Bug 511915 (CVE-2009-0217)
Field | Value
---|---
Summary | CVE-2009-0217 xmlsec1, mono, xml-security-c, xml-security-1.3.0-1jpp.ep1.*: XMLDsig HMAC-based signatures spoofing and authentication bypass
Product | [Other] Security Response
Reporter | Jan Lieskovsky <jlieskov>
Component | vulnerability
Assignee | Red Hat Product Security <security-response-team>
Status | CLOSED ERRATA
QA Contact |
Severity | medium
Docs Contact |
Priority | medium
Version | unspecified
CC | alexl, antti.andreimann, aph, cperry, dbhole, fnasser, kreilly, mjc, mschoene, mvadkert, osoukup, paul, rcvalle, rruss, vdanen, veillard
Target Milestone | ---
Keywords | Security
Target Release | ---
Hardware | All
OS | Linux
URL | http://www.kb.cert.org/vuls/id/466161
Whiteboard |
Fixed In Version |
Doc Type | Bug Fix
Doc Text |
Story Points | ---
Clone Of |
Environment |
Last Closed | 2013-04-03 19:49:40 UTC
Type | ---
Regression | ---
Mount Type | ---
Documentation | ---
CRM |
Verified Versions |
Category | ---
oVirt Team | ---
RHEL 7.3 requirements from Atomic Host |
Cloudforms Team | ---
Target Upstream Version |
Embargoed |
Bug Depends On | 513078, 513443, 513444, 515682, 515683, 516722, 516723, 516724, 516725, 521225, 521226, 549685, 549686, 554295, 694167, 833995
Bug Blocks | 715020
Attachments |
Description
Jan Lieskovsky
2009-07-15 16:33:48 UTC
Patch and reproducer for Apache XML Security (Java): http://svn.apache.org/viewvc?view=rev&revision=794013

The xml-security project has released version 1.5.1 of its C library. I have updated the xml-security-c package in rawhide. If the koji build is successful on all platforms I'll upgrade it on older branches as well.

xml-security-c-1.5.1-1.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.

xml-security-c-1.5.1-1.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.

xml-security-c-1.5.1-1.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.

Created attachment 355945 [details]
Patch from Debian's 1.2.1-3+etch1 release (DSA-1849-1)

Created attachment 355946 [details]
Patch from Debian's 1.4.0-3+lenny2 release (DSA-1849-1)

This issue has been addressed in following products:

  Extras for RHEL 4
  Extras for Red Hat Enterprise Linux 5

Via RHSA-2009:1200 https://rhn.redhat.com/errata/RHSA-2009-1200.html

This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2009:1201 https://rhn.redhat.com/errata/RHSA-2009-1201.html

java-1.6.0-openjdk-1.6.0.0-27.b16.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.

java-1.6.0-openjdk-1.6.0.0-20.b16.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.

Upstream xmlsec1 commit by Aleksey Sanin:
http://git.gnome.org/cgit/xmlsec/commit/?id=34b349675af9f72eb822837a8772cc1ead7115c7

And relevant patch:
http://git.gnome.org/cgit/xmlsec/patch/?id=34b349675af9f72eb822837a8772cc1ead7115c7

Hello Paul,

I can see the rawhide Mono update:
http://koji.fedoraproject.org/koji/buildinfo?buildID=114947

fixing CVE-2009-0217, but no relevant F10, F11, EPEL Mono updates addressing this issue. Could you schedule them, either apply the fix or upgrade to the latest Mono upstream version, also for F10, F11 and EPEL-5?

Thanks, Jan.

--
Jan iankko Lieskovsky / Red Hat Security Response Team

xmlsec1-1.2.12-1.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/xmlsec1-1.2.12-1.fc11

xmlsec1-1.2.12-1.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/xmlsec1-1.2.12-1.fc10

xmlsec1-1.2.12-1.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.

xmlsec1-1.2.12-1.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.

This issue has been addressed in following products:

  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 5

Via RHSA-2009:1428 https://rhn.redhat.com/errata/RHSA-2009-1428.html

This issue has been addressed in following products:

  JBEAP 4.3.0 for RHEL 4

Via RHSA-2009:1636 https://rhn.redhat.com/errata/RHSA-2009-1636.html

This issue has been addressed in following products:

  JBEAP 4.2.0 for RHEL 4

Via RHSA-2009:1637 https://rhn.redhat.com/errata/RHSA-2009-1637.html

This issue has been addressed in following products:

  JBEAP 4.3.0 for RHEL 5

Via RHSA-2009:1649 https://rhn.redhat.com/errata/RHSA-2009-1649.html

This issue has been addressed in following products:

  JBEAP 4.2.0 for RHEL 5

Via RHSA-2009:1650 https://rhn.redhat.com/errata/RHSA-2009-1650.html

This issue has been addressed in following products:

  Extras for RHEL 4
  Extras for Red Hat Enterprise Linux 5

Via RHSA-2009:1694 https://rhn.redhat.com/errata/RHSA-2009-1694.html

This issue has been addressed in following products:

  Red Hat Network Satellite Server v 5.3

Via RHSA-2010:0043 https://rhn.redhat.com/errata/RHSA-2010-0043.html

Created xml-security-c tracking bugs for this issue

Affects: fedora-rawhide [bug 513078]

Created mono tracking bugs for this issue

Affects: epel-5 [bug 694167]

*** Bug 715014 has been marked as a duplicate of this bug. ***

*** Bug 715020 has been marked as a duplicate of this bug. ***