[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] [ MDVSA-2009:267 ] xmlsec1



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2009:267
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : xmlsec1
 Date    : October 10, 2009
 Affected: 2008.1, 2009.0, 2009.1, Enterprise Server 5.0
 _______________________________________________________________________

 Problem Description:

 A vulnerability has been found and corrected in xmlsec1:
 
 A missing check for the recommended minimum length of the truncated
 form of HMAC-based XML signatures was found in xmlsec1 prior to
 1.2.12. An attacker could use this flaw to create a specially-crafted
 XML file that forges an XML signature, allowing the attacker to
 bypass authentication that is based on the XML Signature specification
 (CVE-2009-0217).
 
 This update fixes this vulnerability.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0217
 http://www.kb.cert.org/vuls/id/466161
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2008.1:
 388b774554e4872b7aa863c8c8d3597c  
2008.1/i586/libxmlsec1-1-1.2.10-6.1mdv2008.1.i586.rpm
 fb14b0f6a2f4fd24219e2452557751cc  
2008.1/i586/libxmlsec1-devel-1.2.10-6.1mdv2008.1.i586.rpm
 326ce38b3d0600524984eb130244935f  
2008.1/i586/libxmlsec1-gnutls1-1.2.10-6.1mdv2008.1.i586.rpm
 3a5069b48d3790f5387bf0b889c0b33e  
2008.1/i586/libxmlsec1-gnutls-devel-1.2.10-6.1mdv2008.1.i586.rpm
 eebce4a7e7013ff9e32b5d4f5b1eeb13  
2008.1/i586/libxmlsec1-nss1-1.2.10-6.1mdv2008.1.i586.rpm
 2a6ba4dd01ab9ea497bcff0f67538fb3  
2008.1/i586/libxmlsec1-nss-devel-1.2.10-6.1mdv2008.1.i586.rpm
 975bd585cabd4af6a33f83894105d546  
2008.1/i586/libxmlsec1-openssl1-1.2.10-6.1mdv2008.1.i586.rpm
 486748866cfd54a77dd7193c1125d9e2  
2008.1/i586/libxmlsec1-openssl-devel-1.2.10-6.1mdv2008.1.i586.rpm
 47d546bca4d9eabbd6156e32651b1d75  
2008.1/i586/xmlsec1-1.2.10-6.1mdv2008.1.i586.rpm 
 8eac3805b6f992c9203a66d5b35c3085  
2008.1/SRPMS/xmlsec1-1.2.10-6.1mdv2008.1.src.rpm

 Mandriva Linux 2008.1/X86_64:
 7484ba0791bd8706b852c2ae187e8786  
2008.1/x86_64/lib64xmlsec1-1-1.2.10-6.1mdv2008.1.x86_64.rpm
 771e9bd35a2901a224435f6d99885014  
2008.1/x86_64/lib64xmlsec1-devel-1.2.10-6.1mdv2008.1.x86_64.rpm
 4b94e2c01cb70e38d670f6d97ccc3082  
2008.1/x86_64/lib64xmlsec1-gnutls1-1.2.10-6.1mdv2008.1.x86_64.rpm
 e94a47d77ebc1b9d25861e83d5b56686  
2008.1/x86_64/lib64xmlsec1-gnutls-devel-1.2.10-6.1mdv2008.1.x86_64.rpm
 3cc3249f6da0b6d215a9b8b57f2b9b69  
2008.1/x86_64/lib64xmlsec1-nss1-1.2.10-6.1mdv2008.1.x86_64.rpm
 09ce0f59062744d8ee0129255b99e48c  
2008.1/x86_64/lib64xmlsec1-nss-devel-1.2.10-6.1mdv2008.1.x86_64.rpm
 7cd72245babca168b5160c201b3650d0  
2008.1/x86_64/lib64xmlsec1-openssl1-1.2.10-6.1mdv2008.1.x86_64.rpm
 682073d947d961647cafb6bc80ad3206  
2008.1/x86_64/lib64xmlsec1-openssl-devel-1.2.10-6.1mdv2008.1.x86_64.rpm
 90fddbd13802bf1cef89e4948063ada8  
2008.1/x86_64/xmlsec1-1.2.10-6.1mdv2008.1.x86_64.rpm 
 8eac3805b6f992c9203a66d5b35c3085  
2008.1/SRPMS/xmlsec1-1.2.10-6.1mdv2008.1.src.rpm

 Mandriva Linux 2009.0:
 aef90b767a2e184dc2a2eec96cf2dd63  
2009.0/i586/libxmlsec1-1-1.2.10-7.1mdv2009.0.i586.rpm
 68ab430e0b63ec94f626168812909f5e  
2009.0/i586/libxmlsec1-devel-1.2.10-7.1mdv2009.0.i586.rpm
 932558e556911a0247fd96ca9af785d4  
2009.0/i586/libxmlsec1-gnutls1-1.2.10-7.1mdv2009.0.i586.rpm
 a58e62c9234f4e3b2f6180b552348940  
2009.0/i586/libxmlsec1-gnutls-devel-1.2.10-7.1mdv2009.0.i586.rpm
 d377cfb8e2bc4ec3457d7133b1e35a84  
2009.0/i586/libxmlsec1-nss1-1.2.10-7.1mdv2009.0.i586.rpm
 839c04900e607dba7e2431f711191521  
2009.0/i586/libxmlsec1-nss-devel-1.2.10-7.1mdv2009.0.i586.rpm
 7359aade4fce3137d90f1c4bca721f1d  
2009.0/i586/libxmlsec1-openssl1-1.2.10-7.1mdv2009.0.i586.rpm
 ba579a3d4cd326a1f055ef0943dbee73  
2009.0/i586/libxmlsec1-openssl-devel-1.2.10-7.1mdv2009.0.i586.rpm
 82059801976d099e449944998126fda9  
2009.0/i586/xmlsec1-1.2.10-7.1mdv2009.0.i586.rpm 
 c2cf86a3ea639e2d1241c8e129141353  
2009.0/SRPMS/xmlsec1-1.2.10-7.1mdv2009.0.src.rpm

 Mandriva Linux 2009.0/X86_64:
 31c3d20e6b1d34a717772a4e439686c2  
2009.0/x86_64/lib64xmlsec1-1-1.2.10-7.1mdv2009.0.x86_64.rpm
 c689e59d577bb5b278789c4118a7618c  
2009.0/x86_64/lib64xmlsec1-devel-1.2.10-7.1mdv2009.0.x86_64.rpm
 5b7b2e53969e052865edead9d0f715a7  
2009.0/x86_64/lib64xmlsec1-gnutls1-1.2.10-7.1mdv2009.0.x86_64.rpm
 02f857939f5450931ddf524d6d7c2300  
2009.0/x86_64/lib64xmlsec1-gnutls-devel-1.2.10-7.1mdv2009.0.x86_64.rpm
 e16b2b9dd55c9e504fa5102665bda206  
2009.0/x86_64/lib64xmlsec1-nss1-1.2.10-7.1mdv2009.0.x86_64.rpm
 91cbad72b3fa2cbc600b9d5bb9dfeef4  
2009.0/x86_64/lib64xmlsec1-nss-devel-1.2.10-7.1mdv2009.0.x86_64.rpm
 1a36234cb7159d784965e467c834097b  
2009.0/x86_64/lib64xmlsec1-openssl1-1.2.10-7.1mdv2009.0.x86_64.rpm
 ebdc55d7854500a9bf383581a1244263  
2009.0/x86_64/lib64xmlsec1-openssl-devel-1.2.10-7.1mdv2009.0.x86_64.rpm
 8e059fd0e03d31b24f051877646a42fa  
2009.0/x86_64/xmlsec1-1.2.10-7.1mdv2009.0.x86_64.rpm 
 c2cf86a3ea639e2d1241c8e129141353  
2009.0/SRPMS/xmlsec1-1.2.10-7.1mdv2009.0.src.rpm

 Mandriva Linux 2009.1:
 463cbcb0217b1a3b38a8be50ee3f3c54  
2009.1/i586/libxmlsec1-1-1.2.10-8.1mdv2009.1.i586.rpm
 720e8f608efb57405b85c887190bd007  
2009.1/i586/libxmlsec1-devel-1.2.10-8.1mdv2009.1.i586.rpm
 e56b286a1a9ff2048e4161d1c6750ac7  
2009.1/i586/libxmlsec1-gnutls1-1.2.10-8.1mdv2009.1.i586.rpm
 ea3b894c699ed5cb3d250a2815363845  
2009.1/i586/libxmlsec1-gnutls-devel-1.2.10-8.1mdv2009.1.i586.rpm
 df6e7309597adeeec626f072ba9b10a1  
2009.1/i586/libxmlsec1-nss1-1.2.10-8.1mdv2009.1.i586.rpm
 bd7d8418b77dc58657a3e7b2278fc7bf  
2009.1/i586/libxmlsec1-nss-devel-1.2.10-8.1mdv2009.1.i586.rpm
 8f5b2f6b6191af698aef68c4c31b848f  
2009.1/i586/libxmlsec1-openssl1-1.2.10-8.1mdv2009.1.i586.rpm
 1f5f51ec2a562a9668508b7e8f1edf79  
2009.1/i586/libxmlsec1-openssl-devel-1.2.10-8.1mdv2009.1.i586.rpm
 dda711479dc6ac367a72880900884118  
2009.1/i586/xmlsec1-1.2.10-8.1mdv2009.1.i586.rpm 
 b2c8957e3cf68dd729ed999b1a8df4d4  
2009.1/SRPMS/xmlsec1-1.2.10-8.1mdv2009.1.src.rpm

