
Mandriva Linux Security Advisory 2009-267

Posted Oct 12, 2009
Authored by Mandriva | Site mandriva.com

Mandriva Linux Security Advisory 2009-267 - A missing check for the recommended minimum length of the truncated form of HMAC-based XML signatures was found in xmlsec1 prior to 1.2.12. An attacker could use this flaw to create a specially-crafted XML file that forges an XML signature, allowing the attacker to bypass authentication that is based on the XML Signature specification. This update fixes this vulnerability.

tags | advisory
systems | linux, mandriva
advisories | CVE-2009-0217
SHA-256 | f7143c170e1b9f4aaddef63897e6ef985b74abe57270b1b7585b898c8eea1aea


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2009:267
http://www.mandriva.com/security/
_______________________________________________________________________

Package : xmlsec1
Date : October 10, 2009
Affected: 2008.1, 2009.0, 2009.1, Enterprise Server 5.0
_______________________________________________________________________

Problem Description:

A vulnerability has been found and corrected in xmlsec1:

A missing check for the recommended minimum length of the truncated
form of HMAC-based XML signatures was found in xmlsec1 prior to
1.2.12. An attacker could use this flaw to create a specially-crafted
XML file that forges an XML signature, allowing the attacker to
bypass authentication that is based on the XML Signature specification
(CVE-2009-0217).

This update fixes this vulnerability.
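
The missing check, sketched as an added example (not xmlsec1's code and not part of the advisory): a verifier that reads HMACOutputLength from a SignatureMethod element and fails closed when it is below the floor set in XML Signature Second Edition (at least 80 bits and at least half the hash output). The function names, key and sample elements are constructed for illustration, and the whole-byte restriction is a simplification.

```python
import hmac
import xml.etree.ElementTree as ET

DSIG = "http://www.w3.org/2000/09/xmldsig#"
# Digest name and full output size in bits per HMAC SignatureMethod URI.
HMAC_ALGS = {
    DSIG + "hmac-sha1": ("sha1", 160),
    "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256": ("sha256", 256),
}

def truncation_bits(signature_method_xml):
    """Return (digest, bits) to compare; raise ValueError if the length is unsafe."""
    elem = ET.fromstring(signature_method_xml)
    if elem.get("Algorithm") not in HMAC_ALGS:
        raise ValueError("unsupported SignatureMethod")
    digest, full = HMAC_ALGS[elem.get("Algorithm")]
    node = elem.find("{%s}HMACOutputLength" % DSIG)
    if node is None:
        return digest, full  # no truncation requested
    bits = int((node.text or "").strip())  # ValueError if not a number
    # Floor: at least 80 bits and at least half the hash output.
    # Accepting whole bytes only is a simplification of this sketch.
    if bits % 8 or bits > full or bits < max(80, full // 2):
        raise ValueError("HMACOutputLength %d rejected" % bits)
    return digest, bits

def verify(signature_method_xml, key, signed_info, signature_value):
    """Verify a (possibly truncated) HMAC, failing closed on a bad length."""
    try:
        digest, bits = truncation_bits(signature_method_xml)
    except (ValueError, ET.ParseError):
        return False
    expected = hmac.new(key, signed_info, digest).digest()[: bits // 8]
    return hmac.compare_digest(expected, signature_value)

def sample_method(bits=None):
    """Constructed sample input: an hmac-sha1 SignatureMethod element."""
    inner = "" if bits is None else "<HMACOutputLength>%s</HMACOutputLength>" % bits
    return '<SignatureMethod xmlns="%s" Algorithm="%shmac-sha1">%s</SignatureMethod>' % (
        DSIG, DSIG, inner)

# Constructed key and signed data for the demonstration.
KEY, SIGNED_INFO = b"constructed-demo-key", b"<SignedInfo>constructed</SignedInfo>"
FULL_MAC = hmac.new(KEY, SIGNED_INFO, "sha1").digest()
```

Without the length floor, an element declaring an 8-bit output would reduce verification to a one-byte comparison; here it is rejected before any MAC is computed.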
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0217
http://www.kb.cert.org/vuls/id/466161
_______________________________________________________________________

Updated Packages:

_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFK0JCzmqjQ0CJFipgRAiQkAKCPMeiv6u4c8QtJ9Xa+pqmI37PbUQCg6NcS
Mt8oN+14QbOcaASD3mgoV7I=
=5IPi
-----END PGP SIGNATURE-----
