(RHSA-2011:0486) Moderate: xmlsec1 security and bug fix update

2011-05-0400:00:00

access.redhat.com

5.1 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

HIGH

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:H/Au:N/C:P/I:P/A:P

0.012 Low

EPSS

Percentile

83.9%

JSON

The XML Security Library is a C library based on libxml2 and OpenSSL that
implements the XML Digital Signature and XML Encryption standards.

A flaw was found in the way xmlsec1 handled XML files that contain an XSLT
transformation specification. A specially-crafted XML file could cause
xmlsec1 to create or overwrite an arbitrary file while performing the
verification of a file’s digital signature. (CVE-2011-1425)

Red Hat would like to thank Nicolas Gregoire and Aleksey Sanin for
reporting this issue.

This update also fixes the following bug:

xmlsec1 previously used an incorrect search path when searching for
crypto plug-in libraries, possibly trying to access such libraries using a
relative path. (BZ#558480, BZ#700467)

Users of xmlsec1 should upgrade to these updated packages, which contain
backported patches to correct these issues. After installing the update,
all running applications that use the xmlsec1 library must be restarted for
the update to take effect.

OSVersionArchitecturePackageVersionFilename
RedHatanyi386xmlsec1-nss< 1.2.9-8.1.2xmlsec1-nss-1.2.9-8.1.2.i386.rpm
RedHatanys390xxmlsec1-gnutls-devel< 1.2.9-8.1.2xmlsec1-gnutls-devel-1.2.9-8.1.2.s390x.rpm
RedHatanys390xxmlsec1< 1.2.6-3.2xmlsec1-1.2.6-3.2.s390x.rpm
RedHatanyia64xmlsec1-openssl< 1.2.6-3.2xmlsec1-openssl-1.2.6-3.2.ia64.rpm
RedHatanys390xmlsec1-gnutls< 1.2.9-8.1.2xmlsec1-gnutls-1.2.9-8.1.2.s390.rpm
RedHatanyia64xmlsec1-devel< 1.2.9-8.1.2xmlsec1-devel-1.2.9-8.1.2.ia64.rpm
RedHatanyi386xmlsec1-devel< 1.2.6-3.2xmlsec1-devel-1.2.6-3.2.i386.rpm
RedHatanyia64xmlsec1-gnutls-devel< 1.2.9-8.1.2xmlsec1-gnutls-devel-1.2.9-8.1.2.ia64.rpm
RedHatanyppcxmlsec1-openssl-devel< 1.2.6-3.2xmlsec1-openssl-devel-1.2.6-3.2.ppc.rpm
RedHatanyppc64xmlsec1-nss< 1.2.9-8.1.2xmlsec1-nss-1.2.9-8.1.2.ppc64.rpm

OS	Version	Architecture	Package	Version	Filename
RedHat	any	i386	xmlsec1-nss	< 1.2.9-8.1.2	xmlsec1-nss-1.2.9-8.1.2.i386.rpm
RedHat	any	s390x	xmlsec1-gnutls-devel	< 1.2.9-8.1.2	xmlsec1-gnutls-devel-1.2.9-8.1.2.s390x.rpm
RedHat	any	s390x	xmlsec1	< 1.2.6-3.2	xmlsec1-1.2.6-3.2.s390x.rpm
RedHat	any	ia64	xmlsec1-openssl	< 1.2.6-3.2	xmlsec1-openssl-1.2.6-3.2.ia64.rpm
RedHat	any	s390	xmlsec1-gnutls	< 1.2.9-8.1.2	xmlsec1-gnutls-1.2.9-8.1.2.s390.rpm
RedHat	any	ia64	xmlsec1-devel	< 1.2.9-8.1.2	xmlsec1-devel-1.2.9-8.1.2.ia64.rpm
RedHat	any	i386	xmlsec1-devel	< 1.2.6-3.2	xmlsec1-devel-1.2.6-3.2.i386.rpm
RedHat	any	ia64	xmlsec1-gnutls-devel	< 1.2.9-8.1.2	xmlsec1-gnutls-devel-1.2.9-8.1.2.ia64.rpm
RedHat	any	ppc	xmlsec1-openssl-devel	< 1.2.6-3.2	xmlsec1-openssl-devel-1.2.6-3.2.ppc.rpm
RedHat	any	ppc64	xmlsec1-nss	< 1.2.9-8.1.2	xmlsec1-nss-1.2.9-8.1.2.ppc64.rpm