Debian has issued an advisory on August 5:
https://www.debian.org/security/2018/dsa-4265

Mageia 5 and Mageia 6 are also affected.
Whiteboard: (none) => MGA6TOO
Assigning to the registered maintainer.
CC: (none) => marja11
Assignee: bugsquad => mageia
I have uploaded a patched package for Mageia 6 (cauldron was fixed by new version from guillomovitch). I have no idea how to test the patch...

Suggested advisory:
========================

Updated xml-security-c packages fix security vulnerability:

It was discovered that the Apache XML Security for C++ library performed insufficient validation of KeyInfo hints, which could result in denial of service via NULL pointer dereferences when processing malformed XML data.

https://issues.apache.org/jira/projects/SANTUARIO/issues/SANTUARIO-491
========================

Updated packages in core/updates_testing:
========================
xml-security-c-1.7.3-2.1.mga6

Source RPM:
xml-security-c-1.7.3-2.1.mga6.src.rpm
Whiteboard: MGA6TOO => (none)
Version: Cauldron => 6
Assignee: mageia => qa-bugs
Mageia 6, x86_64

No idea about testing the patch either. Nothing upstream.

Installed qdigidoc and ran strace on the gui via qdigidocclient.

$ strace -o trace.qdig qdigidocclient

This presented the DigiDoc3 interface where documents can be signed or opened. There is a third option which looks like an opportunity to encrypt the signage: "Open DigiDoc3 Crypto"

Pressed "Open signed document" which led to a file manager. Retreated - just giving the application something to do. The language options work. Closed down and checked the trace file.

$ grep xml-security trace.qdig
open("/lib64/libxml-security-c.so.17", O_RDONLY|O_CLOEXEC) = 3
open("/usr/lib64/libxml-security-c.so.17.0.3", O_RDONLY) = 3
open("/usr/lib64/libxml-security-c.so.17.0.3", O_RDONLY) = 24

Updated xml-security-c and tinkered with qdigidocclient. Picked a PDF document rather than XML and the DigiDoc stated that PDF signing would be forwarded to the Estonian authority and a form was presented for the user to enter details. Backed out at that point.

Just have to assume that it is all working. No crashes or errors reported.
Whiteboard: (none) => MGA6-64-OK
CC: (none) => tarazed25
Sounds like the best we can do. Validating...
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
CC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0381.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED