Advisories » MGASA-2020-0104

Updated xmlsec1 packages fix security vulnerability

Publication date: 26 Feb 2020
Modification date: 26 Feb 2020
Type: security
Affected Mageia releases : 7
CVE: CVE-2017-1000061

Description

Updated xmlsec1 packages fix security vulnerability:

It was discovered xmlsec1's use of libxml2 inadvertently enabled external
entity expansion (XXE) along with validation. An attacker could craft an
XML file that would cause xmlsec1 to try and read local files or HTTP/FTP
URLs, leading to information disclosure or denial of service
(CVE-2017-1000061).
                

References

• https://bugs.mageia.org/show_bug.cgi?id=26174
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/3PWHBRWXR3RNPHDSTQI6UWDG5ETOQ7VR/
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000061

SRPMS

7/core

• xmlsec1-1.2.29-1.mga7