Bug 11664 - xml-security new security issue CVE-2013-2172
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 3
Hardware: i586 Linux
Priority: Normal Severity: major
Target Milestone: ---
Assigned To: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/573683/
Whiteboard: advisory MGA3-64-OK MGA3-32-OK
Keywords: validated_update

Reported: 2013-11-13 20:45 CET by David Walser
Modified: 2014-01-06 02:34 CET (History)
CC: 4 users

Source RPM: xml-security-1.5.3-3.mga3.src.rpm

Description David Walser 2013-11-13 20:45:58 CET
Ubuntu has issued an advisory on November 12:
http://www.ubuntu.com/usn/usn-2028-1/

The issue is fixed upstream in 1.4.8 and 1.5.5. Ubuntu has a link to the upstream patch to fix this:
http://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-2172.html

The package is called xml-security-j in Mageia 2.

Comment 1 David Walser 2013-11-22 16:04:49 CET
Removing Mageia 2 from the whiteboard due to EOL.

http://blog.mageia.org/en/2013/11/21/farewell-mageia-2/
Comment 2 D Morgan 2014-01-03 15:22:30 CET
pushed on 3 and cauldron
Comment 3 David Walser 2014-01-03 15:32:14 CET
Thanks D Morgan!

Note to QA: testing that these install successfully should be sufficient.

Advisory:
========================

Updated xml-security packages fix security vulnerability:

James Forshaw discovered that Apache XML Security for Java incorrectly
validated CanonicalizationMethod parameters. An attacker could use this
flaw to spoof XML signatures (CVE-2013-2172).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2172
http://www.ubuntu.com/usn/usn-2028-1/
========================

Updated packages in core/updates_testing:
========================
xml-security-1.5.5-1.mga3
xml-security-javadoc-1.5.5-1.mga3
xml-security-demo-1.5.5-1.mga3

from xml-security-1.5.5-1.mga3.src.rpm
Comment 4 Dave Hodgins 2014-01-05 21:30:11 CET
As per comment 3, just testing that the packages install cleanly.

Testing complete on Mageia 3 i586 and x86_64. Advisory uploaded to svn.

Someone from the sysadmin team please push 11664.adv to updates.
Comment 5 Thomas Backlund 2014-01-06 02:34:57 CET
Update pushed:
http://advisories.mageia.org/MGASA-2014-0002.html