
Mageia alert MGASA-2013-0193 (xml-security-c)

From:  Mageia Updates <buildsystem-daemon@mageia.org>
To:  updates-announce@ml.mageia.org
Subject:  [updates-announce] MGASA-2013-0193: Updated xml-security-c package fixes multiple security vulnerabilities
Date:  Mon, 1 Jul 2013 21:12:08 +0200
Message-ID:  <20130701191208.1F79441FB2@valstar.mageia.org>

MGASA-2013-0193 - Updated xml-security-c package fixes multiple security vulnerabilities

Publication date: 01 Jul 2013
URL: http://advisories.mageia.org/MGASA-2013-0193.html
Type: security
Affected Mageia releases: 2, 3
CVE: CVE-2013-2153, CVE-2013-2154, CVE-2013-2155, CVE-2013-2156, CVE-2013-2210

Description:

The implementation of XML digital signatures in the Santuario-C++ library is vulnerable to a spoofing issue allowing an attacker to reuse existing signatures with arbitrary content (CVE-2013-2153).

A stack overflow, possibly leading to arbitrary code execution, exists in the processing of malformed XPointer expressions in the XML Signature Reference processing code (CVE-2013-2154).

A bug in the processing of the output length of an HMAC-based XML Signature would cause a denial of service when processing specially chosen input (CVE-2013-2155).

A heap overflow exists in the processing of the PrefixList attribute optionally used in conjunction with Exclusive Canonicalization, potentially allowing arbitrary code execution (CVE-2013-2156).

The attempted fix to address CVE-2013-2154 introduced the possibility of a heap overflow, possibly leading to arbitrary code execution, in the processing of malformed XPointer expressions in the XML Signature Reference processing code (CVE-2013-2210).

References:
- http://santuario.apache.org/secadv.html
- http://www.debian.org/security/2013/dsa-2710
- https://bugs.mageia.org/show_bug.cgi?id=10563
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2153
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2154
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2155
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2156
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2210

SRPMS:
- 3/core/xml-security-c-1.7.0-2.2.mga3
- 2/core/xml-security-c-1.6.1-1.2.mga2
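Three of the five issues above are triggered by attacker-controlled constructs inside the Signature element itself: the HMACOutputLength value, XPointer expressions in Reference URIs, and the Exclusive C14N PrefixList. The following Python script is an added example, not code from Mageia or the Apache Santuario project, showing a pre-check a caller can run on untrusted XML Signature input before handing it to a verifier. It enforces the XML Signature 1.1 bounds on HMACOutputLength (an integer no larger than the digest, and at least 80 bits and at least half the digest length, which goes beyond the denial-of-service case in the advisory to the truncation minimum the 1.1 specification requires), flags XPointer expressions in Reference URIs, and bounds and validates PrefixList tokens. The sample documents, the 64-prefix limit and the prefix pattern are constructed assumptions, and the truncation routine is the generic leftmost-n-bits rule rather than any library's implementation.

```python
"""Pre-checks on untrusted XML Signature documents covering the three input
constructs named in MGASA-2013-0193: HMACOutputLength, XPointer expressions
in Reference URIs, and the Exclusive C14N PrefixList.

Added example; this is not Mageia or Apache Santuario code.  The sample
documents, MAX_PREFIXES and PREFIX_RE are constructed assumptions.
"""
import hashlib
import hmac
import math
import re
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
EC = "http://www.w3.org/2001/10/xml-exc-c14n#"
HASH_BITS = {"sha1": 160, "sha256": 256, "sha512": 512}
MAX_PREFIXES = 64                                          # assumed policy limit
PREFIX_RE = re.compile(r"^(#default|[A-Za-z_][\w.-]*)$")  # assumed NCName-style


def check_hmac_output_length(n, hash_name):
    """Reject HMACOutputLength values outside the XML Signature 1.1 bounds:
    an integer in 1..digest_bits that is at least max(80, digest_bits / 2)."""
    bits = HASH_BITS[hash_name]
    if not isinstance(n, int) or n <= 0 or n > bits:
        raise ValueError(f"HMACOutputLength {n!r} outside 1..{bits}")
    floor = max(80, bits // 2)
    if n < floor:
        raise ValueError(f"HMACOutputLength {n} below minimum {floor}")
    return n


def output_length_is_acceptable(n, hash_name):
    """Boolean form of check_hmac_output_length (unknown hash counts as bad)."""
    try:
        check_hmac_output_length(n, hash_name)
    except (ValueError, KeyError):
        return False
    return True


def truncated_hmac(key, data, hash_name, n):
    """Leftmost n bits of HMAC(key, data), computed only after validating n."""
    check_hmac_output_length(n, hash_name)
    mac = hmac.new(key, data, getattr(hashlib, hash_name)).digest()
    nbytes = math.ceil(n / 8)
    out = bytearray(mac[:nbytes])
    spare = nbytes * 8 - n            # low bits of the last byte that are not part of n
    if spare:
        out[-1] &= (0xFF << spare) & 0xFF
    return bytes(out)


def scan_signature(xml_text):
    """Return a list of findings for constructs worth rejecting up front."""
    root = ET.fromstring(xml_text)
    findings = []
    for sm in root.iter(f"{{{DS}}}SignatureMethod"):
        hol = sm.find(f"{{{DS}}}HMACOutputLength")
        if hol is None:
            continue
        alg = sm.get("Algorithm", "")
        hash_name = alg.rsplit("-", 1)[-1]          # ...#hmac-sha256 -> sha256
        text = (hol.text or "").strip()
        try:
            n = int(text)
        except ValueError:
            findings.append(f"HMACOutputLength is not an integer: {text!r}")
            continue
        if hash_name not in HASH_BITS:
            findings.append(f"HMACOutputLength with unsupported algorithm {alg}")
            continue
        try:
            check_hmac_output_length(n, hash_name)
        except ValueError as err:
            findings.append(f"HMACOutputLength: {err}")
    for ref in root.iter(f"{{{DS}}}Reference"):
        uri = ref.get("URI", "")
        if "xpointer(" in uri:                       # only bare Ids are accepted
            findings.append(f"XPointer expression in Reference URI {uri!r}")
    for inc in root.iter(f"{{{EC}}}InclusiveNamespaces"):
        prefixes = inc.get("PrefixList", "").split()
        if len(prefixes) > MAX_PREFIXES:
            findings.append(f"PrefixList has {len(prefixes)} tokens (limit {MAX_PREFIXES})")
        for p in prefixes:
            if not PREFIX_RE.match(p):
                findings.append(f"PrefixList token {p!r} is not a namespace prefix")
    return findings


def sample(prefix_list, hol, uri):
    """Constructed XML Signature skeleton; digest and signature values are dummies."""
    return f"""<Signature xmlns="{DS}">
  <SignedInfo>
    <CanonicalizationMethod Algorithm="{EC}">
      <ec:InclusiveNamespaces xmlns:ec="{EC}" PrefixList="{prefix_list}"/>
    </CanonicalizationMethod>
    <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#hmac-sha256">
      <HMACOutputLength>{hol}</HMACOutputLength>
    </SignatureMethod>
    <Reference URI="{uri}">
      <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
      <DigestValue>AAAA</DigestValue>
    </Reference>
  </SignedInfo>
  <SignatureValue>AAAA</SignatureValue>
</Signature>"""


GOOD_SIG = sample("soap", 128, "#body")
BAD_SIG = sample("soap &lt;junk", 8, "#xpointer(/descendant::*[@Id='body'])")

if __name__ == "__main__":
    for name, doc in (("good", GOOD_SIG), ("bad", BAD_SIG)):
        print(name, scan_signature(doc))
```

Running the script reports no findings for GOOD_SIG and three for BAD_SIG (an HMACOutputLength of 8 bits against a 256-bit digest, an XPointer Reference URI, and a PrefixList token that is not a prefix). Rejecting these early does not replace the package update listed under SRPMS; it limits what reaches the library's parsing paths while the update is rolled out.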



Copyright © 2013, Eklektix, Inc.