-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.3230
                   libxml-security-java security update
                             28 September 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           libxml-security-java
Publisher:         Debian
Operating System:  Debian GNU/Linux
                   UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Access Confidential Data -- Unknown/Unspecified
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-40690  

Original Bulletin: 
   https://www.debian.org/lts/security/2021/dla-2767

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Debian. It is recommended that administrators 
         running libxml-security-java check for an updated version of the 
         software for their operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-2767-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                      Markus Koschany
September 27, 2021                            https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : libxml-security-java
Version        : 1.5.8-2+deb9u1
CVE ID         : CVE-2021-40690
Debian Bug     : 994569

Apache Santuario, XML Security for Java, is vulnerable to an issue where the
"secureValidation" property is not passed correctly when creating a KeyInfo
from a KeyInfoReference element. This allows an attacker to abuse an XPath
Transform to extract any local .xml files in a RetrievalMethod element.

For Debian 9 stretch, this problem has been fixed in version
1.5.8-2+deb9u1.

We recommend that you upgrade your libxml-security-java packages.

For the detailed security status of libxml-security-java please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libxml-security-java

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------
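The hardening the Debian advisory refers to is Santuario's "secureValidation" flag, which restricts what a signature may do during verification (among other things, which transforms a ds:RetrievalMethod may apply). The routine below is an added example, not code from the Debian package, the Debian advisory or the Santuario project, and it uses the org.apache.xml.security DOM API shipped in libxml-security-java 1.5.x. Assumed for illustration: the class and method names, that the caller supplies the certificate the signature must have been made with, and the JAXP/Xerces feature names used to harden the parser.

```java
import java.io.File;
import java.security.cert.X509Certificate;

import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;

import org.apache.xml.security.Init;
import org.apache.xml.security.keys.KeyInfo;
import org.apache.xml.security.signature.XMLSignature;
import org.apache.xml.security.utils.Constants;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/**
 * Verifies an XML signature with the Santuario DOM API, secureValidation on.
 * Added example with a hypothetical class name; not code from Debian or Santuario.
 */
public class SecureSignatureCheck {

    /** Parse with DTDs disabled so the signature check is not preceded by an XXE. */
    private static Document parse(File f) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Xerces feature name (assumption: the JDK's bundled parser is in use).
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        DocumentBuilder db = dbf.newDocumentBuilder();
        return db.parse(f);
    }

    /**
     * @param signedXml        document carrying exactly one ds:Signature
     * @param trusted          certificate the signature must verify against
     * @param secureValidation false is the library default; true is the hardened setting
     */
    public static boolean verify(File signedXml, X509Certificate trusted, boolean secureValidation)
            throws Exception {
        Init.init();
        Document doc = parse(signedXml);
        NodeList sigs = doc.getElementsByTagNameNS(Constants.SignatureSpecNS, Constants._TAG_SIGNATURE);
        if (sigs.getLength() != 1) {
            return false; // reject documents with zero or several signatures (wrapping)
        }
        Element sigElement = (Element) sigs.item(0);

        // Empty base URI: a file: base would let relative references in the document
        // be resolved against the local file system.
        XMLSignature signature = new XMLSignature(sigElement, "", secureValidation);

        KeyInfo keyInfo = signature.getKeyInfo();
        if (keyInfo == null) {
            return false;
        }
        // The constructor already hands the flag to this KeyInfo; repeating it is defence in
        // depth. It cannot reach a KeyInfo that the library builds itself while dereferencing
        // a KeyInfoReference, which is the path the advisory says drops the flag.
        keyInfo.setSecureValidation(secureValidation);

        // Resolving key material is where RetrievalMethod / KeyInfoReference get dereferenced.
        X509Certificate fromDocument = keyInfo.getX509Certificate();
        if (fromDocument == null || !fromDocument.equals(trusted)) {
            return false; // key material inside the document is attacker-controlled; pin it
        }
        return signature.checkSignatureValue(trusted);
    }
}
```

Two practical points. First, on a Debian 9 host the library version is what matters, not application code: `dpkg-query -W -f='${Version}\n' libxml-security-java` should report 1.5.8-2+deb9u1 or later, and applications that bundle their own xmlsec jar (for example via Maven) are not covered by the Debian package and need their own dependency upgrade. Second, enabling secureValidation as above is still the right default; it just is not a substitute for the upgrade, because the advisory's issue is precisely that the flag was not propagated on the KeyInfoReference path.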

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----