* SECURITY UPDATE: (LP: #1192874).
- Apply upstream patch to fix a spoofing vulnerability that allows an
attacker to reuse existing signatures with arbitrary content.
(CVE-2013-2153)
- Apply upstream patch to fix a stack overflow in the processing of
malformed XPointer expressions in the XML Signature Reference
processing code. (CVE-2013-2154)
- Apply upstream patch to fix processing of the output length of an
HMAC-based XML Signature that could cause a denial of service when
processing specially chosen input. (CVE-2013-2155)
- Apply upstream patch to fix a heap overflow in the processing of the
PrefixList attribute optionally used in conjunction with Exclusive
Canonicalization, potentially allowing arbitrary code execution.
(CVE-2013-2156)
* SECURITY UPDATE: The attempted fix to address CVE-2013-2154 introduced
the possibility of a heap overflow, possibly leading to arbitrary code
execution, in the processing of malformed XPointer expressions in the
XML Signature Reference processing code (LP: #1199969).
- Apply upstream patch to fix that heap overflow. (CVE-2013-2210)
-- Christian Biamont <email address hidden> Wed, 25 Sep 2013 10:27:27 +0200
This bug was fixed in the package xml-security-c - 1.6.1-1ubuntu0.1
---------------
xml-security-c (1.6.1-1ubuntu0.1) precise-security; urgency=low
* SECURITY UPDATE: (LP: #1192874). CVE-2013- 2153) ization, potentially allowing arbitrary code execution. CVE-2013- 2156)
- Apply upstream patch to fix a spoofing vulnerability that allows an
attacker to reuse existing signatures with arbitrary content.
(
- Apply upstream patch to fix a stack overflow in the processing of
malformed XPointer expressions in the XML Signature Reference
processing code. (CVE-2013-2154)
- Apply upstream patch to fix processing of the output length of an
HMAC-based XML Signature that could cause a denial of service when
processing specially chosen input. (CVE-2013-2155)
- Apply upstream patch to fix a heap overflow in the processing of the
PrefixList attribute optionally used in conjunction with Exclusive
Canonical
(
* SECURITY UPDATE: The attempted fix to address CVE-2013-2154 introduced
the possibility of a heap overflow, possibly leading to arbitrary code
execution, in the processing of malformed XPointer expressions in the
XML Signature Reference processing code (LP: #1199969).
- Apply upstream patch to fix that heap overflow. (CVE-2013-2210)
-- Christian Biamont <email address hidden> Wed, 25 Sep 2013 10:27:27 +0200