===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.3893
                    libxml-security-java security update
                              16 November 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           libxml-security-java
Publisher:         Debian
Operating System:  Debian GNU/Linux
Impact/Access:     Access Confidential Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-40690
Reference:         ESB-2021.3230

Original Bulletin:
   https://lists.debian.org/debian-security-announce/2021/msg00196.html

- --------------------------BEGIN INCLUDED TEXT--------------------

- -------------------------------------------------------------------------
Debian Security Advisory DSA-5010-1                   security@debian.org
https://www.debian.org/security/                           Markus Koschany
November 15, 2021                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : libxml-security-java
CVE ID         : CVE-2021-40690
Debian Bug     : 994569

Apache Santuario - XML Security for Java is vulnerable to an issue where
the "secureValidation" property is not passed correctly when creating a
KeyInfo from a KeyInfoReference element. This allows an attacker to abuse
an XPath Transform to extract any local .xml files in a RetrievalMethod
element.

For the oldstable distribution (buster), this problem has been fixed in
version 2.0.10-2+deb10u1.

For the stable distribution (bullseye), this problem has been fixed in
version 2.0.10-2+deb11u1.

We recommend that you upgrade your libxml-security-java packages.
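One defensive pattern for applications that verify signed XML, shown here as an added example written with the standard javax.xml.crypto API (it is not Debian's or Apache Santuario's own code): pin the trusted verification key instead of letting the document's own ds:KeyInfo choose it, so the key selector never dereferences a RetrievalMethod, and enable the implementation's secure-validation property as well. It assumes the caller already holds the trusted PublicKey; the class and method names are constructed for this illustration.

```java
import java.io.InputStream;
import java.security.PublicKey;
import javax.xml.XMLConstants;
import javax.xml.crypto.KeySelector;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

/** Constructed example class: verify an enveloped XML signature with a pinned key. */
public final class PinnedKeySignatureCheck {

    /** Parse untrusted XML with DTDs and entity expansion disabled (constructed helper). */
    static Document parseHardened(InputStream in) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);                 // ds: elements need namespace awareness
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setExpandEntityReferences(false);
        return dbf.newDocumentBuilder().parse(in);
    }

    /**
     * Returns true only if the first ds:Signature in the document validates against
     * trustedKey. The document's ds:KeyInfo (including any RetrievalMethod or
     * KeyInfoReference) is never used to pick the key, so nothing inside it is
     * dereferenced or transformed by the key-selection step.
     */
    public static boolean verifyWithPinnedKey(Document doc, PublicKey trustedKey)
            throws Exception {
        NodeList sigs = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (sigs.getLength() == 0) {
            return false;                            // unsigned input is rejected, not trusted
        }
        // singletonKeySelector hands back trustedKey without consulting ds:KeyInfo.
        DOMValidateContext ctx = new DOMValidateContext(
                KeySelector.singletonKeySelector(trustedKey), sigs.item(0));
        // Also request the provider's secure-validation mode for the reference processing.
        ctx.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE);
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        XMLSignature sig = fac.unmarshalXMLSignature(ctx);
        return sig.validate(ctx);                    // checks SignatureValue and all References
    }
}
```

This reduces exposure of the key-resolution path described in the advisory but does not replace the fix: on the affected package versions the "secureValidation" property is not propagated for KeyInfoReference, so upgrading to the fixed versions listed above is still required.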
For the detailed security status of libxml-security-java please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libxml-security-java

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained
in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.