 Mandriva Linux 2009.1/X86_64:
 c54eade2b73fb50287f0bdc9c8f7b746  
2009.1/x86_64/lib64xmlsec1-1-1.2.10-8.1mdv2009.1.x86_64.rpm
 4a062d6f23f6136faaa56376be7f8459  
2009.1/x86_64/lib64xmlsec1-devel-1.2.10-8.1mdv2009.1.x86_64.rpm
 56c33b45f3e24d4f397565dee1f72026  
2009.1/x86_64/lib64xmlsec1-gnutls1-1.2.10-8.1mdv2009.1.x86_64.rpm
 1bd20c0d3045cef364c42c56cc7df6d1  
2009.1/x86_64/lib64xmlsec1-gnutls-devel-1.2.10-8.1mdv2009.1.x86_64.rpm
 bf92e675998bc1fefcfe5cc3f5a569a0  
2009.1/x86_64/lib64xmlsec1-nss1-1.2.10-8.1mdv2009.1.x86_64.rpm
 168787927b24a7da78717d4c246685bd  
2009.1/x86_64/lib64xmlsec1-nss-devel-1.2.10-8.1mdv2009.1.x86_64.rpm
 404498bd0f6e29dda4d556fdcce71e4a  
2009.1/x86_64/lib64xmlsec1-openssl1-1.2.10-8.1mdv2009.1.x86_64.rpm
 18058e3ee91a4b39a6ac7cf3c9dbc34f  
2009.1/x86_64/lib64xmlsec1-openssl-devel-1.2.10-8.1mdv2009.1.x86_64.rpm
 602e5da1b10bbdd38ed65d1620821c83  
2009.1/x86_64/xmlsec1-1.2.10-8.1mdv2009.1.x86_64.rpm 
 b2c8957e3cf68dd729ed999b1a8df4d4  
2009.1/SRPMS/xmlsec1-1.2.10-8.1mdv2009.1.src.rpm

 Mandriva Enterprise Server 5:
 0084106a2bc4b970f0469c23dc30084e  
mes5/i586/libxmlsec1-1-1.2.10-7.1mdvmes5.i586.rpm
 569d0ed58642f4eabcd9af1a3cb0402d  
mes5/i586/libxmlsec1-devel-1.2.10-7.1mdvmes5.i586.rpm
 9380b3121a2e489cdeff709fab033379  
mes5/i586/libxmlsec1-gnutls1-1.2.10-7.1mdvmes5.i586.rpm
 ddf6b63d02850e9e07b2f130a2a2d2e6  
mes5/i586/libxmlsec1-gnutls-devel-1.2.10-7.1mdvmes5.i586.rpm
 dbf22baa4022b6d6625fc75b7cbf4bab  
mes5/i586/libxmlsec1-nss1-1.2.10-7.1mdvmes5.i586.rpm
 69fd3bebdac3b66b2905c6c7a077a089  
mes5/i586/libxmlsec1-nss-devel-1.2.10-7.1mdvmes5.i586.rpm
 6f96e59feee66ecae20270df86aea965  
mes5/i586/libxmlsec1-openssl1-1.2.10-7.1mdvmes5.i586.rpm
 3613da5ca1c60d2ea16523804270013d  
mes5/i586/libxmlsec1-openssl-devel-1.2.10-7.1mdvmes5.i586.rpm
 6e3742296ac15407bb1012efd48d608d  mes5/i586/xmlsec1-1.2.10-7.1mdvmes5.i586.rpm 
 219a23cc35df25ca711a026647e13e3d  mes5/SRPMS/xmlsec1-1.2.10-7.1mdvmes5.src.rpm

 Mandriva Enterprise Server 5/X86_64:
 a303d9680fca6ca97704d93e0a75fb03  
mes5/x86_64/lib64xmlsec1-1-1.2.10-7.1mdvmes5.x86_64.rpm
 8266c60eb8803dd449b382769aede1a2  
mes5/x86_64/lib64xmlsec1-devel-1.2.10-7.1mdvmes5.x86_64.rpm
 1f7f31d8c01ed6b7103e5518c22361e9  
mes5/x86_64/lib64xmlsec1-gnutls1-1.2.10-7.1mdvmes5.x86_64.rpm
 914e15b7fc8b0fb27db816b8cdcd6b4b  
mes5/x86_64/lib64xmlsec1-gnutls-devel-1.2.10-7.1mdvmes5.x86_64.rpm
 779f85417bcc1dfcfd74816c8d45bf14  
mes5/x86_64/lib64xmlsec1-nss1-1.2.10-7.1mdvmes5.x86_64.rpm
 5b3f264fbe31533d326c962c7da38880  
mes5/x86_64/lib64xmlsec1-nss-devel-1.2.10-7.1mdvmes5.x86_64.rpm
 80b5562a1902d0ad3ec16cea6c9d2ee6  
mes5/x86_64/lib64xmlsec1-openssl1-1.2.10-7.1mdvmes5.x86_64.rpm
 96838c1c267b78f9244787016f4927a3  
mes5/x86_64/lib64xmlsec1-openssl-devel-1.2.10-7.1mdvmes5.x86_64.rpm
 cb87ad0ded731d499eab63c4808610c6  
mes5/x86_64/xmlsec1-1.2.10-7.1mdvmes5.x86_64.rpm 
 219a23cc35df25ca711a026647e13e3d  mes5/SRPMS/xmlsec1-1.2.10-7.1mdvmes5.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFK0JCzmqjQ0CJFipgRAiQkAKCPMeiv6u4c8QtJ9Xa+pqmI37PbUQCg6NcS
Mt8oN+14QbOcaASD3mgoV7I=
=5IPi
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/