Date:         Wed, 9 Sep 2009 14:48:22 -0500
Reply-To:     Troy Dawson 
Sender:       Security Errata for Scientific Linux
              
From:         Troy Dawson 
Subject:      Security ERRATA Moderate: xmlsec1 on SL4.x, SL5.x i386/x86_64
Comments: To: "scientific-linux-errata@fnal.gov"
          

Synopsis:	Moderate: xmlsec1 security update
Issue date:	2009-09-08
CVE Names:	CVE-2009-0217

CVE-2009-0217 xmlsec1, mono, xml-security-c, 
xml-security-1.3.0-1jpp.ep1.*: XMLDsig HMAC-based signatures spoofing 
and authentication bypass

A missing check for the recommended minimum length of the truncated form 
of HMAC-based XML signatures was found in xmlsec1. An attacker could use 
this flaw to create a specially-crafted XML file that forges an XML 
signature, allowing the attacker to bypass authentication that is based 
on the XML Signature specification. (CVE-2009-0217)

After installing the updated packages, applications that use the XML 
Security Library must be restarted for the update to take effect.

SL 4.x

      SRPMS:
xmlsec1-1.2.6-3.1.src.rpm
      i386:
xmlsec1-1.2.6-3.1.i386.rpm
xmlsec1-devel-1.2.6-3.1.i386.rpm
xmlsec1-openssl-1.2.6-3.1.i386.rpm
xmlsec1-openssl-devel-1.2.6-3.1.i386.rpm
      x86_64:
xmlsec1-1.2.6-3.1.i386.rpm
xmlsec1-1.2.6-3.1.x86_64.rpm
xmlsec1-devel-1.2.6-3.1.x86_64.rpm
xmlsec1-openssl-1.2.6-3.1.i386.rpm
xmlsec1-openssl-1.2.6-3.1.x86_64.rpm
xmlsec1-openssl-devel-1.2.6-3.1.x86_64.rpm

SL 5.x

      SRPMS:
xmlsec1-1.2.9-8.1.1.src.rpm
      i386:
xmlsec1-1.2.9-8.1.1.i386.rpm
xmlsec1-devel-1.2.9-8.1.1.i386.rpm
xmlsec1-gnutls-1.2.9-8.1.1.i386.rpm
xmlsec1-gnutls-devel-1.2.9-8.1.1.i386.rpm
xmlsec1-nss-1.2.9-8.1.1.i386.rpm
xmlsec1-nss-devel-1.2.9-8.1.1.i386.rpm
xmlsec1-openssl-1.2.9-8.1.1.i386.rpm
xmlsec1-openssl-devel-1.2.9-8.1.1.i386.rpm
      x86_64:
xmlsec1-1.2.9-8.1.1.i386.rpm
xmlsec1-1.2.9-8.1.1.x86_64.rpm
xmlsec1-devel-1.2.9-8.1.1.i386.rpm
xmlsec1-devel-1.2.9-8.1.1.x86_64.rpm
xmlsec1-gnutls-1.2.9-8.1.1.i386.rpm
xmlsec1-gnutls-1.2.9-8.1.1.x86_64.rpm
xmlsec1-gnutls-devel-1.2.9-8.1.1.i386.rpm
xmlsec1-gnutls-devel-1.2.9-8.1.1.x86_64.rpm
xmlsec1-nss-1.2.9-8.1.1.i386.rpm
xmlsec1-nss-1.2.9-8.1.1.x86_64.rpm
xmlsec1-nss-devel-1.2.9-8.1.1.i386.rpm
xmlsec1-nss-devel-1.2.9-8.1.1.x86_64.rpm
xmlsec1-openssl-1.2.9-8.1.1.i386.rpm
xmlsec1-openssl-1.2.9-8.1.1.x86_64.rpm
xmlsec1-openssl-devel-1.2.9-8.1.1.i386.rpm
xmlsec1-openssl-devel-1.2.9-8.1.1.x86_64.rpm

