[Full-disclosure] [ MDVSA-2009:318 ] xmlsec1




-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2009:318
http://www.mandriva.com/security/
_______________________________________________________________________

Package : xmlsec1
Date : December 5, 2009
Affected: 2008.0
_______________________________________________________________________

Problem Description:

Multiple security vulnerabilities has been identified and fixed
in xmlsec1:

A missing check for the recommended minimum length of the truncated
form of HMAC-based XML signatures was found in xmlsec1 prior to
1.2.12. An attacker could use this flaw to create a specially-crafted
XML file that forges an XML signature, allowing the attacker to
bypass authentication that is based on the XML Signature specification
(CVE-2009-0217).

All versions of libtool prior to 2.2.6b suffers from a local
privilege escalation vulnerability that could be exploited under
certain conditions to load arbitrary code (CVE-2009-3736).

Packages for 2008.0 are being provided due to extended support for
Corporate products.

This update fixes this vulnerability.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0217
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3736
http://www.kb.cert.org/vuls/id/466161
_______________________________________________________________________

Updated Packages:

Mandriva Linux 2008.0:
b74d614ed793451440ea18c7aab434ee 2008.0/i586/libxmlsec1-1-1.2.10-5.1mdv2008.0.i586.rpm
34cc1274710d3c2013ff4c1222d0349d 2008.0/i586/libxmlsec1-devel-1.2.10-5.1mdv2008.0.i586.rpm
88b378d43d3ba44bad7d47c1eb5d6c5c 2008.0/i586/libxmlsec1-gnutls1-1.2.10-5.1mdv2008.0.i586.rpm
7c7e766ab3886c57d1519b83b4b06af8 2008.0/i586/libxmlsec1-gnutls-devel-1.2.10-5.1mdv2008.0.i586.rpm
712c732bc8ff6050fdc6dd108623e63a 2008.0/i586/libxmlsec1-nss1-1.2.10-5.1mdv2008.0.i586.rpm
bed9636e852f4c90cd9a5891fb9395ea 2008.0/i586/libxmlsec1-nss-devel-1.2.10-5.1mdv2008.0.i586.rpm
3e6940d49ffc024240b7116250d1f770 2008.0/i586/libxmlsec1-openssl1-1.2.10-5.1mdv2008.0.i586.rpm
cb8d177f72966ff06a9a1e08f8c48dbe 2008.0/i586/libxmlsec1-openssl-devel-1.2.10-5.1mdv2008.0.i586.rpm
38ae0ed435d6e5133530d5af4a33883a 2008.0/i586/xmlsec1-1.2.10-5.1mdv2008.0.i586.rpm
bf47e5312113b150bdcce2634254b555 2008.0/SRPMS/xmlsec1-1.2.10-5.1mdv2008.0.src.rpm

Mandriva Linux 2008.0/X86_64:
2f16be60c636cc6d286258b7d331f52b 2008.0/x86_64/lib64xmlsec1-1-1.2.10-5.1mdv2008.0.x86_64.rpm
dcbfa0192a2a1ed72d9b4f7fc4c31c7f 2008.0/x86_64/lib64xmlsec1-devel-1.2.10-5.1mdv2008.0.x86_64.rpm
b7d5a923126d4ab43b9c9868aed26803 2008.0/x86_64/lib64xmlsec1-gnutls1-1.2.10-5.1mdv2008.0.x86_64.rpm
041a56825a59f497dce1085bc0fcf717 2008.0/x86_64/lib64xmlsec1-gnutls-devel-1.2.10-5.1mdv2008.0.x86_64.rpm
5f70fda9524faee1b86e14e7b092e426 2008.0/x86_64/lib64xmlsec1-nss1-1.2.10-5.1mdv2008.0.x86_64.rpm
63c4b923f7cf4bb46e06d966a880ef6c 2008.0/x86_64/lib64xmlsec1-nss-devel-1.2.10-5.1mdv2008.0.x86_64.rpm
62174f73e2d333da65befa79cd85c1ad 2008.0/x86_64/lib64xmlsec1-openssl1-1.2.10-5.1mdv2008.0.x86_64.rpm
6439cacc0520e43b8280758a4a91b042 2008.0/x86_64/lib64xmlsec1-openssl-devel-1.2.10-5.1mdv2008.0.x86_64.rpm
e4db63bda5a32757a17be8d4dcd31639 2008.0/x86_64/xmlsec1-1.2.10-5.1mdv2008.0.x86_64.rpm
bf47e5312113b150bdcce2634254b555 2008.0/SRPMS/xmlsec1-1.2.10-5.1mdv2008.0.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFLGm8VmqjQ0CJFipgRAoJbAJ42kcAyU+o1vyhTG3qRCkeqdZrZVwCghcOr
q34YlWPMSVOFL9sx5T0/mA4=
=WFZU
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/