Pardus alert 2011-73 (xmlsec)
From: Meltem Parmaksız <meltem@pardus.org.tr>
To: pardus-security@pardus.org.tr
Subject: [Pardus-security] [PLSA 2011-73] xmlsec: Create Arbitrary File
Date: Tue, 3 May 2011 14:13:48 +0300
Message-ID: <201105031413.48982.meltem@pardus.org.tr>

------------------------------------------------------------------------
Pardus Linux Security Advisory 2011-73            security@pardus.org.tr
------------------------------------------------------------------------
      Date: 2011-05-03
      Type: Remote
------------------------------------------------------------------------

Summary
=======

A vulnerability has been fixed in xmlsec, which allows remote attackers to create or overwrite arbitrary files.

Description
===========

CVE-2011-1425: xslt.c in XML Security Library (aka xmlsec) before 1.2.17, as used in WebKit and other products, when XSLT is enabled, allows remote attackers to create or overwrite arbitrary files via vectors involving the libxslt output extension and a ds:Transform element during signature verification.

Affected packages:

  Pardus 2009:
    xmlsec, all before 1.2.17-6-2

  Pardus 2011:
    xmlsec1, all before 1.2.17-7-p11
    xmlsec1-devel, all before 1.2.17-7-p11

Resolution
==========

There are update(s) for xmlsec, xmlsec1, xmlsec1-devel. You can update them via Package Manager or with a single command from console:

  Pardus 2009:
    pisi up xmlsec

  Pardus 2011:
    pisi up xmlsec1 xmlsec1-devel

References
==========

  * http://bugs.pardus.org.tr/show_bug.cgi?id=17684
  * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1425

------------------------------------------------------------------------
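
A pre-verification check for the condition in the Description, as an added example that is not part of the advisory or of xmlsec: it lists every ds:Transform that would invoke XSLT, so a caller can refuse the document before signature verification runs. The function name and the sample document are constructed for illustration; the Algorithm URI is the one XML-DSig assigns to the XSLT transform.

```python
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
XSL_NS = "http://www.w3.org/1999/XSL/Transform"
# Algorithm URI that XML-DSig assigns to the XSLT transform.
XSLT_ALGORITHM = "http://www.w3.org/TR/1999/REC-xslt-19991116"


def find_xslt_transforms(xml_bytes):
    """List (holder, URI, Algorithm) for every ds:Transform that carries XSLT."""
    if b"<!DOCTYPE" in xml_bytes:
        raise ValueError("DOCTYPE is not accepted in signed input")
    root = ET.fromstring(xml_bytes)
    findings = []
    # Transforms can hang off ds:Reference and off ds:RetrievalMethod in KeyInfo.
    for holder_name in ("Reference", "RetrievalMethod"):
        for holder in root.iter(f"{{{DSIG_NS}}}{holder_name}"):
            for transform in holder.iter(f"{{{DSIG_NS}}}Transform"):
                algorithm = transform.get("Algorithm", "")
                # Conservative: also flag a stylesheet under any other Algorithm.
                embeds_xsl = any(el.tag.startswith(f"{{{XSL_NS}}}") for el in transform.iter())
                if algorithm == XSLT_ALGORITHM or embeds_xsl:
                    findings.append((holder_name, holder.get("URI", ""), algorithm))
    return findings


# Constructed sample: one ordinary reference, one carrying a harmless XSLT transform.
SAMPLE = b"""<doc xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 <ds:Signature><ds:SignedInfo>
  <ds:Reference URI="">
   <ds:Transforms>
    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
   </ds:Transforms>
  </ds:Reference>
  <ds:Reference URI="#payload">
   <ds:Transforms>
    <ds:Transform Algorithm="http://www.w3.org/TR/1999/REC-xslt-19991116">
     <xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
      <xsl:template match="/"><xsl:copy-of select="."/></xsl:template>
     </xsl:stylesheet>
    </ds:Transform>
   </ds:Transforms>
  </ds:Reference>
 </ds:SignedInfo></ds:Signature>
</doc>"""

if __name__ == "__main__":
    for holder, uri, algorithm in find_xslt_transforms(SAMPLE):
        print(f"refuse to verify: {holder} URI={uri!r} uses {algorithm}")
```

An empty result means no XSLT transform is present; it says nothing about whether the installed xmlsec is one of the fixed package versions listed above.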
