Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2014.2082
libxml-security-java security update
7 November 2014
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: libxml-security-java
Publisher: Debian
Operating System: Debian GNU/Linux 7
UNIX variants (UNIX, Linux, OSX)
Impact/Access: Provide Misleading Information -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2013-2172
Reference: ASB-2014.0077
ESB-2014.1806
ASB-2013.0113
ESB-2013.1238
ESB-2013.1218
Original Bulletin:
http://www.debian.org/security/2014/dsa-3065
Comment: This advisory references vulnerabilities in products which run on
platforms other than Debian. It is recommended that administrators
running libxml-security-java check for an updated version of the
software for their operating system.
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
- - -------------------------------------------------------------------------
Debian Security Advisory DSA-3065-1 security@debian.org
http://www.debian.org/security/ Sebastien Delafond
November 06, 2014 http://www.debian.org/security/faq
- - -------------------------------------------------------------------------
Package : libxml-security-java
CVE ID : CVE-2013-2172
Debian Bug : 720375
James Forshaw discovered that, in Apache Santuario XML Security for
Java, CanonicalizationMethod parameters were incorrectly validated:
by specifying an arbitrary weak canonicalization algorithm, an
attacker could spoof XML signatures.
For the stable distribution (wheezy), this problem has been fixed in
version 1.4.5-1+deb7u1.
For the testing distribution (jessie), this problem has been fixed in
version 1.5.5-2.
For the unstable distribution (sid), this problem has been fixed in
version 1.5.5-2.
We recommend that you upgrade your libxml-security-java packages.
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAEBCgAGBQJUWzQGAAoJEAVMuPMTQ89Ec7QP/2SKxUIAhRFzJklrdoT1XV0N
XX7XfHIinIFdTo6TTcPFWRGlByo35NL/c14gBrUgJOIWsvyPdxZVF3vJQVBvHXes
88jFJQnZyaloM1KSLG3PqrG/TUoyMQmLf7fyBiNyHR2WyBzLQXvWTSMt7TObxZSq
qTf5D5U1etEP4V1vbmlm5IZmmwb21aOmpD5tVEu9Yt2JFLe22Q4HuX6GF8vD7yU8
6MLqaDjc6lQEIMliIvHl3dH1QoahRht7jkMfQxr9n2UxPtsqaWOxmqKtQjeMs6YB
pHItKQcfqcVYTc1Xz8iUzBFkP20rTNeucmxzdxy0XUBFU6HluHwfoiGsb3BYJzWA
7DVT9V5jY7dHqd6n4olNYUf0JLrHinuTCyqhkdcEO0TWf4elDKLWfAdDkqC74Erl
VXaVMYm7wITP4xn92DNYACYOvEWg6xo7NSODQcuV+bemXpi8Bs/b0MrQWSPxH/KN
dIsqTSvaR8nZ+bEevWwIJ+fDa+Zq8p/G7ey/zAulyqSn9XIRQNHBZgj8mh3yuvbb
AIv/prJLyofQXrNdyOjbNpVz+E+kwglqK3bbPCCxPZ/iY0YJLdfbSF5HDxT5sobF
9BGsEmhVhZ2XYHjPTvKd2Oexzk/wFPGmseD1UWDHmh9ZNkpdkGgw8IdXSFIrOqxA
hZ1TIIrTPs4FwLl3b18M
=TYcp
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBVFwGlBLndAQH1ShLAQL90RAAldH2cNf3Uc49+eLRjJvB4nbABOjbmKgs
MvEXCSKYdzM/0tUfu7/6rssttY4xIHUdJhmfGS77lmDlmQa4TFB3jChGHTGWt4tM
9J5KSBUnPzGr7g+ocJ5PhWlFeR5YK+VqJuzKCXbU5tVJMENeoDZqFfRtA90l+U/A
ccFZkBszfcwCiUmVQSuXiuUigNfvP0GyVOrxZsEOa35RbR+stSn7a12XCGeBxjO0
zbQOh8HCYb2mQha2KoHfbjrfbtqWJ/+PZ9ls0QTbs/K30frpJhHNS0wybM3CcFqB
Ysz/9rUwa18cokKjsRRSWyfT/fgBTdX4Hc/U8IeVTqg5MzV5z42fWTSMGC1ah5hE
b1lT35OxdrS3/YDFerMaNiifGXqoEzljwSaFGAFXQgtci5kP4PgIXT4JETl7vDMn
RRq9eizuUd0bBbJYoosutLsygMtjAQ3Lj/h6EBhrtii1PtKtskO/tnru3ppuRRJJ
QQwQlulq7IQ0SiQ7gM7fiyjdLAeeKEGsp8sXmavN0ul/h7Povf0H2jEStkR6gFhW
jo8ECUfgcr8akNeI+PC5TJjyN99CYx2ZoQ6HfcZdU5eMoCEu8Pv/w+1ZPmDjvMcx
6r5+MuJ5XgQyv7UlhCnmT/rpUSMj5K8RGf7nPVnu6xoMn2ldZwWED5dDqkG4+r24
yvZ2Fy/EG5s=
=nZ8z
-----END PGP SIGNATURE-----