ID de Prueba:	1.3.6.1.4.1.25623.1.0.880823
Categoría:	CentOS Local Security Checks
Título:	CentOS Update for xmlsec1 CESA-2009:1428 centos5 i386
Resumen:	The remote host is missing an update for the 'xmlsec1'; package(s) announced via the referenced advisory.
Descripción:	Summary: The remote host is missing an update for the 'xmlsec1' package(s) announced via the referenced advisory. Vulnerability Insight: The XML Security Library is a C library based on libxml2 and OpenSSL. It implements the XML Signature Syntax and Processing and XML Encryption Syntax and Processing standards. HMAC is used for message authentication using cryptographic hash functions. The HMAC algorithm allows the hash output to be truncated (as documented in RFC 2104). A missing check for the recommended minimum length of the truncated form of HMAC-based XML signatures was found in xmlsec1. An attacker could use this flaw to create a specially-crafted XML file that forges an XML signature, allowing the attacker to bypass authentication that is based on the XML Signature specification. (CVE-2009-0217) Users of xmlsec1 should upgrade to these updated packages, which contain a backported patch to correct this issue. After installing the updated packages, applications that use the XML Security Library must be restarted for the update to take effect. Affected Software/OS: xmlsec1 on CentOS 5 Solution: Please install the updated packages. CVSS Score: 5.0 CVSS Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N
Referencia Cruzada:	Common Vulnerability Exposure (CVE) ID: CVE-2009-0217 AIX APAR: PK80596 http://www-01.ibm.com/support/docview.wss?rs=180&context=SSEQTP&dc=D400&uid=swg24023545&loc=en_US&cs=UTF-8&lang=en&rss=ct180websphere AIX APAR: PK80627 http://www-01.ibm.com/support/docview.wss?rs=180&context=SSEQTP&dc=D400&uid=swg24023723&loc=en_US&cs=UTF-8&lang=en&rss=ct180websphere http://lists.apple.com/archives/security-announce/2009/Sep/msg00000.html BugTraq ID: 35671 http://www.securityfocus.com/bid/35671 Cert/CC Advisory: TA09-294A http://www.us-cert.gov/cas/techalerts/TA09-294A.html Cert/CC Advisory: TA10-159B http://www.us-cert.gov/cas/techalerts/TA10-159B.html CERT/CC vulnerability note: VU#466161 http://www.kb.cert.org/vuls/id/466161 Debian Security Information: DSA-1995 (Google Search) http://www.debian.org/security/2010/dsa-1995 https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00310.html https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00325.html https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00494.html https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00505.html http://www.gentoo.org/security/en/glsa/glsa-201408-19.xml HPdes Security Advisory: HPSBUX02476 http://marc.info/?l=bugtraq&m=125787273209737&w=2 HPdes Security Advisory: SSRT090250 http://www.mandriva.com/security/advisories?name=MDVSA-2009:209 http://www.w3.org/QA/2009/07/hmac_truncation_in_xml_signatu.html Microsoft Security Bulletin: MS10-041 https://docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-041 http://osvdb.org/55895 http://osvdb.org/55907 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10186 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7158 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8717 RedHat Security Advisories: RHSA-2009:1200 https://rhn.redhat.com/errata/RHSA-2009-1200.html RedHat Security Advisories: RHSA-2009:1201 https://rhn.redhat.com/errata/RHSA-2009-1201.html RedHat Security Advisories: RHSA-2009:1428 https://rhn.redhat.com/errata/RHSA-2009-1428.html RedHat Security Advisories: RHSA-2009:1636 https://rhn.redhat.com/errata/RHSA-2009-1636.html RedHat Security Advisories: RHSA-2009:1637 https://rhn.redhat.com/errata/RHSA-2009-1637.html RedHat Security Advisories: RHSA-2009:1649 https://rhn.redhat.com/errata/RHSA-2009-1649.html RedHat Security Advisories: RHSA-2009:1650 https://rhn.redhat.com/errata/RHSA-2009-1650.html http://www.redhat.com/support/errata/RHSA-2009-1694.html http://www.securitytracker.com/id?1022561 http://www.securitytracker.com/id?1022567 http://www.securitytracker.com/id?1022661 http://secunia.com/advisories/34461 http://secunia.com/advisories/35776 http://secunia.com/advisories/35852 http://secunia.com/advisories/35853 http://secunia.com/advisories/35854 http://secunia.com/advisories/35855 http://secunia.com/advisories/35858 http://secunia.com/advisories/36162 http://secunia.com/advisories/36176 http://secunia.com/advisories/36180 http://secunia.com/advisories/36494 http://secunia.com/advisories/37300 http://secunia.com/advisories/37671 http://secunia.com/advisories/37841 http://secunia.com/advisories/38567 http://secunia.com/advisories/38568 http://secunia.com/advisories/38695 http://secunia.com/advisories/38921 http://secunia.com/advisories/41818 http://secunia.com/advisories/60799 http://sunsolve.sun.com/search/document.do?assetkey=1-77-1020710.1-1 http://sunsolve.sun.com/search/document.do?assetkey=1-66-263429-1 http://sunsolve.sun.com/search/document.do?assetkey=1-66-269208-1 SuSE Security Announcement: SUSE-SA:2009:053 (Google Search) http://lists.opensuse.org/opensuse-security-announce/2009-11/msg00002.html SuSE Security Announcement: SUSE-SA:2010:017 (Google Search) http://lists.opensuse.org/opensuse-security-announce/2010-03/msg00005.html https://usn.ubuntu.com/826-1/ http://www.ubuntu.com/usn/USN-903-1 http://www.vupen.com/english/advisories/2009/1900 http://www.vupen.com/english/advisories/2009/1908 http://www.vupen.com/english/advisories/2009/1909 http://www.vupen.com/english/advisories/2009/1911 http://www.vupen.com/english/advisories/2009/2543 http://www.vupen.com/english/advisories/2009/3122 http://www.vupen.com/english/advisories/2010/0366 http://www.vupen.com/english/advisories/2010/0635
Copyright	Copyright (C) 2011 Greenbone AG

Esta es sólo una de 145615 pruebas de vulnerabilidad en nuestra serie de pruebas. Encuentre más sobre cómo ejecutar una auditoría de seguridad completa. Para ejecutar una prueba gratuita de esta vulnerabilidad contra su sistema, regístrese ahora.