what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Mandriva Linux Security Advisory 2009-318

Mandriva Linux Security Advisory 2009-318
Posted Dec 7, 2009
Authored by Mandriva | Site mandriva.com

Mandriva Linux Security Advisory 2009-318 - Multiple security vulnerabilities has been identified and fixed A missing check for the recommended minimum length of the truncated form of HMAC-based XML signatures was found in xmlsec1 prior to 1.2.12. An attacker could use this flaw to create a specially-crafted XML file that forges an XML signature, allowing the attacker to bypass authentication that is based on the XML Signature specification. All versions of libtool prior to 2.2.6b suffers from a local privilege escalation vulnerability that could be exploited under certain conditions to load arbitrary code. Packages for 2008.0 are being provided due to extended support for Corporate products. This update fixes this vulnerability.

tags | advisory, arbitrary, local, vulnerability
systems | linux, mandriva
advisories | CVE-2009-0217, CVE-2009-3736
SHA-256 | 57180189922a60fc6fb2be31e076999decbc3545b198b5eaa2ef09248026f28a

Mandriva Linux Security Advisory 2009-318

Change Mirror Download

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2009:318
http://www.mandriva.com/security/
_______________________________________________________________________

Package : xmlsec1
Date : December 5, 2009
Affected: 2008.0
_______________________________________________________________________

Problem Description:

Multiple security vulnerabilities has been identified and fixed
in xmlsec1:

A missing check for the recommended minimum length of the truncated
form of HMAC-based XML signatures was found in xmlsec1 prior to
1.2.12. An attacker could use this flaw to create a specially-crafted
XML file that forges an XML signature, allowing the attacker to
bypass authentication that is based on the XML Signature specification
(CVE-2009-0217).

All versions of libtool prior to 2.2.6b suffers from a local
privilege escalation vulnerability that could be exploited under
certain conditions to load arbitrary code (CVE-2009-3736).

Packages for 2008.0 are being provided due to extended support for
Corporate products.

This update fixes this vulnerability.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0217
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3736
http://www.kb.cert.org/vuls/id/466161
_______________________________________________________________________

Updated Packages:

Mandriva Linux 2008.0:
b74d614ed793451440ea18c7aab434ee 2008.0/i586/libxmlsec1-1-1.2.10-5.1mdv2008.0.i586.rpm
34cc1274710d3c2013ff4c1222d0349d 2008.0/i586/libxmlsec1-devel-1.2.10-5.1mdv2008.0.i586.rpm
88b378d43d3ba44bad7d47c1eb5d6c5c 2008.0/i586/libxmlsec1-gnutls1-1.2.10-5.1mdv2008.0.i586.rpm
7c7e766ab3886c57d1519b83b4b06af8 2008.0/i586/libxmlsec1-gnutls-devel-1.2.10-5.1mdv2008.0.i586.rpm
712c732bc8ff6050fdc6dd108623e63a 2008.0/i586/libxmlsec1-nss1-1.2.10-5.1mdv2008.0.i586.rpm
bed9636e852f4c90cd9a5891fb9395ea 2008.0/i586/libxmlsec1-nss-devel-1.2.10-5.1mdv2008.0.i586.rpm
3e6940d49ffc024240b7116250d1f770 2008.0/i586/libxmlsec1-openssl1-1.2.10-5.1mdv2008.0.i586.rpm
cb8d177f72966ff06a9a1e08f8c48dbe 2008.0/i586/libxmlsec1-openssl-devel-1.2.10-5.1mdv2008.0.i586.rpm
38ae0ed435d6e5133530d5af4a33883a 2008.0/i586/xmlsec1-1.2.10-5.1mdv2008.0.i586.rpm
bf47e5312113b150bdcce2634254b555 2008.0/SRPMS/xmlsec1-1.2.10-5.1mdv2008.0.src.rpm

Mandriva Linux 2008.0/X86_64:
2f16be60c636cc6d286258b7d331f52b 2008.0/x86_64/lib64xmlsec1-1-1.2.10-5.1mdv2008.0.x86_64.rpm
dcbfa0192a2a1ed72d9b4f7fc4c31c7f 2008.0/x86_64/lib64xmlsec1-devel-1.2.10-5.1mdv2008.0.x86_64.rpm
b7d5a923126d4ab43b9c9868aed26803 2008.0/x86_64/lib64xmlsec1-gnutls1-1.2.10-5.1mdv2008.0.x86_64.rpm
041a56825a59f497dce1085bc0fcf717 2008.0/x86_64/lib64xmlsec1-gnutls-devel-1.2.10-5.1mdv2008.0.x86_64.rpm
5f70fda9524faee1b86e14e7b092e426 2008.0/x86_64/lib64xmlsec1-nss1-1.2.10-5.1mdv2008.0.x86_64.rpm
63c4b923f7cf4bb46e06d966a880ef6c 2008.0/x86_64/lib64xmlsec1-nss-devel-1.2.10-5.1mdv2008.0.x86_64.rpm
62174f73e2d333da65befa79cd85c1ad 2008.0/x86_64/lib64xmlsec1-openssl1-1.2.10-5.1mdv2008.0.x86_64.rpm
6439cacc0520e43b8280758a4a91b042 2008.0/x86_64/lib64xmlsec1-openssl-devel-1.2.10-5.1mdv2008.0.x86_64.rpm
e4db63bda5a32757a17be8d4dcd31639 2008.0/x86_64/xmlsec1-1.2.10-5.1mdv2008.0.x86_64.rpm
bf47e5312113b150bdcce2634254b555 2008.0/SRPMS/xmlsec1-1.2.10-5.1mdv2008.0.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFLGm8VmqjQ0CJFipgRAoJbAJ42kcAyU+o1vyhTG3qRCkeqdZrZVwCghcOr
q34YlWPMSVOFL9sx5T0/mA4=
=WFZU
-----END PGP SIGNATURE-----
Login or Register to add favorites

File Archive:

December 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    0 Files
  • 2
    Dec 2nd
    41 Files
  • 3
    Dec 3rd
    25 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close