Scientific Linux Security Update : xmlsec1 on SL7.x x86_64 (20170821)

Nessus Plugin ID 102677 (severity: high)

Synopsis

The remote Scientific Linux host is missing one or more security updates.

Description

Security Fix(es) :

- It was discovered that xmlsec1's use of libxml2 inadvertently enabled external entity expansion (XXE) together with validation. An attacker could craft an XML file that would cause xmlsec1 to try to read local files or HTTP/FTP URLs, leading to information disclosure or denial of service. (CVE-2017-1000061)

Solution

Update the affected packages.

See Also

http://www.nessus.org/u?7a984c3b

Plugin Details

Severity: High

ID: 102677

File Name: sl_20170821_xmlsec1_on_SL7_x.nasl

Version: 3.6

Type: local

Agent: unix

Published: 8/22/2017

Updated: 12/5/2022

Supported Sensors: Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.2

CVSS v2

Risk Factor: Medium

Base Score: 5.8

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:P

CVSS v3

Risk Factor: High

Base Score: 7.1

Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H

Vulnerability Information

CPE: p-cpe:/a:fermilab:scientific_linux:xmlsec1, p-cpe:/a:fermilab:scientific_linux:xmlsec1-debuginfo, p-cpe:/a:fermilab:scientific_linux:xmlsec1-devel, p-cpe:/a:fermilab:scientific_linux:xmlsec1-gcrypt, p-cpe:/a:fermilab:scientific_linux:xmlsec1-gcrypt-devel, p-cpe:/a:fermilab:scientific_linux:xmlsec1-gnutls, p-cpe:/a:fermilab:scientific_linux:xmlsec1-gnutls-devel, p-cpe:/a:fermilab:scientific_linux:xmlsec1-nss, p-cpe:/a:fermilab:scientific_linux:xmlsec1-nss-devel, p-cpe:/a:fermilab:scientific_linux:xmlsec1-openssl, p-cpe:/a:fermilab:scientific_linux:xmlsec1-openssl-devel, x-cpe:/o:fermilab:scientific_linux

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/RedHat/release, Host/RedHat/rpm-list

Patch Publication Date: 8/21/2017

Vulnerability Publication Date: 7/17/2017

Reference Information

CVE: CVE-2017-1000061