U radu programskog paketa xmlsec1 (eng. XML Security Library) otkriven je i ispravljen novi sigurnosni nedostatak. Riječ je o programskoj biblioteci koja pruža podršku za korištenje XML sigurnosnih standarda, a koja se temelji na LibXML2 i OpenSSL paketima. Propust je posljedica pogreške u datoteci "xslt.c". Udaljeni ga napadač može iskoristiti za stvaranje ili prepisivanje proizvoljnih datoteka. Svim se korisnicima ranjivog paketa, u svrhu zaštite, savjetuje instalacija novih programskih rješenja.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2011:063
http://www.mandriva.com/security/
_______________________________________________________________________
Package : xmlsec1
Date : April 4, 2011
Affected: 2009.0, 2010.0, Enterprise Server 5.0
_______________________________________________________________________
Problem Description:
A vulnerability was discovered and corrected in xmlsec1:
xslt.c in XML Security Library (aka xmlsec) before 1.2.17, as
used in WebKit and other products, when XSLT is enabled, allows
remote attackers to create or overwrite arbitrary files via vectors
involving the libxslt output extension and a ds:Transform element
during signature verification (CVE-2011-1425).
Packages for 2009.0 are provided as of the Extended Maintenance
Program. Please visit this link to learn more:
http://store.mandriva.com/product_info.php?cPath=149&products_id=490
The updated packages have been patched to correct this issue.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1425
_______________________________________________________________________
Updated Packages:
Mandriva Linux 2009.0:
ab2caef2b723f8a627f4682e9b9b295c
2009.0/i586/libxmlsec1-1-1.2.10-7.3mdv2009.0.i586.rpm
a82fe9a2eb07213a40d5b062d0c5a230
2009.0/i586/libxmlsec1-devel-1.2.10-7.3mdv2009.0.i586.rpm
2cec5cb556b742bcc87d10a14ded022c
2009.0/i586/libxmlsec1-gnutls1-1.2.10-7.3mdv2009.0.i586.rpm
7169d872a13bb5da168cad113ca3c9cb
2009.0/i586/libxmlsec1-gnutls-devel-1.2.10-7.3mdv2009.0.i586.rpm
d9c9fe192a991bb7937fce742acac213
2009.0/i586/libxmlsec1-nss1-1.2.10-7.3mdv2009.0.i586.rpm
c412b1cf110d47b6c9848a2718394e83
2009.0/i586/libxmlsec1-nss-devel-1.2.10-7.3mdv2009.0.i586.rpm
fb3fcd72027a0c4707d185c03d7e6ffe
2009.0/i586/libxmlsec1-openssl1-1.2.10-7.3mdv2009.0.i586.rpm
ee2375b5ce6b80fb0a37f8a298df8ffc
2009.0/i586/libxmlsec1-openssl-devel-1.2.10-7.3mdv2009.0.i586.rpm
45ec8c67b589d6874c265c316f0ef715
2009.0/i586/xmlsec1-1.2.10-7.3mdv2009.0.i586.rpm
00a18a237c5aee09d3de790df4ee8d0b
2009.0/SRPMS/xmlsec1-1.2.10-7.3mdv2009.0.src.rpm
