Security Advisory Moderate: xml-security security update

Advisory: RHSA-2013:1219-1
Type: Security Advisory
Severity: Moderate
Issued on: 2013-09-09
Last updated on: 2013-09-09
Affected Products: JBoss Enterprise Web Platform 5 EL4
JBoss Enterprise Web Platform 5 EL5
JBoss Enterprise Web Platform 5 EL6
CVEs (cve.mitre.org): CVE-2013-2172

Details

An updated xml-security package that fixes one security issue is now
available for Red Hat JBoss Web Platform 5.2.0 for Red Hat Enterprise Linux
4, 5, and 6.

The Red Hat Security Response Team has rated this update as having moderate
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link
listed above.

Apache Santuario implements the XML Signature Syntax and Processing and XML
Encryption Syntax and Processing standards.

A flaw was found in the way Apache Santuario XML Security for Java
validated XML signatures. Santuario allowed a signature to specify an
arbitrary canonicalization algorithm, which would be applied to the
SignedInfo XML fragment. Because SignedInfo is canonicalized before the
SignatureValue is checked against it, an attacker who controls that
algorithm influences which bytes the verifier actually checks. A remote
attacker could exploit this to spoof an XML signature via a
specially-crafted XML signature block. (CVE-2013-2172)
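As an added illustration (not part of this advisory and not Apache Santuario's own code), the following Python check shows the kind of allowlist a verifier, or a filter placed in front of one, should enforce: every ds:SignedInfo/ds:CanonicalizationMethod must name one of the standard W3C canonicalization algorithms, and anything else is refused before signature validation is attempted. The namespace and algorithm URIs are the ones defined by XML Signature and the C14N specifications; the two signature blocks are constructed samples.

```python
"""Allowlist check for the CanonicalizationMethod of an XML Signature.

Added illustration, not part of the advisory or of Apache Santuario: it
rejects any ds:SignedInfo whose CanonicalizationMethod/@Algorithm is not
a standard W3C canonicalization identifier, the class of input that
CVE-2013-2172 concerns. The sample signature blocks below are constructed.
"""
import xml.etree.ElementTree as ET
from typing import List, Tuple

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"

# Canonicalization algorithms defined by XML Signature and the C14N specs.
ALLOWED_C14N = frozenset({
    "http://www.w3.org/TR/2001/REC-xml-c14n-20010315",
    "http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments",
    "http://www.w3.org/2001/10/xml-exc-c14n#",
    "http://www.w3.org/2001/10/xml-exc-c14n#WithComments",
    "http://www.w3.org/2006/12/xml-c14n11",
    "http://www.w3.org/2006/12/xml-c14n11#WithComments",
})


def canonicalization_algorithms(xml_text: str) -> List[str]:
    """Return the Algorithm URI of every ds:SignedInfo/ds:CanonicalizationMethod.

    A missing CanonicalizationMethod element or Algorithm attribute is
    reported as "" so the caller rejects it rather than skipping it.
    """
    root = ET.fromstring(xml_text)
    found = []
    # The Signature may be the document root or nested inside a larger document.
    for signed_info in root.iter("{%s}SignedInfo" % DSIG_NS):
        c14n = signed_info.find("{%s}CanonicalizationMethod" % DSIG_NS)
        found.append("" if c14n is None else c14n.get("Algorithm", ""))
    return found


def check_signature_block(xml_text: str) -> Tuple[bool, str]:
    """Accept only if every SignedInfo names an allowlisted C14N algorithm."""
    try:
        algorithms = canonicalization_algorithms(xml_text)
    except ET.ParseError as exc:
        return False, "malformed XML: %s" % exc
    if not algorithms:
        return False, "no ds:SignedInfo found"
    for alg in algorithms:
        if alg not in ALLOWED_C14N:
            return False, "unexpected CanonicalizationMethod %r" % alg
    return True, "canonicalization algorithm(s) allowlisted"


# Constructed sample: a signature block using Exclusive C14N.
GOOD_SIGNATURE = """<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <ds:Reference URI="#body">
      <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <ds:DigestValue>AAAA</ds:DigestValue>
    </ds:Reference>
  </ds:SignedInfo>
  <ds:SignatureValue>AAAA</ds:SignatureValue>
</ds:Signature>"""

# Constructed sample: the CanonicalizationMethod names an XSLT transform,
# which is not a canonicalization algorithm and must be refused.
XSLT_URI = "http://www.w3.org/TR/1999/REC-xslt-19991116"
BAD_SIGNATURE = GOOD_SIGNATURE.replace(
    "http://www.w3.org/2001/10/xml-exc-c14n#", XSLT_URI)

if __name__ == "__main__":
    for label, block in (("good", GOOD_SIGNATURE), ("bad", BAD_SIGNATURE)):
        print(label, check_signature_block(block))
```

This is a defence-in-depth filter, not a substitute for the updated package: the fix is to install the xml-security build listed below. Note also that the check itself parses untrusted input, so in production it should run on a hardened XML parser (entity expansion and external entities disabled) rather than the stock one used here for brevity.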

Warning: Before applying this update, back up your existing Red Hat JBoss
Web Platform installation (including all applications and configuration
files).

All users of Red Hat JBoss Web Platform 5.2.0 on Red Hat Enterprise Linux
4, 5, and 6 are advised to upgrade to this updated package. The JBoss
server process must be restarted for the update to take effect.


Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/site/articles/11258

Updated packages

JBoss Enterprise Web Platform 5 EL4

SRPMS:
xml-security-1.5.1-3_patch01.ep5.el4.src.rpm
File outdated by:  RHSA-2014:1728
    MD5: 429a35007921787c267703e2ab2d2611
SHA-256: 57d4e75b50d1b401f471efb2faed6ee20986dad8a72b7dda381418dad4d3a3ca
 
IA-32:
xml-security-1.5.1-3_patch01.ep5.el4.noarch.rpm
File outdated by:  RHSA-2014:1728
    MD5: 14a5adf387424e9c3ccc5236bdebbe22
SHA-256: f0f351a9cd2363783f8fa8a9b4c0cd8220dab2e0431e600e0fce2e58b034f3dc
 
x86_64:
xml-security-1.5.1-3_patch01.ep5.el4.noarch.rpm
File outdated by:  RHSA-2014:1728
    MD5: 14a5adf387424e9c3ccc5236bdebbe22
SHA-256: f0f351a9cd2363783f8fa8a9b4c0cd8220dab2e0431e600e0fce2e58b034f3dc
 
JBoss Enterprise Web Platform 5 EL5

SRPMS:
xml-security-1.5.1-3_patch01.ep5.el5.src.rpm
File outdated by:  RHSA-2014:1728
    MD5: 87cf5fda049b56ba68f09e8345f06db0
SHA-256: 434147d36a1bb2fc927cc508d7313fc780c2d87c39e4784927a956702ec6b265
 
IA-32:
xml-security-1.5.1-3_patch01.ep5.el5.noarch.rpm
File outdated by:  RHSA-2014:1728
    MD5: d8a776b7ccc657e2dc972940f132bc51
SHA-256: 936f57dcd9d6523ad03ef0d6767dabed2070744a1995451d823bdcc1c33e4bfa
 
x86_64:
xml-security-1.5.1-3_patch01.ep5.el5.noarch.rpm
File outdated by:  RHSA-2014:1728
    MD5: d8a776b7ccc657e2dc972940f132bc51
SHA-256: 936f57dcd9d6523ad03ef0d6767dabed2070744a1995451d823bdcc1c33e4bfa
 
JBoss Enterprise Web Platform 5 EL6

SRPMS:
xml-security-1.5.1-3_patch01.ep5.el6.src.rpm
File outdated by:  RHSA-2014:1728
    MD5: 3d1f40aca055b61210a63974d1b4de44
SHA-256: 2cc4ac4d13362d11b0bc95b96205ddff3cee4821841a0f2d2a24b548e7205b27
 
IA-32:
xml-security-1.5.1-3_patch01.ep5.el6.noarch.rpm
File outdated by:  RHSA-2014:1728
    MD5: bf02580981070d59539f710addab4523
SHA-256: 56e44cb8d9cafcca6fd9fb387ef4714ed65a709510da380495bfe7821ef12124
 
x86_64:
xml-security-1.5.1-3_patch01.ep5.el6.noarch.rpm
File outdated by:  RHSA-2014:1728
    MD5: bf02580981070d59539f710addab4523
SHA-256: 56e44cb8d9cafcca6fd9fb387ef4714ed65a709510da380495bfe7821ef12124
 
(The unlinked packages above are only available from the Red Hat Network)
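Added example, not from the advisory: a POSIX shell helper that checks a downloaded package against the SHA-256 digest listed for it above before it is installed and, where rpm is available, has rpm verify the Red Hat GPG signature described in the References below. The function names are this example's own; the digest in the usage comment is the one listed above for the EL6 noarch package.

```shell
# Added example, not part of the advisory: verify a downloaded package
# against the SHA-256 digest listed above before installing it, then, where
# rpm is available, check the Red Hat GPG signature on it.

# verify_sha256 <file> <expected-hex-digest>: returns 0 only on an exact match.
verify_sha256() {
    file=$1
    expected=$2
    if command -v sha256sum >/dev/null 2>&1; then
        actual=$(sha256sum "$file" | cut -d' ' -f1)
    else
        actual=$(shasum -a 256 "$file" | cut -d' ' -f1)   # BSD / macOS fallback
    fi
    [ "$actual" = "$expected" ]
}

# check_package <rpm-file> <expected-sha256>: refuse a package whose digest
# does not match, then let rpm -K validate the GPG signature (requires the
# Red Hat package-signing key to be imported into the rpm database).
check_package() {
    pkg=$1
    if ! verify_sha256 "$pkg" "$2"; then
        echo "digest mismatch for $pkg; do not install" >&2
        return 1
    fi
    echo "digest OK for $pkg"
    if command -v rpm >/dev/null 2>&1; then
        rpm -K "$pkg" || return 1
    fi
}

# Example with the EL6 noarch package and the SHA-256 listed for it above:
#   check_package xml-security-1.5.1-3_patch01.ep5.el6.noarch.rpm \
#       56e44cb8d9cafcca6fd9fb387ef4714ed65a709510da380495bfe7821ef12124
# After installing, confirm the build with `rpm -q xml-security` and restart
# the JBoss server process so the updated package is actually loaded.
```

The digest check guards the download; the GPG check guards the build itself, since a digest copied from the same place as the package proves nothing if that place was tampered with. Run both, and do not skip the restart: the old jar stays loaded in a running JBoss process until it is restarted.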

Bugs fixed (see bugzilla for more information)

999263 - CVE-2013-2172 Apache Santuario XML Security for Java: XML signature spoofing


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/