RHEL 7 : xmlsec1 (RHSA-2017:2492)

This script is Copyright (C) 2017 Tenable Network Security, Inc.


Synopsis :

The remote Red Hat host is missing one or more security updates.

Description :

An update for xmlsec1 is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security
impact of Moderate. A Common Vulnerability Scoring System (CVSS) base
score, which gives a detailed severity rating, is available for each
vulnerability from the CVE link(s) in the References section.

XML Security Library is a C library based on LibXML2 and OpenSSL. The
library was created with a goal to support major XML security
standards 'XML Digital Signature' and 'XML Encryption'.

Security Fix(es) :

* It was discovered that xmlsec1's use of libxml2 inadvertently enabled
external entity expansion (XXE) along with validation. An attacker
could craft an XML file that would cause xmlsec1 to try to read local
files or HTTP/FTP URLs, leading to information disclosure or denial of
service. (CVE-2017-1000061)

See also :

http://rhn.redhat.com/errata/RHSA-2017-2492.html
https://www.redhat.com/security/data/cve/CVE-2017-1000061.html

Solution :

Update the affected packages.

Risk factor :

Medium / CVSS Base Score : 5.8
(CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:P)
CVSS Temporal Score : 5.5
(CVSS2#E:F/RL:U/RC:ND)
Public Exploit Available : true

Family: Red Hat Local Security Checks

Nessus Plugin ID: 102634

Bugtraq ID:

CVE ID: CVE-2017-1000061
