===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.3230
                    libxml-security-java security update
                              28 September 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           libxml-security-java
Publisher:         Debian
Operating System:  Debian GNU/Linux
                   UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Access Confidential Data -- Unknown/Unspecified
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-40690

Original Bulletin:
   https://www.debian.org/lts/security/2021/dla-2767

Comment: This advisory references vulnerabilities in products which run on
         platforms other than Debian. It is recommended that administrators
         running libxml-security-java check for an updated version of the
         software for their operating system.

--------------------------BEGIN INCLUDED TEXT--------------------

-------------------------------------------------------------------------
Debian LTS Advisory DLA-2767-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                      Markus Koschany
September 27, 2021                            https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package        : libxml-security-java
Version        : 1.5.8-2+deb9u1
CVE ID         : CVE-2021-40690
Debian Bug     : 994569

Apache Santuario, XML Security for Java, is vulnerable to an issue where the
"secureValidation" property is not passed correctly when creating a KeyInfo
from a KeyInfoReference element. This allows an attacker to abuse an XPath
Transform to extract any local .xml files in a RetrievalMethod element.

For Debian 9 stretch, this problem has been fixed in version
1.5.8-2+deb9u1.

We recommend that you upgrade your libxml-security-java packages.
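The secureValidation setting the advisory refers to, shown in an added example (not code from the advisory, Debian or Apache Santuario itself) that verifies a signature through Santuario's XMLSignature API with the flag enabled and the verification key supplied out of band; the class name, the file path argument and the trustedKey parameter are assumptions, and it targets the 1.5.x API that the patched package provides.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.PublicKey;

import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;

import org.apache.xml.security.Init;
import org.apache.xml.security.signature.XMLSignature;
import org.apache.xml.security.utils.Constants;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/** Hypothetical helper: verifies one ds:Signature with Santuario's secure-validation mode on. */
public final class SecureSignatureCheck {

    static {
        Init.init(); // initialise Santuario (algorithms, resolvers) once
    }

    /** Returns true only if the single signature in signedXml verifies with trustedKey. */
    public static boolean verify(Path signedXml, PublicKey trustedKey) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        // Hardened parser: no DOCTYPE (so no entity expansion) and secure processing limits.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        Document doc;
        try (InputStream in = Files.newInputStream(signedXml)) {
            doc = dbf.newDocumentBuilder().parse(in);
        }

        NodeList sigs = doc.getElementsByTagNameNS(Constants.SignatureSpecNS, Constants._TAG_SIGNATURE);
        if (sigs.getLength() != 1) {
            return false; // exactly one ds:Signature is expected; anything else is rejected
        }

        // Empty base URI: only same-document references are meant to resolve.
        XMLSignature signature = new XMLSignature((Element) sigs.item(0), "");
        // secureValidation is the switch that rejects XPath transforms inside RetrievalMethod
        // (among other risky constructs); CVE-2021-40690 is about this flag being dropped when a
        // KeyInfo is built from a KeyInfoReference, which is why the package upgrade matters.
        signature.setSecureValidation(true);

        // Check against a key obtained out of band instead of the key that ds:KeyInfo points to,
        // so RetrievalMethod / KeyInfoReference resolution is never relied on for trust.
        return signature.checkSignatureValue(trustedKey);
    }
}
```

On an unpatched 1.5.8 build the flag set here is still not forwarded to KeyInfoReference handling, so the out-of-band key is the real safeguard until the 1.5.8-2+deb9u1 package is installed.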
For the detailed security status of libxml-security-java please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libxml-security-java

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the
appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.
The decision to follow or act on information or advice contained in this
security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies
and procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.