Advisories » MGASA-2017-0305

Updated xmlsec1 packages fix security vulnerability

Publication date: 24 Aug 2017
Modification date: 24 Aug 2017
Type: security
Affected Mageia releases : 5 , 6
CVE: CVE-2017-1000061

Description

It was discovered xmlsec1's use of libxml2 inadvertently enabled
external entity expansion (XXE) along with validation. An attacker could
craft an XML file that would cause xmlsec1 to try and read local files
or HTTP/FTP URLs, leading to information disclosure or denial of service
(CVE-2017-1000061).
                

References

• https://bugs.mageia.org/show_bug.cgi?id=21586
• https://access.redhat.com/errata/RHSA-2017:2492
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000061

SRPMS

5/core

• xmlsec1-1.2.24-1.mga5

6/core

• xmlsec1-1.2.24-1.mga6