Mandriva Linux 2009.0/X86_64:
ab200f5369469e19e89743b23a097764
2009.0/x86_64/lib64xmlsec1-1-1.2.10-7.3mdv2009.0.x86_64.rpm
15eb2c4424a6d91b68f5caef8db2fdff
2009.0/x86_64/lib64xmlsec1-devel-1.2.10-7.3mdv2009.0.x86_64.rpm
ad73f2e06650f4b76b482a1bf7532eac
2009.0/x86_64/lib64xmlsec1-gnutls1-1.2.10-7.3mdv2009.0.x86_64.rpm
7c60997091a4214148c77d2d14c01a94
2009.0/x86_64/lib64xmlsec1-gnutls-devel-1.2.10-7.3mdv2009.0.x86_64.rpm
22ac198274c38732b3f0a65e5814ffc7
2009.0/x86_64/lib64xmlsec1-nss1-1.2.10-7.3mdv2009.0.x86_64.rpm
ddb61026f298b57254192f25398498d6
2009.0/x86_64/lib64xmlsec1-nss-devel-1.2.10-7.3mdv2009.0.x86_64.rpm
a965cb539117930426efb7b6dbf8553d
2009.0/x86_64/lib64xmlsec1-openssl1-1.2.10-7.3mdv2009.0.x86_64.rpm
a2853268d49f512f660b0c85f32f3b98
2009.0/x86_64/lib64xmlsec1-openssl-devel-1.2.10-7.3mdv2009.0.x86_64.rpm
cfcb56269c2b2e79ea2701839fa93090
2009.0/x86_64/xmlsec1-1.2.10-7.3mdv2009.0.x86_64.rpm
00a18a237c5aee09d3de790df4ee8d0b
2009.0/SRPMS/xmlsec1-1.2.10-7.3mdv2009.0.src.rpm
Mandriva Linux 2010.0:
bdc91e075985a73525da8a27c50f3e4d
2010.0/i586/libxmlsec1-1-1.2.13-1.2mdv2010.0.i586.rpm
a8cf6ac42e0ae7df962f3b6e1abd0a27
2010.0/i586/libxmlsec1-devel-1.2.13-1.2mdv2010.0.i586.rpm
50e1f9b8c2b36781b5597c37756f0a27
2010.0/i586/libxmlsec1-gnutls1-1.2.13-1.2mdv2010.0.i586.rpm
94b518a20f8d6a99033be5c7fa9a561c
2010.0/i586/libxmlsec1-gnutls-devel-1.2.13-1.2mdv2010.0.i586.rpm
b5e93f5674d8b2065e64f2e53ba05605
2010.0/i586/libxmlsec1-nss1-1.2.13-1.2mdv2010.0.i586.rpm
880fe166f23413733c3c3c118d816387
2010.0/i586/libxmlsec1-nss-devel-1.2.13-1.2mdv2010.0.i586.rpm
21b46e66c6b78df3fbcd86064cf30e7c
2010.0/i586/libxmlsec1-openssl1-1.2.13-1.2mdv2010.0.i586.rpm
6620368f5cc3bcbb857b4a23eac3c8ca
2010.0/i586/libxmlsec1-openssl-devel-1.2.13-1.2mdv2010.0.i586.rpm
c2ea73966298d29fdfdc34c7c2a2f1c2
2010.0/i586/xmlsec1-1.2.13-1.2mdv2010.0.i586.rpm
877a15d6552bedb5763df240f4d82d84
2010.0/SRPMS/xmlsec1-1.2.13-1.2mdv2010.0.src.rpm
Mandriva Linux 2010.0/X86_64:
a62d421d4fd1899fbba01309dbaf1896
2010.0/x86_64/lib64xmlsec1-1-1.2.13-1.2mdv2010.0.x86_64.rpm
2f537e7a96421519da35174c233ce595
2010.0/x86_64/lib64xmlsec1-devel-1.2.13-1.2mdv2010.0.x86_64.rpm
7a8b160fe2e6034be36f6eae79085ace
2010.0/x86_64/lib64xmlsec1-gnutls1-1.2.13-1.2mdv2010.0.x86_64.rpm
0a6294fd609fc0852648a497a88483c0
2010.0/x86_64/lib64xmlsec1-gnutls-devel-1.2.13-1.2mdv2010.0.x86_64.rpm
29db3a07cccce7ad181397aad0cc8d0d
2010.0/x86_64/lib64xmlsec1-nss1-1.2.13-1.2mdv2010.0.x86_64.rpm
fbbf15dc907548874aa56a0a60288c44
