Your message dated Sat, 04 Jun 2011 14:00:32 +0000
with message-id <e1qsroy-0005md...@franck.debian.org>
and subject line Bug#620560: fixed in xmlsec1 1.2.14-1+squeeze1
has caused the Debian Bug report #620560,
regarding xmlsec security issue: arbitrary file overwriting CVE-2011-1425
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
620560: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=620560
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: xmlsec1
Severity: serious
Tags: security

Hi,

A new version of xmlsec has been released which fixes a security issue:

"When using XML Security Library prior to 1.2.17, it is possible
to create or overwrite arbitrary files during signature verification,
if XSLT is present and enabled (which is the default mode). The attack
uses the libxslt extension "output" or its aliases, inside a
<ds:Transform> element."

See attached announcement email.


Cheers,
Thijs

--- Begin Message ---
The new XML Security Library 1.2.17 release available at
the usual place:

   http://www.aleksey.com/xmlsec/download.html

This release includes a fix for an important security issue
with XSLT transforms (CVE-2011-1425, reported by Nicolas Gregoire):

When using XML Security Library prior to 1.2.17, it is possible
to create or overwrite arbitrary files during signature verification,
if XSLT is present and enabled (which is the default mode). The attack
uses the libxslt extension "output" or its aliases, inside a
<ds:Transform> element.

It is strongly recommended to upgrade to the new version of XML
Security Library as soon as possible. If the upgrade cannot be
performed, you can do one of the following:

- Explicitly call xsltNewSecurityPrefs() in your application and
  forbid any access to file system as it is done in the following
  commits:


http://git.gnome.org/browse/xmlsec/commit/?id=2d5eddcc4163ea050cf3a3a1a25452bb5124f780
   http://trac.webkit.org/changeset/79159

- Recompile xmlsec library with disabled xslt support using

  ./configure --without-libxslt command

- Disable XSLT transform if it is not used (see enabledUris field
  in struct xmlSecTransformCtx)



Thanks to everyone for the contribution, patches and bug reports!

Aleksey Sanin
_______________________________________________
xmlsec mailing list
xml...@aleksey.com
http://www.aleksey.com/mailman/listinfo/xmlsec

--- End Message ---

Attachment: signature.asc
Description: This is a digitally signed message part.


--- End Message ---
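Worked example, added here and not part of the bug report, of the announcement or of xmlsec itself: the third workaround in the announcement (refuse the XSLT transform when the application does not need it) done at the application layer, before the document is handed to xmlsec. It walks every ds:Reference, rejects any ds:Transform whose Algorithm is not on a short allowlist, and for an XSLT transform also names the file-writing extension element and the href it would have written to. The allowlist, the two constructed signature fixtures and the list of extension element names (xsl:document, exsl:document, saxon:output, xt:document, xalanredirect:write, taken from what libxslt and libexslt register, so treat it as an assumption about your build) are my own choices, not something the advisory spells out.

```python
"""Pre-verification gate for XML Signatures (added example, stdlib only,
not xmlsec code): reject any ds:Transform that is not allowlisted, so an
XSLT transform, the vector for CVE-2011-1425, never reaches the verifier."""
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
XSLT_NS = "http://www.w3.org/1999/XSL/Transform"

# XMLDSig algorithm identifier a <ds:Transform> carrying a stylesheet uses.
XSLT_TRANSFORM = "http://www.w3.org/TR/1999/REC-xslt-19991116"

# The transforms a typical enveloped-signature verifier needs. Anything else,
# XSLT included, is rejected; widen only if your documents really use more.
ALLOWED_TRANSFORMS = {
    "http://www.w3.org/2000/09/xmldsig#enveloped-signature",
    "http://www.w3.org/TR/2001/REC-xml-c14n-20010315",
    "http://www.w3.org/2001/10/xml-exc-c14n#",
}

# (namespace, local-name) of the file-writing extension elements libxslt /
# libexslt register; "output" and its aliases in the advisory. This list is
# an assumption about the libxslt build, not taken from the advisory.
FILE_WRITING_ELEMENTS = {
    (XSLT_NS, "document"),                                   # xsl:document
    ("http://exslt.org/common", "document"),                 # exsl:document
    ("http://icl.com/saxon", "output"),                      # saxon:output
    ("http://www.jclark.com/xt", "document"),                # xt:document
    ("org.apache.xalan.xslt.extensions.Redirect", "write"),  # xalanredirect:write
}


def _split_tag(tag):
    """Split an ElementTree '{ns}local' tag into (ns, local)."""
    if tag.startswith("{"):
        ns, _, local = tag[1:].partition("}")
        return ns, local
    return "", tag


def audit_transforms(signature_xml):
    """Return one finding per non-allowlisted ds:Transform; [] means the
    signature may be passed on to the verifier. For an XSLT transform the
    embedded stylesheet is walked so the finding names the extension element
    and the href it targets."""
    root = ET.fromstring(signature_xml)
    findings = []
    for ref in root.iter("{%s}Reference" % DS_NS):
        uri = ref.get("URI", "")
        for tr in ref.iter("{%s}Transform" % DS_NS):
            alg = tr.get("Algorithm", "")
            if alg in ALLOWED_TRANSFORMS:
                continue
            if alg == XSLT_TRANSFORM:
                findings.append("Reference %r: XSLT transform rejected" % uri)
                for el in tr.iter():  # tr.iter() includes tr itself; harmless
                    if _split_tag(el.tag) in FILE_WRITING_ELEMENTS:
                        findings.append(
                            "Reference %r: stylesheet writes a file via %s href=%r"
                            % (uri, el.tag, el.get("href")))
            else:
                findings.append("Reference %r: unknown transform %r" % (uri, alg))
    return findings


# Constructed fixtures, trimmed to the parts the check looks at (no digest or
# signature values). The hostile one follows the advisory's description: an
# XSLT transform whose stylesheet uses a file-writing extension element.
BENIGN_SIGNATURE = """<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:SignedInfo>
    <ds:Reference URI="">
      <ds:Transforms>
        <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      </ds:Transforms>
    </ds:Reference>
  </ds:SignedInfo>
</ds:Signature>"""

HOSTILE_SIGNATURE = """<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:SignedInfo>
    <ds:Reference URI="">
      <ds:Transforms>
        <ds:Transform Algorithm="http://www.w3.org/TR/1999/REC-xslt-19991116">
          <xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
            <xsl:template match="/">
              <xsl:document href="/tmp/written-during-verification.txt">x</xsl:document>
            </xsl:template>
          </xsl:stylesheet>
        </ds:Transform>
      </ds:Transforms>
    </ds:Reference>
  </ds:SignedInfo>
</ds:Signature>"""


if __name__ == "__main__":
    for name, doc in (("benign", BENIGN_SIGNATURE), ("hostile", HOSTILE_SIGNATURE)):
        problems = audit_transforms(doc)
        print(name, "->", "ok" if not problems else problems)
```

Run it on the raw signature before xmlsec sees the document: the transform chain is executed while the Reference is processed, i.e. as part of verification rather than after a successful one, which is why the advisory rates the issue as it does. This gate is the application-side counterpart of restricting enabledUris in xmlSecTransformCtx and is no substitute for the upgrade; if an application legitimately needs XSLT transforms, the first workaround (xsltNewSecurityPrefs() with file-system access forbidden) is the one to apply instead.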
--- Begin Message ---
Source: xmlsec1
Source-Version: 1.2.14-1+squeeze1

We believe that the bug you reported is fixed in the latest version of
xmlsec1, which is due to be installed in the Debian FTP archive:

libxmlsec1-dev_1.2.14-1+squeeze1_amd64.deb
  to main/x/xmlsec1/libxmlsec1-dev_1.2.14-1+squeeze1_amd64.deb
libxmlsec1-gnutls_1.2.14-1+squeeze1_amd64.deb
  to main/x/xmlsec1/libxmlsec1-gnutls_1.2.14-1+squeeze1_amd64.deb
libxmlsec1-nss_1.2.14-1+squeeze1_amd64.deb
  to main/x/xmlsec1/libxmlsec1-nss_1.2.14-1+squeeze1_amd64.deb
libxmlsec1-openssl_1.2.14-1+squeeze1_amd64.deb
  to main/x/xmlsec1/libxmlsec1-openssl_1.2.14-1+squeeze1_amd64.deb
libxmlsec1_1.2.14-1+squeeze1_amd64.deb
  to main/x/xmlsec1/libxmlsec1_1.2.14-1+squeeze1_amd64.deb
xmlsec1_1.2.14-1+squeeze1.diff.gz
  to main/x/xmlsec1/xmlsec1_1.2.14-1+squeeze1.diff.gz
xmlsec1_1.2.14-1+squeeze1.dsc
  to main/x/xmlsec1/xmlsec1_1.2.14-1+squeeze1.dsc
xmlsec1_1.2.14-1+squeeze1_amd64.deb
  to main/x/xmlsec1/xmlsec1_1.2.14-1+squeeze1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 620...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thijs Kinkhorst <th...@debian.org> (supplier of updated xmlsec1 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 13 Apr 2011 08:23:07 +0200
Source: xmlsec1
Binary: libxmlsec1-dev libxmlsec1 libxmlsec1-openssl libxmlsec1-gnutls libxmlsec1-nss xmlsec1
Architecture: source amd64
Version: 1.2.14-1+squeeze1
Distribution: stable-security
Urgency: high
Maintainer: John V. Belmonte <jbelmo...@debian.org>
Changed-By: Thijs Kinkhorst <th...@debian.org>
Description: 
 libxmlsec1 - XML security library
 libxmlsec1-dev - Development files for the XML security library
 libxmlsec1-gnutls - Gnutls engine for the XML security library
 libxmlsec1-nss - Nss engine for the XML security library
 libxmlsec1-openssl - Openssl engine for the XML security library
 xmlsec1    - XML security command line processor
Closes: 620560
Changes: 
 xmlsec1 (1.2.14-1+squeeze1) stable-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Apply patch from upstream addressing arbitrary file overwrite
     (CVE-2011-1425, closes: #620560).
Checksums-Sha1: 
 4bedfffe1d83268932b5ab1e4231bbbd421ef08f 1563 xmlsec1_1.2.14-1+squeeze1.dsc
 8f949ae74a6d66278a595bd063f13e0ad196d14a 1652670 xmlsec1_1.2.14.orig.tar.gz
 7b341af5f6fd7f8a12657cacc30395c68dc50030 5946 xmlsec1_1.2.14-1+squeeze1.diff.gz
 76a3d8dd1762e9c52d9be564d2a8b90b5b34e466 877534 libxmlsec1-dev_1.2.14-1+squeeze1_amd64.deb
 de56887396f18c08840c2c0739c882c70a9faeb6 163868 libxmlsec1_1.2.14-1+squeeze1_amd64.deb
 d7ffefa49af300c84d1aa6189396a7b48f7bda07 100844 libxmlsec1-openssl_1.2.14-1+squeeze1_amd64.deb
 1ca28d5f3e1eac6ad2e13d478f69f53ffb529105 41276 libxmlsec1-gnutls_1.2.14-1+squeeze1_amd64.deb
 ab07f67f0fe3e5b3fa99a0dbb2ce75151f38e73a 92754 libxmlsec1-nss_1.2.14-1+squeeze1_amd64.deb
 07c2e03166621a83ee00ab033e5d23b460dfce79 45338 xmlsec1_1.2.14-1+squeeze1_amd64.deb
Checksums-Sha256: 
 d6f1d49a66e99eb4a1d8524952a4dc4934e9d89a19b1e726546693c5c7008dfd 1563 xmlsec1_1.2.14-1+squeeze1.dsc
 390a5085651828b8fe12aa978b200f59b9155eedbb91a4be89bf7cf39eefdd4a 1652670 xmlsec1_1.2.14.orig.tar.gz
 a032576b2ebadfd4d67a5a0dd76f2e8a54766546be1e95c3b91380cf43f4a038 5946 xmlsec1_1.2.14-1+squeeze1.diff.gz
 14ad05ea0cad9a6dee349ff3bfb71684ed9cdd0d9f24519bb8d5cf3ab2474e40 877534 libxmlsec1-dev_1.2.14-1+squeeze1_amd64.deb
 8dd9939b766f475e9a81bc5f032aae733fbbff90aad5b29abb15361b644415cf 163868 libxmlsec1_1.2.14-1+squeeze1_amd64.deb
 a60a4476a3f33878169350a54ff004dd33ab6c9d9d02034096ebf80ffd572053 100844 libxmlsec1-openssl_1.2.14-1+squeeze1_amd64.deb
 c35030e95ab02c52d20adb0d13303e1078b1e33dc23e1486cdc488c14a64ee05 41276 libxmlsec1-gnutls_1.2.14-1+squeeze1_amd64.deb
 68e5ceabc3f8171f2810a6221ade238486136ec7d6e3f9013f09dc40db0dbfa8 92754 libxmlsec1-nss_1.2.14-1+squeeze1_amd64.deb
 83f0689fae69a558017aa3452c20240757ee91888efe5ff75daba4d4d573d957 45338 xmlsec1_1.2.14-1+squeeze1_amd64.deb
Files: 
 fb8f8269cfe5802a11aa71622852fbd4 1563 text optional xmlsec1_1.2.14-1+squeeze1.dsc
 1f24ab1d39f4a51faf22244c94a6203f 1652670 text optional xmlsec1_1.2.14.orig.tar.gz
 02f73ed6f0a7069f177724d60471c963 5946 text optional xmlsec1_1.2.14-1+squeeze1.diff.gz
 b76adaff3287d93c3b36eeab64fa2ea1 877534 libdevel optional libxmlsec1-dev_1.2.14-1+squeeze1_amd64.deb
 1187e5e8f7032f1c87377bed5b615434 163868 libs optional libxmlsec1_1.2.14-1+squeeze1_amd64.deb
 071d5074847ab284cab9ebe43d2e2daa 100844 libs optional libxmlsec1-openssl_1.2.14-1+squeeze1_amd64.deb
 eb3f7849bbc453082d34d2daf3858e14 41276 libs optional libxmlsec1-gnutls_1.2.14-1+squeeze1_amd64.deb
 8c72d142f310cc914e7ac5a2d3dc3b60 92754 libs optional libxmlsec1-nss_1.2.14-1+squeeze1_amd64.deb
 96b9c501a5a90575773cc49c08aa41f2 45338 text optional xmlsec1_1.2.14-1+squeeze1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEcBAEBAgAGBQJNpUOvAAoJEOxfUAG2iX57zMQH/35jsiv9qfVV+6DROWovWnBD
g5c+Bh5JzdIktLjuY0XnkFTGhLK9315awR2hXjWjYPMSmPdPS86nLZMoO2gVynWm
TBJfk2ueDrxg7CUlEpO6TFG/OdhihD31GPl7kRnDAffn7wKnSfdWv8lpKIVovawO
llvhScSfojzvFVaWC9kkqvFJV6WjPLKQ/HfDERHMq/1uO53q0cTKW64yAAMy8n4M
45Xij2VgIvMA4rMG69Ps1Oosg7rWW/4v3yTPNowr+Am72j373Ht5x/9MQNzrupuV
KBcQTrakyXspYa77Ry6+nNiSD2ipQmGWxOujMrN4SqnNef0sIpV+MDzb6G3SN0A=
=tJ58
-----END PGP SIGNATURE-----



--- End Message ---