CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:N/I:P/A:N
EPSS
Percentile
99.9%
CentOS Errata and Security Advisory CESA-2009:1428
The XML Security Library is a C library based on libxml2 and OpenSSL. It
implements the XML Signature Syntax and Processing and XML Encryption
Syntax and Processing standards. HMAC is used for message authentication
using cryptographic hash functions. The HMAC algorithm allows the hash
output to be truncated (as documented in RFC 2104).
A missing check for the recommended minimum length of the truncated form of
HMAC-based XML signatures was found in xmlsec1. An attacker could use this
flaw to create a specially-crafted XML file that forges an XML signature,
allowing the attacker to bypass authentication that is based on the XML
Signature specification. (CVE-2009-0217)
Users of xmlsec1 should upgrade to these updated packages, which contain
a backported patch to correct this issue. After installing the updated
packages, applications that use the XML Security Library must be restarted
for the update to take effect.
Merged security bulletin from advisories:
https://lists.centos.org/pipermail/centos-announce/2009-October/078452.html
https://lists.centos.org/pipermail/centos-announce/2009-October/078453.html
https://lists.centos.org/pipermail/centos-announce/2009-September/078291.html
https://lists.centos.org/pipermail/centos-announce/2009-September/078292.html
https://lists.centos.org/pipermail/centos-announce/2009-September/078323.html
https://lists.centos.org/pipermail/centos-announce/2009-September/078324.html
Affected packages:
xmlsec1
xmlsec1-devel
xmlsec1-gnutls
xmlsec1-gnutls-devel
xmlsec1-nss
xmlsec1-nss-devel
xmlsec1-openssl
xmlsec1-openssl-devel
Upstream details at:
https://access.redhat.com/errata/RHSA-2009:1428
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
CentOS | 4 | i386 | xmlsec1 | < 1.2.6-3.1 | xmlsec1-1.2.6-3.1.i386.rpm |
CentOS | 4 | i386 | xmlsec1-devel | < 1.2.6-3.1 | xmlsec1-devel-1.2.6-3.1.i386.rpm |
CentOS | 4 | i386 | xmlsec1-openssl | < 1.2.6-3.1 | xmlsec1-openssl-1.2.6-3.1.i386.rpm |
CentOS | 4 | i386 | xmlsec1-openssl-devel | < 1.2.6-3.1 | xmlsec1-openssl-devel-1.2.6-3.1.i386.rpm |
CentOS | 4 | i386 | xmlsec1 | < 1.2.6-3.1 | xmlsec1-1.2.6-3.1.i386.rpm |
CentOS | 4 | i386 | xmlsec1-devel | < 1.2.6-3.1 | xmlsec1-devel-1.2.6-3.1.i386.rpm |
CentOS | 4 | i386 | xmlsec1-openssl | < 1.2.6-3.1 | xmlsec1-openssl-1.2.6-3.1.i386.rpm |
CentOS | 4 | i386 | xmlsec1-openssl-devel | < 1.2.6-3.1 | xmlsec1-openssl-devel-1.2.6-3.1.i386.rpm |
CentOS | 4 | i386 | xmlsec1 | < 1.2.6-3.1 | xmlsec1-1.2.6-3.1.i386.rpm |
CentOS | 4 | x86_64 | xmlsec1 | < 1.2.6-3.1 | xmlsec1-1.2.6-3.1.x86_64.rpm |