[xmlsec] New xmlsec 1.2.17 release
Aleksey Sanin
aleksey at aleksey.com
Thu Mar 31 16:51:07 PDT 2011
The new XML Security Library 1.2.17 release is available at
the usual place:
http://www.aleksey.com/xmlsec/download.html
This release includes a fix for an important security issue
with XSLT transforms (CVE-2011-1425, reported by Nicolas Gregoire):
When using XML Security Library prior to 1.2.17, it is possible
to create or overwrite arbitrary files during signature verification,
if XSLT is present and enabled (which is the default mode). The attack
uses the libxslt extension "output" or its aliases, inside a
<ds:Transform> element.
It is strongly recommended to upgrade to the new version of XML
Security Library as soon as possible. If the upgrade cannot be
performed, you can do one of the following:
- Explicitly call xsltNewSecurityPrefs() in your application and
forbid any access to the file system, as is done in the following
commits:
http://git.gnome.org/browse/xmlsec/commit/?id=2d5eddcc4163ea050cf3a3a1a25452bb5124f780
http://trac.webkit.org/changeset/79159
- Recompile the xmlsec library with XSLT support disabled, using the
./configure --without-libxslt command
- Disable the XSLT transform if it is not used (see the enabledUris field
in struct xmlSecTransformCtx)
Thanks to everyone for the contributions, patches and bug reports!
Aleksey Sanin