| 1 |
claire |
103 |
type: security |
| 2 |
|
|
subject: Updated xml-security-c package fixes multiple security vulnerabilities |
| 3 |
|
|
CVE: |
| 4 |
|
|
- CVE-2013-2153 |
| 5 |
|
|
- CVE-2013-2154 |
| 6 |
|
|
- CVE-2013-2155 |
| 7 |
|
|
- CVE-2013-2156 |
| 8 |
|
|
- CVE-2013-2210 |
| 9 |
|
|
src: |
| 10 |
|
|
2: |
| 11 |
|
|
core: |
| 12 |
|
|
- xml-security-c-1.6.1-1.2.mga2 |
| 13 |
|
|
3: |
| 14 |
|
|
core: |
| 15 |
|
|
- xml-security-c-1.7.0-2.2.mga3 |
| 16 |
|
|
description: | |
| 17 |
|
|
The implementation of XML digital signatures in the Santuario-C++ library |
| 18 |
|
|
is vulnerable to a spoofing issue allowing an attacker to reuse existing |
| 19 |
|
|
signatures with arbitrary content (CVE-2013-2153). |
| 20 |
|
|
|
| 21 |
|
|
A stack overflow, possibly leading to arbitrary code execution, exists in |
| 22 |
|
|
the processing of malformed XPointer expressions in the XML Signature |
| 23 |
|
|
Reference processing code (CVE-2013-2154). |
| 24 |
|
|
|
| 25 |
|
|
A bug in the processing of the output length of an HMAC-based XML |
| 26 |
|
|
Signature would cause a denial of service when processing specially chosen |
| 27 |
|
|
input (CVE-2013-2155). |
| 28 |
|
|
|
| 29 |
|
|
A heap overflow exists in the processing of the PrefixList attribute |
| 30 |
|
|
optionally used in conjunction with Exclusive Canonicalization, potentially |
| 31 |
|
|
allowing arbitrary code execution (CVE-2013-2156). |
| 32 |
|
|
|
| 33 |
|
|
The attempted fix to address CVE-2013-2154 introduced the possibility of a |
| 34 |
|
|
heap overflow, possibly leading to arbitrary code execution, in the |
| 35 |
|
|
processing of malformed XPointer expressions in the XML Signature Reference |
| 36 |
|
|
processing code (CVE-2013-2210). |
| 37 |
|
|
references: |
| 38 |
|
|
- http://santuario.apache.org/secadv.html |
| 39 |
|
|
- http://www.debian.org/security/2013/dsa-2710 |
| 40 |
|
|
- https://bugs.mageia.org/show_bug.cgi?id=10563 |
| 41 |
boklm |
122 |
ID: MGASA-2013-0193 |
Parent Directory
| 
Revision Log