-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDVSA-2009:267 http://www.mandriva.com/security/ _______________________________________________________________________ Package : xmlsec1 Date : October 10, 2009 Affected: 2008.1, 2009.0, 2009.1, Enterprise Server 5.0 _______________________________________________________________________ Problem Description: A vulnerability has been found and corrected in xmlsec1: A missing check for the recommended minimum length of the truncated form of HMAC-based XML signatures was found in xmlsec1 prior to 1.2.12. An attacker could use this flaw to create a specially-crafted XML file that forges an XML signature, allowing the attacker to bypass authentication that is based on the XML Signature specification (CVE-2009-0217). This update fixes this vulnerability. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0217 http://www.kb.cert.org/vuls/id/466161 _______________________________________________________________________ Updated Packages: Mandriva Linux 2008.1: 388b774554e4872b7aa863c8c8d3597c 2008.1/i586/libxmlsec1-1-1.2.10-6.1mdv2008.1.i586.rpm fb14b0f6a2f4fd24219e2452557751cc 2008.1/i586/libxmlsec1-devel-1.2.10-6.1mdv2008.1.i586.rpm 326ce38b3d0600524984eb130244935f 2008.1/i586/libxmlsec1-gnutls1-1.2.10-6.1mdv2008.1.i586.rpm 3a5069b48d3790f5387bf0b889c0b33e 2008.1/i586/libxmlsec1-gnutls-devel-1.2.10-6.1mdv2008.1.i586.rpm eebce4a7e7013ff9e32b5d4f5b1eeb13 2008.1/i586/libxmlsec1-nss1-1.2.10-6.1mdv2008.1.i586.rpm 2a6ba4dd01ab9ea497bcff0f67538fb3 2008.1/i586/libxmlsec1-nss-devel-1.2.10-6.1mdv2008.1.i586.rpm 975bd585cabd4af6a33f83894105d546 2008.1/i586/libxmlsec1-openssl1-1.2.10-6.1mdv2008.1.i586.rpm 486748866cfd54a77dd7193c1125d9e2 2008.1/i586/libxmlsec1-openssl-devel-1.2.10-6.1mdv2008.1.i586.rpm 47d546bca4d9eabbd6156e32651b1d75 2008.1/i586/xmlsec1-1.2.10-6.1mdv2008.1.i586.rpm 8eac3805b6f992c9203a66d5b35c3085 2008.1/SRPMS/xmlsec1-1.2.10-6.1mdv2008.1.src.rpm Mandriva Linux 2008.1/X86_64: 7484ba0791bd8706b852c2ae187e8786 2008.1/x86_64/lib64xmlsec1-1-1.2.10-6.1mdv2008.1.x86_64.rpm 771e9bd35a2901a224435f6d99885014 2008.1/x86_64/lib64xmlsec1-devel-1.2.10-6.1mdv2008.1.x86_64.rpm 4b94e2c01cb70e38d670f6d97ccc3082 2008.1/x86_64/lib64xmlsec1-gnutls1-1.2.10-6.1mdv2008.1.x86_64.rpm e94a47d77ebc1b9d25861e83d5b56686 2008.1/x86_64/lib64xmlsec1-gnutls-devel-1.2.10-6.1mdv2008.1.x86_64.rpm 3cc3249f6da0b6d215a9b8b57f2b9b69 2008.1/x86_64/lib64xmlsec1-nss1-1.2.10-6.1mdv2008.1.x86_64.rpm 09ce0f59062744d8ee0129255b99e48c 2008.1/x86_64/lib64xmlsec1-nss-devel-1.2.10-6.1mdv2008.1.x86_64.rpm 7cd72245babca168b5160c201b3650d0 2008.1/x86_64/lib64xmlsec1-openssl1-1.2.10-6.1mdv2008.1.x86_64.rpm 682073d947d961647cafb6bc80ad3206 2008.1/x86_64/lib64xmlsec1-openssl-devel-1.2.10-6.1mdv2008.1.x86_64.rpm 90fddbd13802bf1cef89e4948063ada8 2008.1/x86_64/xmlsec1-1.2.10-6.1mdv2008.1.x86_64.rpm 8eac3805b6f992c9203a66d5b35c3085 2008.1/SRPMS/xmlsec1-1.2.10-6.1mdv2008.1.src.rpm Mandriva Linux 2009.0: