-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2710-1                   security@debian.org
http://www.debian.org/security/                      Salvatore Bonaccorso
June 18, 2013                          http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : xml-security-c
Vulnerability  : several
Problem type   : local (remote)
Debian-specific: no
CVE ID         : CVE-2013-2153 CVE-2013-2154 CVE-2013-2155 CVE-2013-2156

James Forshaw from Context Information Security discovered several
vulnerabilities in xml-security-c, an implementation of the XML Digital
Security specification. The Common Vulnerabilities and Exposures project
identifies the following problems:

CVE-2013-2153

    The implementation of XML digital signatures in the Santuario-C++
    library is vulnerable to a spoofing issue allowing an attacker to
    reuse existing signatures with arbitrary content.

CVE-2013-2154

    A stack overflow, possibly leading to arbitrary code execution,
    exists in the processing of malformed XPointer expressions in the
    XML Signature Reference processing code.

CVE-2013-2155

    A bug in the processing of the output length of an HMAC-based XML
    Signature would cause a denial of service when processing specially
    chosen input.

CVE-2013-2156

    A heap overflow exists in the processing of the PrefixList attribute
    optionally used in conjunction with Exclusive Canonicalization,
    potentially allowing arbitary code execution.

For the oldstable distribution (squeeze), these problems have been fixed in
version 1.5.1-3+squeeze2.

For the stable distribution (wheezy), these problems have been fixed in
version 1.6.1-5+deb7u1.

For the unstable distribution (sid), these problems have been fixed in
version 1.6.1-6.

We recommend that you upgrade your xml-security-c packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBCgAGBQJRwHydAAoJEHidbwV/2GP+4yoP/Rnk79Cvk1G7JKQXvnwyaRWm
rXg8dxNz2RihzscmdS5t7EdZem3Xp1vAdVzgXlQK9Ll8DbqtMXgvM3/CburBHtn5
2CXJyryJ5YtK9758JQLjjE5zS74AWMgEUFcu5zBjAC9BX5XWRVRa67yovi8xsync
sDiQTsVPSe8IWJ1N2Le70qA/2Bmzf7E+EPYig8kEFa3dEb3+KJ2d2e/mJbexv0CJ
FNZTVyHRD2Q/kiB74IUyUBuuyw1gMAj+tdEmucdMgzAU6dBvoP+p5/uLXWoeTez6
X0TJqglbMPSod1LQrMdd4kzo5LZ8P1EjS2S7I6oq5n4kUcw4WLrSmxCDMXci52um
WwFk8r4LdnXYDaBeuNtO0Z0TeJ3YaFuoOMzZadVgqqU7TX6DzOYC1q+dj0TxYXjD
2Fxu8/18mU9qO4oADVkk/OpsLday4br+HOvzAJXfySh65sLP39PyYeDMZp+BAJ4S
Z2enVfaVz7p/oBardDElD5E1qiLo+tC8meFwJ7yJhwJuzOh9qYDjCa0dXD1ZcYso
vqAxnnW4RTerY4dpvsFuZCcKcDzfh3Pf4M2MkBiJ8ZHw6t1BAjOPb7XcSYzmmoEu
s2L+yhZrxd5iDjMZ1SwOhds5k/rg7sIibi0HZgtjmm/CRxLhMDDl6iqJEHv7jB/x
/6laY6ryAuw5RTWhC6Ae
=jPyl
-----END PGP SIGNATURE-----