| 1 |
type: security |
| 2 |
subject: Updated xml-security-c package fixes multiple security vulnerabilities |
| 3 |
CVE: |
| 4 |
- CVE-2013-2153 |
| 5 |
- CVE-2013-2154 |
| 6 |
- CVE-2013-2155 |
| 7 |
- CVE-2013-2156 |
| 8 |
- CVE-2013-2210 |
| 9 |
src: |
| 10 |
2: |
| 11 |
core: |
| 12 |
- xml-security-c-1.6.1-1.2.mga2 |
| 13 |
3: |
| 14 |
core: |
| 15 |
- xml-security-c-1.7.0-2.2.mga3 |
| 16 |
description: | |
| 17 |
The implementation of XML digital signatures in the Santuario-C++ library |
| 18 |
is vulnerable to a spoofing issue allowing an attacker to reuse existing |
| 19 |
signatures with arbitrary content (CVE-2013-2153). |
| 20 |
|
| 21 |
A stack overflow, possibly leading to arbitrary code execution, exists in |
| 22 |
the processing of malformed XPointer expressions in the XML Signature |
| 23 |
Reference processing code (CVE-2013-2154). |
| 24 |
|
| 25 |
A bug in the processing of the output length of an HMAC-based XML |
| 26 |
Signature would cause a denial of service when processing specially chosen |
| 27 |
input (CVE-2013-2155). |
| 28 |
|
| 29 |
A heap overflow exists in the processing of the PrefixList attribute |
| 30 |
optionally used in conjunction with Exclusive Canonicalization, potentially |
| 31 |
allowing arbitrary code execution (CVE-2013-2156). |
| 32 |
|
| 33 |
The attempted fix to address CVE-2013-2154 introduced the possibility of a |
| 34 |
heap overflow, possibly leading to arbitrary code execution, in the |
| 35 |
processing of malformed XPointer expressions in the XML Signature Reference |
| 36 |
processing code (CVE-2013-2210). |
| 37 |
references: |
| 38 |
- http://santuario.apache.org/secadv.html |
| 39 |
- http://www.debian.org/security/2013/dsa-2710 |
| 40 |
- https://bugs.mageia.org/show_bug.cgi?id=10563 |
Parent Directory
| 
Revision Log