/[advisories]/10563.adv
ViewVC logotype

Annotation of /10563.adv

Parent Directory Parent Directory | Revision Log Revision Log


Revision 103 - (hide annotations) (download)
Thu Jun 27 15:47:49 2013 UTC (7 years, 9 months ago) by claire
File size: 1500 byte(s)
Adding sec advisory for xml-security-c mga#10563
1 claire 103 type: security
2     subject: Updated xml-security-c package fixes multiple security vulnerabilities
3     CVE:
4     - CVE-2013-2153
5     - CVE-2013-2154
6     - CVE-2013-2155
7     - CVE-2013-2156
8     - CVE-2013-2210
9     src:
10     2:
11     core:
12     - xml-security-c-1.6.1-1.2.mga2
13     3:
14     core:
15     - xml-security-c-1.7.0-2.2.mga3
16     description: |
17     The implementation of XML digital signatures in the Santuario-C++ library
18     is vulnerable to a spoofing issue allowing an attacker to reuse existing
19     signatures with arbitrary content (CVE-2013-2153).
20    
21     A stack overflow, possibly leading to arbitrary code execution, exists in
22     the processing of malformed XPointer expressions in the XML Signature
23     Reference processing code (CVE-2013-2154).
24    
25     A bug in the processing of the output length of an HMAC-based XML
26     Signature would cause a denial of service when processing specially chosen
27     input (CVE-2013-2155).
28    
29     A heap overflow exists in the processing of the PrefixList attribute
30     optionally used in conjunction with Exclusive Canonicalization, potentially
31     allowing arbitrary code execution (CVE-2013-2156).
32    
33     The attempted fix to address CVE-2013-2154 introduced the possibility of a
34     heap overflow, possibly leading to arbitrary code execution, in the
35     processing of malformed XPointer expressions in the XML Signature Reference
36     processing code (CVE-2013-2210).
37     references:
38     - http://santuario.apache.org/secadv.html
39     - http://www.debian.org/security/2013/dsa-2710
40     - https://bugs.mageia.org/show_bug.cgi?id=10563

  ViewVC Help
Powered by ViewVC 1.1.28