2010.0/x86_64/lib64xmlsec1-nss-devel-1.2.13-1.2mdv2010.0.x86_64.rpm
91cde9b85b74ee50ca22063395776ad5
2010.0/x86_64/lib64xmlsec1-openssl1-1.2.13-1.2mdv2010.0.x86_64.rpm
48200b7dbaf54a0f3b773fe838bba047
2010.0/x86_64/lib64xmlsec1-openssl-devel-1.2.13-1.2mdv2010.0.x86_64.rpm
959b3952c7246d48878bd70d51966a8e
2010.0/x86_64/xmlsec1-1.2.13-1.2mdv2010.0.x86_64.rpm
877a15d6552bedb5763df240f4d82d84
2010.0/SRPMS/xmlsec1-1.2.13-1.2mdv2010.0.src.rpm
Mandriva Enterprise Server 5:
319b4ab924dbbbf82f4614d148f14804
mes5/i586/libxmlsec1-1-1.2.10-7.3mdvmes5.2.i586.rpm
9278a1efe02a044e5ff7a1a37ffa36d4
mes5/i586/libxmlsec1-devel-1.2.10-7.3mdvmes5.2.i586.rpm
cb993560c51e070393b7e2e0861900ff
mes5/i586/libxmlsec1-gnutls1-1.2.10-7.3mdvmes5.2.i586.rpm
293f8773291935a45d76908db7825384
mes5/i586/libxmlsec1-gnutls-devel-1.2.10-7.3mdvmes5.2.i586.rpm
aab3eb1ab4455876a2339e9863fa7935
mes5/i586/libxmlsec1-nss1-1.2.10-7.3mdvmes5.2.i586.rpm
2ff66c74e00e7dd79d6037162dde87b8
mes5/i586/libxmlsec1-nss-devel-1.2.10-7.3mdvmes5.2.i586.rpm
f2f5866fd188473eb74e33c5b78c2d9a
mes5/i586/libxmlsec1-openssl1-1.2.10-7.3mdvmes5.2.i586.rpm
c41b9570228f06d39b91d87a8538728c
mes5/i586/libxmlsec1-openssl-devel-1.2.10-7.3mdvmes5.2.i586.rpm
308bc571cc766753f0c07a44ca80181c
mes5/i586/xmlsec1-1.2.10-7.3mdvmes5.2.i586.rpm
d07141a9abde87df9f330093acd2d59f
mes5/SRPMS/xmlsec1-1.2.10-7.3mdvmes5.2.src.rpm
Mandriva Enterprise Server 5/X86_64:
327e47c32620609fd4245c32475938c7
mes5/x86_64/lib64xmlsec1-1-1.2.10-7.3mdvmes5.2.x86_64.rpm
033b408efc5436eb5d6e09a9582760a5
mes5/x86_64/lib64xmlsec1-devel-1.2.10-7.3mdvmes5.2.x86_64.rpm
814d8c33a387f72d855f7bfc250f74e3
mes5/x86_64/lib64xmlsec1-gnutls1-1.2.10-7.3mdvmes5.2.x86_64.rpm
2883ed21f25132b542780bd1dfccfb17
mes5/x86_64/lib64xmlsec1-gnutls-devel-1.2.10-7.3mdvmes5.2.x86_64.rpm
3409c185fdbcb57c45a1883752ade7c3
mes5/x86_64/lib64xmlsec1-nss1-1.2.10-7.3mdvmes5.2.x86_64.rpm
f781e2d050e0c19945c783dc86745e08
mes5/x86_64/lib64xmlsec1-nss-devel-1.2.10-7.3mdvmes5.2.x86_64.rpm
cc9fc7fcd1d32d4877689486e424875e
mes5/x86_64/lib64xmlsec1-openssl1-1.2.10-7.3mdvmes5.2.x86_64.rpm
a5315ce478dda5fd0af55a1acf043288
mes5/x86_64/lib64xmlsec1-openssl-devel-1.2.10-7.3mdvmes5.2.x86_64.rpm
1a153d8d6af32724260f029205cd0a54
mes5/x86_64/xmlsec1-1.2.10-7.3mdvmes5.2.x86_64.rpm
d07141a9abde87df9f330093acd2d59f
mes5/SRPMS/xmlsec1-1.2.10-7.3mdvmes5.2.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iD8DBQFNmXaUmqjQ0CJFipgRAgs3AKCLIc162L+edW3LKFOx7G/U4GkynwCgpJ7j
SEMdD/0Sj9XbDDepzFsOW3o=
=Kuyv
-----END PGP SIGNATURE-----
Posljednje sigurnosne preporuke