Rapid7 Vulnerability & Exploit Database

RHSA-2011:0486: xmlsec1 security and bug fix update

Severity: 5
CVSS: (AV:N/AC:H/Au:N/C:P/I:P/A:P)
Published: 04/04/2011
Created: 07/25/2018
Added: 05/19/2011
Modified: 07/04/2017

Description

The XML Security Library is a C library based on libxml2 and OpenSSL that implements the XML Digital Signature and XML Encryption standards.

A flaw was found in the way xmlsec1 handled XML files that contain an XSLT transformation specification. A specially-crafted XML file could cause xmlsec1 to create or overwrite an arbitrary file while performing the verification of a file's digital signature. (CVE-2011-1425)

Red Hat would like to thank Nicolas Grégoire and Aleksey Sanin for reporting this issue.

This update also fixes the following bug:

Users of xmlsec1 should upgrade to these updated packages, which contain backported patches to correct these issues. After installing the update, all running applications that use the xmlsec1 library must be restarted for the update to take effect.

Solution(s)

  • redhat-upgrade-xmlsec1
  • redhat-upgrade-xmlsec1-devel
  • redhat-upgrade-xmlsec1-gnutls
  • redhat-upgrade-xmlsec1-gnutls-devel
  • redhat-upgrade-xmlsec1-nss
  • redhat-upgrade-xmlsec1-nss-devel
  • redhat-upgrade-xmlsec1-openssl
  • redhat-upgrade-xmlsec1-openssl-devel
