Ubuntu has issued an advisory on November 12:
http://www.ubuntu.com/usn/usn-2028-1/

The issue is fixed upstream in 1.4.8 and 1.5.5. Ubuntu has a link to the upstream patch to fix this:
http://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-2172.html

The package is called xml-security-j in Mageia 2.
Whiteboard: (none) => MGA3TOO, MGA2TOO
Blocks: (none) => 11726
Removing Mageia 2 from the whiteboard due to EOL. http://blog.mageia.org/en/2013/11/21/farewell-mageia-2/
Whiteboard: MGA3TOO, MGA2TOO => MGA3TOO
pushed on 3 and cauldron
Thanks D Morgan! Note to QA: testing that these install successfully should be sufficient.

Advisory:
========================

Updated xml-security packages fix security vulnerability:

James Forshaw discovered that Apache XML Security for Java incorrectly validated CanonicalizationMethod parameters. An attacker could use this flaw to spoof XML signatures (CVE-2013-2172).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2172
http://www.ubuntu.com/usn/usn-2028-1/
========================

Updated packages in core/updates_testing:
========================
xml-security-1.5.5-1.mga3
xml-security-javadoc-1.5.5-1.mga3
xml-security-demo-1.5.5-1.mga3

from xml-security-1.5.5-1.mga3.src.rpm
CC: (none) => dmorganec
Version: Cauldron => 3
Blocks: 11726 => (none)
Assignee: dmorganec => qa-bugs
Whiteboard: MGA3TOO => (none)
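A branch-aware check of an installed package version against the fixed versions named in this thread (1.4.8 for the 1.4 branch, 1.5.5 for the 1.5 branch), as an added example that is not part of this bug report or of Mageia's QA tooling. The function names and the sample version strings are assumed for illustration; the branch rule for releases outside 1.4.x and 1.5.x (older is unfixed, newer postdates the fix) is an assumption drawn from the upstream version numbers the thread cites.

```python
"""Branch-aware check of an RPM package version against the fixed upstream
versions for CVE-2013-2172 (fixed in 1.4.8 and 1.5.5, per the thread).

Added example, not code from the bug report or from Mageia. Function names
and sample version strings are constructed for illustration.
"""
import re

# Per-branch fixed versions as stated in the thread: 1.4.x is fixed from
# 1.4.8, 1.5.x from 1.5.5.
FIXED = {(1, 4): (1, 4, 8), (1, 5): (1, 5, 5)}


def parse_version(evr: str):
    """Extract the upstream version from an RPM [epoch:]version-release
    string such as '1.5.5-1.mga3' or '0:1.4.7-3.mga2' as an integer tuple.

    Epoch and release are dropped because the fix is an upstream version
    bump. Comparing integer tuples avoids the string-compare trap where
    '1.4.10' sorts below '1.4.8'.
    """
    evr = evr.split(":", 1)[-1]        # drop epoch, if present
    version = evr.split("-", 1)[0]     # drop release
    parts = re.findall(r"\d+", version)
    if len(parts) < 2:
        raise ValueError(f"unparseable version: {evr!r}")
    return tuple(int(p) for p in parts)


def is_fixed(evr: str) -> bool:
    """True if the given package version carries the CVE-2013-2172 fix."""
    v = parse_version(evr)
    branch = v[:2]
    if branch in FIXED:
        return v >= FIXED[branch]
    # Assumption: branches older than 1.4 never received the fix, and
    # branches newer than 1.5 were released after it.
    return branch > (1, 5)


def check_installed(package_versions):
    """Given {package_name: version-release}, e.g. collected from
    `rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\\n' <pkg>`, return the
    names that are still at a vulnerable version, sorted."""
    return sorted(name for name, evr in package_versions.items()
                  if not is_fixed(evr))


if __name__ == "__main__":
    # Constructed sample input, not real rpm output.
    sample = {
        "xml-security": "1.5.5-1.mga3",     # the update under test
        "xml-security-j": "1.4.7-2.mga2",   # hypothetical unfixed 1.4.x build
    }
    print(check_installed(sample))
```

The check is deliberately per branch: a plain "version >= 1.5.5" test would flag a fixed 1.4.8 build as vulnerable, and a string comparison would misorder 1.4.10 against 1.4.8.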
As per comment 3, just testing that the packages install cleanly. Testing complete on Mageia 3 i586 and x86_64. Advisory uploaded to svn. Someone from the sysadmin team please push 11664.adv to updates.
Keywords: (none) => validated_update
Whiteboard: (none) => advisory MGA3-64-OK MGA3-32-OK
CC: (none) => davidwhodgins, sysadmin-bugs
Update pushed: http://advisories.mageia.org/MGASA-2014-0002.html
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED