Bug 11664

Summary: xml-security new security issue CVE-2013-2172
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: davidwhodgins, dmorganec, sysadmin-bugs, tmb
Version: 3Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/573683/
Whiteboard: advisory MGA3-64-OK MGA3-32-OK
Source RPM: xml-security-1.5.3-3.mga3.src.rpm CVE:
Status comment:

Description David Walser 2013-11-13 20:45:58 CET 
Ubuntu has issued an advisory on November 12:
http://www.ubuntu.com/usn/usn-2028-1/

The issue is fixed upstream in 1.4.8 and 1.5.5.  Ubuntu has a link to the upstream patch to fix this:
http://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-2172.html

The package is called xml-security-j in Mageia 2.

Reproducible: 

Steps to Reproduce:
David Walser 2013-11-13 20:46:04 CET

Whiteboard: (none) => MGA3TOO, MGA2TOO

David Walser 2013-11-21 23:05:17 CET

Blocks: (none) => 11726

Comment 1 David Walser 2013-11-22 16:04:49 CET 
Removing Mageia 2 from the whiteboard due to EOL.

http://blog.mageia.org/en/2013/11/21/farewell-mageia-2/

Whiteboard: MGA3TOO, MGA2TOO => MGA3TOO

Comment 2 D Morgan 2014-01-03 15:22:30 CET 
pushed on 3 and cauldron
Comment 3 David Walser 2014-01-03 15:32:14 CET 
Thanks D Morgan!

Note to QA: testing that these install successfully should be sufficient.

Advisory:
========================

Updated xml-security packages fix security vulnerability:

James Forshaw discovered that Apache XML Security for Java incorrectly
validated CanonicalizationMethod parameters. An attacker could use this
flaw to spoof XML signatures (CVE-2013-2172).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2172
http://www.ubuntu.com/usn/usn-2028-1/
========================

Updated packages in core/updates_testing:
========================
xml-security-1.5.5-1.mga3
xml-security-javadoc-1.5.5-1.mga3
xml-security-demo-1.5.5-1.mga3

from xml-security-1.5.5-1.mga3.src.rpm

CC: (none) => dmorganec
Version: Cauldron => 3
Blocks: 11726 => (none)
Assignee: dmorganec => qa-bugs
Whiteboard: MGA3TOO => (none)

Comment 4 Dave Hodgins 2014-01-05 21:30:11 CET 
As per comment 3, just testing that the packages install cleanly.

Testing complete on Mageia 3 i586 and x86_64. Advisory uploaded to svn.

Someone from the sysadmin team please push 11664.adv to updates.

Keywords: (none) => validated_update
Whiteboard: (none) => advisory MGA3-64-OK MGA3-32-OK
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 5 Thomas Backlund 2014-01-06 02:34:57 CET 
Update pushed:
http://advisories.mageia.org/MGASA-2014-0002.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED