Ubuntu has issued an advisory on November 12:
The issue is fixed upstream in 1.4.8 and 1.5.5. Ubuntu has a link to the upstream patch to fix this:
The package is called xml-security-j in Mageia 2.
Removing Mageia 2 from the whiteboard due to EOL.
pushed on 3 and cauldron
Thanks D Morgan!
Note to QA: testing that these install successfully should be sufficient.
Updated xml-security packages fix security vulnerability:
James Forshaw discovered that Apache XML Security for Java incorrectly
validated CanonicalizationMethod parameters. An attacker could use this
flaw to spoof XML signatures (CVE-2013-2172).
Updated packages in core/updates_testing:
As per comment 3, just testing that the packages install cleanly.
Testing complete on Mageia 3 i586 and x86_64. Advisory uploaded to svn.
Someone from the sysadmin team please push 11664.adv to updates.