-Connie Sieh
-Troy Dawson

SciLinux: CVE-2009-0217 Moderate: xmlsec1 SL4.x, SL5.x i386/x86_64

Moderate: xmlsec1 security update

Summary

Date:         Wed, 9 Sep 2009 14:48:22 -0500Reply-To:     Troy Dawson Sender:       Security Errata for Scientific Linux              From:         Troy Dawson Subject:      Security ERRATA Moderate: xmlsec1 on SL4.x, SL5.x i386/x86_64Comments: To: "scientific-linux-errata@fnal.gov"          Synopsis:	Moderate: xmlsec1 security updateIssue date:	2009-09-08CVE Names:	CVE-2009-0217CVE-2009-0217 xmlsec1, mono, xml-security-c, xml-security-1.3.0-1jpp.ep1.*: XMLDsig HMAC-based signatures spoofing and authentication bypassA missing check for the recommended minimum length of the truncated form of HMAC-based XML signatures was found in xmlsec1. An attacker could use this flaw to create a specially-crafted XML file that forges an XML signature, allowing the attacker to bypass authentication that is based on the XML Signature specification. (CVE-2009-0217)After installing the updated packages, applications that use the XML Security Library must be restarted for the update to take effect.SL 4.x      SRPMS:xmlsec1-1.2.6-3.1.src.rpm      i386:xmlsec1-1.2.6-3.1.i386.rpmxmlsec1-devel-1.2.6-3.1.i386.rpmxmlsec1-openssl-1.2.6-3.1.i386.rpmxmlsec1-openssl-devel-1.2.6-3.1.i386.rpm      x86_64:xmlsec1-1.2.6-3.1.i386.rpmxmlsec1-1.2.6-3.1.x86_64.rpmxmlsec1-devel-1.2.6-3.1.x86_64.rpmxmlsec1-openssl-1.2.6-3.1.i386.rpmxmlsec1-openssl-1.2.6-3.1.x86_64.rpmxmlsec1-openssl-devel-1.2.6-3.1.x86_64.rpmSL 5.x      SRPMS:xmlsec1-1.2.9-8.1.1.src.rpm      i386:xmlsec1-1.2.9-8.1.1.i386.rpmxmlsec1-devel-1.2.9-8.1.1.i386.rpmxmlsec1-gnutls-1.2.9-8.1.1.i386.rpmxmlsec1-gnutls-devel-1.2.9-8.1.1.i386.rpmxmlsec1-nss-1.2.9-8.1.1.i386.rpmxmlsec1-nss-devel-1.2.9-8.1.1.i386.rpmxmlsec1-openssl-1.2.9-8.1.1.i386.rpmxmlsec1-openssl-devel-1.2.9-8.1.1.i386.rpm      x86_64:xmlsec1-1.2.9-8.1.1.i386.rpmxmlsec1-1.2.9-8.1.1.x86_64.rpmxmlsec1-devel-1.2.9-8.1.1.i386.rpmxmlsec1-devel-1.2.9-8.1.1.x86_64.rpmxmlsec1-gnutls-1.2.9-8.1.1.i386.rpmxmlsec1-gnutls-1.2.9-8.1.1.x86_64.rpmxmlsec1-gnutls-devel-1.2.9-8.1.1.i386.rpmxmlsec1-gnutls-devel-1.2.9-8.1.1.x86_64.rpmxmlsec1-nss-1.2.9-8.1.1.i386.rpmxmlsec1-nss-1.2.9-8.1.1.x86_64.rpmxmlsec1-nss-devel-1.2.9-8.1.1.i386.rpmxmlsec1-nss-devel-1.2.9-8.1.1.x86_64.rpmxmlsec1-openssl-1.2.9-8.1.1.i386.rpmxmlsec1-openssl-1.2.9-8.1.1.x86_64.rpmxmlsec1-openssl-devel-1.2.9-8.1.1.i386.rpmxmlsec1-openssl-devel-1.2.9-8.1.1.x86_64.rpm-Connie Sieh-Troy Dawson



Security Fixes

Severity