-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.3893
                   libxml-security-java security update
                             16 November 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           libxml-security-java
Publisher:         Debian
Operating System:  Debian GNU/Linux
Impact/Access:     Access Confidential Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-40690  

Reference:         ESB-2021.3230

Original Bulletin: 
   https://lists.debian.org/debian-security-announce/2021/msg00196.html

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-5010-1                   security@debian.org
https://www.debian.org/security/                          Markus Koschany
November 15, 2021                     https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : libxml-security-java
CVE ID         : CVE-2021-40690
Debian Bug     : 994569

Apache Santuario - XML Security for Java is vulnerable to an issue where the
"secureValidation" property is not passed correctly when creating a KeyInfo
from a KeyInfoReference element. This allows an attacker to abuse an XPath
Transform to extract any local .xml files in a RetrievalMethod element.

For the oldstable distribution (buster), this problem has been fixed
in version 2.0.10-2+deb10u1.

For the stable distribution (bullseye), this problem has been fixed in
version 2.0.10-2+deb11u1.

We recommend that you upgrade your libxml-security-java packages.

For the detailed security status of libxml-security-java please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libxml-security-java

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmGSlEZfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7
UeQUUA//WXOQk6k5h6rHlRD429rLUBPNy8FtSOFZCxUpBJW4cz6aZ7TlJPCKDJFd
kIA0+0PNoq5bmxSHeWXv1xgaXMATzCFII63iEwyDy+hsjUoOUDbNosqOiZ5CToN4
7SaGUslOave9kaDQisWRVG80SOO/6TvlcxwtHjSacgDzIN1RUK00VRs7OCPvXOkU
fg/w8zitkyBkZXi1Q8Jb67dQowrkQdBT5y2fMvUmT8lkZnjJiduXZJ8UnD5WydHm
6fPQnJFINHpw4JuNqgHKGq+Jsxbw/hxlfqHAdU/hkQdHgtx8R3dyWllIivUODhiW
53Wi3YGqhyFMRnPHD9kQjyiXJmW1w/y/lI6h5Q4x6RnwXRRN8frqzm8l5yovbnFW
QCGbRLn8WI0JYnHcRyT7tKIWgB/dpuCIrudKtRMceUMkWVWjlFNr477mqTmLbJdb
ZghruE4ZfttixeXajqm8Nufs9wtElZ1ZmYM8lHfsqeJrJrvybtQjwyt6Mg/hdmYP
4oulb3VjRPs0rmqBPVUJfuy9IToqyRDKJwn4mDn59yHcce+OA1WK7gO2hOw2FUlS
Sqtkt0SUOz0XeUZ+hxQT9IQqIWR373Dl8LPdlgsuWgQmN0WvCWi4MX9X9C2ipn2M
BL9KqPtuZ1qHJ5VtqymFlIvqmlP0FqeqyqIEka9c48qUi20zRNw=
=EjcO
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYZMIZeNLKJtyKPYoAQgwDw/+Jt0WeHOkVcF2pxbBF/9DisJUQdvh6TNP
TzXLOYkw8mAH3pxwuK/R6mcHmSbmptKBrka5bQMlKv7Heyq5UhWXb2e5eBUBWUta
mEJDoMUakmPeuj/QVvY78q08zY3J4S5VKx1HcLASOSArEaBtcx2TVleZW2rJyI0u
OH/0Weml3TOe4to6gGpIrp4E1ctJ4PmM/9htKw4WOcLKmAcesRvfO5TgccUb0j2y
nr31odSEjxcRZNRNmx1/8ihWkI+qGe9Xx7kHJV1eDaEEtejF7Alctd4nTc2jRmYM
Mq3J8Fq+jzGFgIAY6NlXkA1BVD7YLa4sPA1unfSYO4z5LAvqjhPVrAmlL92CD2F6
L5M2Wmlys20nQbwqw0P4HQefsiA0JMx9hOc8kWNm1CNVbpPyvO9h6xUh0EUXH60u
BEbgtkWqjB2gK/01K+tovafLrsHhtE9fMRqoSLl+20h54IY0Rm7CFTEfq5zjrtIp
3eB96JcGEri6V55QDxX+bvBfyiUncs3Ys51dWKMvuasJ//QzM1cy9s8AAWMT+3P4
guO0ymTBTXWnsWIjoX8+fxFcKXdcxskCldQl7cQeVi6mVgu/kLSSSm4TOkUAmeIo
0qK8nv5BLazwg7VN/Osv13P4O4KaZvo5+oiUkFcm49YGcaCj7BG8D/UeP5GvK20T
a3LgjCJGndQ=
=Iila
-----END PGP SIGNATURE-----