aef90b767a2e184dc2a2eec96cf2dd63 2009.0/i586/libxmlsec1-1-1.2.10-7.1mdv2009.0.i586.rpm 68ab430e0b63ec94f626168812909f5e 2009.0/i586/libxmlsec1-devel-1.2.10-7.1mdv2009.0.i586.rpm 932558e556911a0247fd96ca9af785d4 2009.0/i586/libxmlsec1-gnutls1-1.2.10-7.1mdv2009.0.i586.rpm a58e62c9234f4e3b2f6180b552348940 2009.0/i586/libxmlsec1-gnutls-devel-1.2.10-7.1mdv2009.0.i586.rpm d377cfb8e2bc4ec3457d7133b1e35a84 2009.0/i586/libxmlsec1-nss1-1.2.10-7.1mdv2009.0.i586.rpm 839c04900e607dba7e2431f711191521 2009.0/i586/libxmlsec1-nss-devel-1.2.10-7.1mdv2009.0.i586.rpm 7359aade4fce3137d90f1c4bca721f1d 2009.0/i586/libxmlsec1-openssl1-1.2.10-7.1mdv2009.0.i586.rpm ba579a3d4cd326a1f055ef0943dbee73 2009.0/i586/libxmlsec1-openssl-devel-1.2.10-7.1mdv2009.0.i586.rpm 82059801976d099e449944998126fda9 2009.0/i586/xmlsec1-1.2.10-7.1mdv2009.0.i586.rpm c2cf86a3ea639e2d1241c8e129141353 2009.0/SRPMS/xmlsec1-1.2.10-7.1mdv2009.0.src.rpm Mandriva Linux 2009.0/X86_64: 31c3d20e6b1d34a717772a4e439686c2 2009.0/x86_64/lib64xmlsec1-1-1.2.10-7.1mdv2009.0.x86_64.rpm c689e59d577bb5b278789c4118a7618c 2009.0/x86_64/lib64xmlsec1-devel-1.2.10-7.1mdv2009.0.x86_64.rpm 5b7b2e53969e052865edead9d0f715a7 2009.0/x86_64/lib64xmlsec1-gnutls1-1.2.10-7.1mdv2009.0.x86_64.rpm 02f857939f5450931ddf524d6d7c2300 2009.0/x86_64/lib64xmlsec1-gnutls-devel-1.2.10-7.1mdv2009.0.x86_64.rpm e16b2b9dd55c9e504fa5102665bda206 2009.0/x86_64/lib64xmlsec1-nss1-1.2.10-7.1mdv2009.0.x86_64.rpm 91cbad72b3fa2cbc600b9d5bb9dfeef4 2009.0/x86_64/lib64xmlsec1-nss-devel-1.2.10-7.1mdv2009.0.x86_64.rpm 1a36234cb7159d784965e467c834097b 2009.0/x86_64/lib64xmlsec1-openssl1-1.2.10-7.1mdv2009.0.x86_64.rpm ebdc55d7854500a9bf383581a1244263 2009.0/x86_64/lib64xmlsec1-openssl-devel-1.2.10-7.1mdv2009.0.x86_64.rpm 8e059fd0e03d31b24f051877646a42fa 2009.0/x86_64/xmlsec1-1.2.10-7.1mdv2009.0.x86_64.rpm c2cf86a3ea639e2d1241c8e129141353 2009.0/SRPMS/xmlsec1-1.2.10-7.1mdv2009.0.src.rpm Mandriva Linux 2009.1: 463cbcb0217b1a3b38a8be50ee3f3c54 2009.1/i586/libxmlsec1-1-1.2.10-8.1mdv2009.1.i586.rpm 720e8f608efb57405b85c887190bd007 2009.1/i586/libxmlsec1-devel-1.2.10-8.1mdv2009.1.i586.rpm e56b286a1a9ff2048e4161d1c6750ac7 2009.1/i586/libxmlsec1-gnutls1-1.2.10-8.1mdv2009.1.i586.rpm ea3b894c699ed5cb3d250a2815363845 2009.1/i586/libxmlsec1-gnutls-devel-1.2.10-8.1mdv2009.1.i586.rpm df6e7309597adeeec626f072ba9b10a1 2009.1/i586/libxmlsec1-nss1-1.2.10-8.1mdv2009.1.i586.rpm bd7d8418b77dc58657a3e7b2278fc7bf 2009.1/i586/libxmlsec1-nss-devel-1.2.10-8.1mdv2009.1.i586.rpm 8f5b2f6b6191af698aef68c4c31b848f 2009.1/i586/libxmlsec1-openssl1-1.2.10-8.1mdv2009.1.i586.rpm 1f5f51ec2a562a9668508b7e8f1edf79 2009.1/i586/libxmlsec1-openssl-devel-1.2.10-8.1mdv2009.1.i586.rpm dda711479dc6ac367a72880900884118 2009.1/i586/xmlsec1-1.2.10-8.1mdv2009.1.i586.rpm b2c8957e3cf68dd729ed999b1a8df4d4 2009.1/SRPMS/xmlsec1-1.2.10-8.1mdv2009.1.src.rpm Mandriva Linux 2009.1/X86_64: c54eade2b73fb50287f0bdc9c8f7b746 2009.1/x86_64/lib64xmlsec1-1-1.2.10-8.1mdv2009.1.x86_64.rpm 