[xmlsec] New xmlsec 1.2.17 release

Aleksey Sanin aleksey at aleksey.com
Thu Mar 31 16:51:07 PDT 2011

The new XML Security Library 1.2.17 release is available at
the usual place:


This release includes a fix for an important security issue
with XSLT transforms (CVE-2011-1425, reported by Nicolas Gregoire):

When using XML Security Library prior to 1.2.17, it is possible
to create or overwrite arbitrary files during signature verification,
if XSLT is present and enabled (which is the default mode). The attack
uses the libxslt extension "output" or its aliases, inside a
<ds:Transform> element.

It is strongly recommended to upgrade to the new version of XML
Security Library as soon as possible. If the upgrade cannot be
performed, you can do one of the following:

- Explicitly call xsltNewSecurityPrefs() in your application and
   forbid any access to the file system, as it is done in the following


- Recompile the xmlsec library with XSLT support disabled, using the

   ./configure --without-libxslt command

- Disable the XSLT transform if it is not used (see the enabledUris field
   in struct xmlSecTransformCtx)
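As an added example (not part of the original announcement and not xmlsec's own code), the following Python script shows an application-level counterpart of the third option above: before a signed document is handed to the verifier, enumerate every ds:Transform algorithm it declares and reject the document if any transform falls outside an explicit allowlist, so XSLT transforms never reach the library in applications that do not use them. The allowlist, the function names and the embedded sample document are assumptions constructed for this example.

```python
# Added example: allowlist check on ds:Transform algorithms, run before
# signature verification. Not xmlsec code; names and sample are constructed.
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
ENVELOPED_SIGNATURE = DSIG_NS + "enveloped-signature"
C14N_INCLUSIVE = "http://www.w3.org/TR/2001/REC-xml-c14n-20010315"
C14N_EXCLUSIVE = "http://www.w3.org/2001/10/xml-exc-c14n#"
XSLT_TRANSFORM = "http://www.w3.org/TR/1999/REC-xslt-19991116"

# Transform algorithms this hypothetical application genuinely needs.
# XSLT is deliberately absent: a document that asks for it is refused.
ALLOWED_TRANSFORMS = frozenset({ENVELOPED_SIGNATURE, C14N_INCLUSIVE, C14N_EXCLUSIVE})

# Constructed sample: one allowed transform and one XSLT transform on the
# same Reference. The embedded stylesheet is a harmless identity copy.
SAMPLE_SIGNED_DOC = b"""<?xml version="1.0"?>
<Envelope xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <Data>hello</Data>
  <ds:Signature>
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/TR/1999/REC-xslt-19991116">
            <xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
              <xsl:template match="/"><xsl:copy-of select="."/></xsl:template>
            </xsl:stylesheet>
          </ds:Transform>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>PLACEHOLDER-DIGEST</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER-SIGNATURE</ds:SignatureValue>
  </ds:Signature>
</Envelope>
"""


def list_transforms(xml_bytes):
    """Return the Algorithm URI of every ds:Transform in document order.

    The whole tree is walked, so transforms under a ds:Manifest or inside
    a nested ds:Signature are reported as well, not only those directly
    under ds:SignedInfo.
    """
    root = ET.fromstring(xml_bytes)
    return [t.get("Algorithm", "") for t in root.iter("{%s}Transform" % DSIG_NS)]


def check_transforms(xml_bytes, allowed=ALLOWED_TRANSFORMS):
    """Return (ok, rejected): ok is False if any transform is not allowlisted.

    A missing Algorithm attribute yields "" and is rejected too, since the
    verifier would have to guess what the signer meant.
    """
    rejected = [a for a in list_transforms(xml_bytes) if a not in allowed]
    return (not rejected, rejected)


if __name__ == "__main__":
    ok, rejected = check_transforms(SAMPLE_SIGNED_DOC)
    if ok:
        print("transforms acceptable, document may be passed to the verifier")
    else:
        print("document refused; disallowed transforms:", rejected)
```

The check is a pre-filter only: it keeps XSLT stylesheets away from a not-yet-upgraded library when the application never needs them, which is the same situation the third option covers. If the application does rely on XSLT transforms, the filter cannot help and only the upgrade or the libxslt security preferences from the first option apply.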

Thanks to everyone for the contributions, patches and bug reports!

Aleksey Sanin
