exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Mandriva Linux Security Advisory 2009-318

Mandriva Linux Security Advisory 2009-318
Posted Dec 7, 2009
Authored by Mandriva | Site mandriva.com

Mandriva Linux Security Advisory 2009-318 - Multiple security vulnerabilities has been identified and fixed A missing check for the recommended minimum length of the truncated form of HMAC-based XML signatures was found in xmlsec1 prior to 1.2.12. An attacker could use this flaw to create a specially-crafted XML file that forges an XML signature, allowing the attacker to bypass authentication that is based on the XML Signature specification. All versions of libtool prior to 2.2.6b suffers from a local privilege escalation vulnerability that could be exploited under certain conditions to load arbitrary code. Packages for 2008.0 are being provided due to extended support for Corporate products. This update fixes this vulnerability.

tags | advisory, arbitrary, local, vulnerability
systems | linux, mandriva
advisories | CVE-2009-0217, CVE-2009-3736
SHA-256 | 57180189922a60fc6fb2be31e076999decbc3545b198b5eaa2ef09248026f28a

Mandriva Linux Security Advisory 2009-318

Change Mirror Download

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2009:318
https://www.mandriva.com/security/
_______________________________________________________________________

Package : xmlsec1
Date : December 5, 2009
Affected: 2008.0
_______________________________________________________________________

Problem Description:

Multiple security vulnerabilities has been identified and fixed
in xmlsec1:

A missing check for the recommended minimum length of the truncated
form of HMAC-based XML signatures was found in xmlsec1 prior to
1.2.12. An attacker could use this flaw to create a specially-crafted
XML file that forges an XML signature, allowing the attacker to
bypass authentication that is based on the XML Signature specification
(CVE-2009-0217).

All versions of libtool prior to 2.2.6b suffers from a local
privilege escalation vulnerability that could be exploited under
certain conditions to load arbitrary code (CVE-2009-3736).

Packages for 2008.0 are being provided due to extended support for
Corporate products.

This update fixes this vulnerability.
_______________________________________________________________________

References:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0217
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3736
https://www.kb.cert.org/vuls/id/466161
_______________________________________________________________________

Updated Packages:

Mandriva Linux 2008.0:
b74d614ed793451440ea18c7aab434ee 2008.0/i586/libxmlsec1-1-1.2.10-5.1mdv2008.0.i586.rpm
34cc1274710d3c2013ff4c1222d0349d 2008.0/i586/libxmlsec1-devel-1.2.10-5.1mdv2008.0.i586.rpm
88b378d43d3ba44bad7d47c1eb5d6c5c 2008.0/i586/libxmlsec1-gnutls1-1.2.10-5.1mdv2008.0.i586.rpm
7c7e766ab3886c57d1519b83b4b06af8 2008.0/i586/libxmlsec1-gnutls-devel-1.2.10-5.1mdv2008.0.i586.rpm
712c732bc8ff6050fdc6dd108623e63a 2008.0/i586/libxmlsec1-nss1-1.2.10-5.1mdv2008.0.i586.rpm
bed9636e852f4c90cd9a5891fb9395ea 2008.0/i586/libxmlsec1-nss-devel-1.2.10-5.1mdv2008.0.i586.rpm
3e6940d49ffc024240b7116250d1f770 2008.0/i586/libxmlsec1-openssl1-1.2.10-5.1mdv2008.0.i586.rpm
cb8d177f72966ff06a9a1e08f8c48dbe 2008.0/i586/libxmlsec1-openssl-devel-1.2.10-5.1mdv2008.0.i586.rpm
38ae0ed435d6e5133530d5af4a33883a 2008.0/i586/xmlsec1-1.2.10-5.1mdv2008.0.i586.rpm
bf47e5312113b150bdcce2634254b555 2008.0/SRPMS/xmlsec1-1.2.10-5.1mdv2008.0.src.rpm

Mandriva Linux 2008.0/X86_64:
2f16be60c636cc6d286258b7d331f52b 2008.0/x86_64/lib64xmlsec1-1-1.2.10-5.1mdv2008.0.x86_64.rpm
dcbfa0192a2a1ed72d9b4f7fc4c31c7f 2008.0/x86_64/lib64xmlsec1-devel-1.2.10-5.1mdv2008.0.x86_64.rpm
b7d5a923126d4ab43b9c9868aed26803 2008.0/x86_64/lib64xmlsec1-gnutls1-1.2.10-5.1mdv2008.0.x86_64.rpm
041a56825a59f497dce1085bc0fcf717 2008.0/x86_64/lib64xmlsec1-gnutls-devel-1.2.10-5.1mdv2008.0.x86_64.rpm
5f70fda9524faee1b86e14e7b092e426 2008.0/x86_64/lib64xmlsec1-nss1-1.2.10-5.1mdv2008.0.x86_64.rpm
63c4b923f7cf4bb46e06d966a880ef6c 2008.0/x86_64/lib64xmlsec1-nss-devel-1.2.10-5.1mdv2008.0.x86_64.rpm
62174f73e2d333da65befa79cd85c1ad 2008.0/x86_64/lib64xmlsec1-openssl1-1.2.10-5.1mdv2008.0.x86_64.rpm
6439cacc0520e43b8280758a4a91b042 2008.0/x86_64/lib64xmlsec1-openssl-devel-1.2.10-5.1mdv2008.0.x86_64.rpm
e4db63bda5a32757a17be8d4dcd31639 2008.0/x86_64/xmlsec1-1.2.10-5.1mdv2008.0.x86_64.rpm
bf47e5312113b150bdcce2634254b555 2008.0/SRPMS/xmlsec1-1.2.10-5.1mdv2008.0.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

https://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFLGm8VmqjQ0CJFipgRAoJbAJ42kcAyU+o1vyhTG3qRCkeqdZrZVwCghcOr
q34YlWPMSVOFL9sx5T0/mA4=
=WFZU
-----END PGP SIGNATURE-----
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close