4a062d6f23f6136faaa56376be7f8459 2009.1/x86_64/lib64xmlsec1-devel-1.2.10-8.1mdv2009.1.x86_64.rpm 56c33b45f3e24d4f397565dee1f72026 2009.1/x86_64/lib64xmlsec1-gnutls1-1.2.10-8.1mdv2009.1.x86_64.rpm 1bd20c0d3045cef364c42c56cc7df6d1 2009.1/x86_64/lib64xmlsec1-gnutls-devel-1.2.10-8.1mdv2009.1.x86_64.rpm bf92e675998bc1fefcfe5cc3f5a569a0 2009.1/x86_64/lib64xmlsec1-nss1-1.2.10-8.1mdv2009.1.x86_64.rpm 168787927b24a7da78717d4c246685bd 2009.1/x86_64/lib64xmlsec1-nss-devel-1.2.10-8.1mdv2009.1.x86_64.rpm 404498bd0f6e29dda4d556fdcce71e4a 2009.1/x86_64/lib64xmlsec1-openssl1-1.2.10-8.1mdv2009.1.x86_64.rpm 18058e3ee91a4b39a6ac7cf3c9dbc34f 2009.1/x86_64/lib64xmlsec1-openssl-devel-1.2.10-8.1mdv2009.1.x86_64.rpm 602e5da1b10bbdd38ed65d1620821c83 2009.1/x86_64/xmlsec1-1.2.10-8.1mdv2009.1.x86_64.rpm b2c8957e3cf68dd729ed999b1a8df4d4 2009.1/SRPMS/xmlsec1-1.2.10-8.1mdv2009.1.src.rpm Mandriva Enterprise Server 5: 0084106a2bc4b970f0469c23dc30084e mes5/i586/libxmlsec1-1-1.2.10-7.1mdvmes5.i586.rpm 569d0ed58642f4eabcd9af1a3cb0402d mes5/i586/libxmlsec1-devel-1.2.10-7.1mdvmes5.i586.rpm 9380b3121a2e489cdeff709fab033379 mes5/i586/libxmlsec1-gnutls1-1.2.10-7.1mdvmes5.i586.rpm ddf6b63d02850e9e07b2f130a2a2d2e6 mes5/i586/libxmlsec1-gnutls-devel-1.2.10-7.1mdvmes5.i586.rpm dbf22baa4022b6d6625fc75b7cbf4bab mes5/i586/libxmlsec1-nss1-1.2.10-7.1mdvmes5.i586.rpm 69fd3bebdac3b66b2905c6c7a077a089 mes5/i586/libxmlsec1-nss-devel-1.2.10-7.1mdvmes5.i586.rpm 6f96e59feee66ecae20270df86aea965 mes5/i586/libxmlsec1-openssl1-1.2.10-7.1mdvmes5.i586.rpm 3613da5ca1c60d2ea16523804270013d mes5/i586/libxmlsec1-openssl-devel-1.2.10-7.1mdvmes5.i586.rpm 6e3742296ac15407bb1012efd48d608d mes5/i586/xmlsec1-1.2.10-7.1mdvmes5.i586.rpm 219a23cc35df25ca711a026647e13e3d mes5/SRPMS/xmlsec1-1.2.10-7.1mdvmes5.src.rpm Mandriva Enterprise Server 5/X86_64: a303d9680fca6ca97704d93e0a75fb03 mes5/x86_64/lib64xmlsec1-1-1.2.10-7.1mdvmes5.x86_64.rpm 8266c60eb8803dd449b382769aede1a2 mes5/x86_64/lib64xmlsec1-devel-1.2.10-7.1mdvmes5.x86_64.rpm 1f7f31d8c01ed6b7103e5518c22361e9 mes5/x86_64/lib64xmlsec1-gnutls1-1.2.10-7.1mdvmes5.x86_64.rpm 914e15b7fc8b0fb27db816b8cdcd6b4b mes5/x86_64/lib64xmlsec1-gnutls-devel-1.2.10-7.1mdvmes5.x86_64.rpm 779f85417bcc1dfcfd74816c8d45bf14 mes5/x86_64/lib64xmlsec1-nss1-1.2.10-7.1mdvmes5.x86_64.rpm 5b3f264fbe31533d326c962c7da38880 mes5/x86_64/lib64xmlsec1-nss-devel-1.2.10-7.1mdvmes5.x86_64.rpm 80b5562a1902d0ad3ec16cea6c9d2ee6 mes5/x86_64/lib64xmlsec1-openssl1-1.2.10-7.1mdvmes5.x86_64.rpm 96838c1c267b78f9244787016f4927a3 mes5/x86_64/lib64xmlsec1-openssl-devel-1.2.10-7.1mdvmes5.x86_64.rpm cb87ad0ded731d499eab63c4808610c6 mes5/x86_64/xmlsec1-1.2.10-7.1mdvmes5.x86_64.rpm 219a23cc35df25ca711a026647e13e3d mes5/SRPMS/xmlsec1-1.2.10-7.1mdvmes5.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iD8DBQFK0JCzmqjQ0CJFipgRAiQkAKCPMeiv6u4c8QtJ9Xa+pqmI37PbUQCg6NcS Mt8oN+14QbOcaASD3mgoV7I= =5IPi -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/