ALAS-2017-890


Amazon Linux AMI Security Advisory: ALAS-2017-890
Advisory Release Date: 2017-09-14 22:19 Pacific
Severity: Medium
References: CVE-2017-1000061 

Issue Overview:

It was discovered xmlsec1's use of libxml2 inadvertently enabled external entity expansion (XXE) along with validation. An attacker could craft an XML file that would cause xmlsec1 to try and read local files or HTTP/FTP URLs, leading to information disclosure or denial of service. (CVE-2017-1000061 )


Affected Packages:

xmlsec1


Issue Correction:
Run yum update xmlsec1 to update your system.

New Packages:
i686:
    xmlsec1-openssl-1.2.20-7.4.amzn1.i686
    xmlsec1-gnutls-1.2.20-7.4.amzn1.i686
    xmlsec1-debuginfo-1.2.20-7.4.amzn1.i686
    xmlsec1-nss-1.2.20-7.4.amzn1.i686
    xmlsec1-1.2.20-7.4.amzn1.i686
    xmlsec1-gcrypt-1.2.20-7.4.amzn1.i686
    xmlsec1-openssl-devel-1.2.20-7.4.amzn1.i686
    xmlsec1-gcrypt-devel-1.2.20-7.4.amzn1.i686
    xmlsec1-devel-1.2.20-7.4.amzn1.i686
    xmlsec1-nss-devel-1.2.20-7.4.amzn1.i686
    xmlsec1-gnutls-devel-1.2.20-7.4.amzn1.i686

src:
    xmlsec1-1.2.20-7.4.amzn1.src

x86_64:
    xmlsec1-openssl-1.2.20-7.4.amzn1.x86_64
    xmlsec1-1.2.20-7.4.amzn1.x86_64
    xmlsec1-openssl-devel-1.2.20-7.4.amzn1.x86_64
    xmlsec1-nss-1.2.20-7.4.amzn1.x86_64
    xmlsec1-gcrypt-devel-1.2.20-7.4.amzn1.x86_64
    xmlsec1-devel-1.2.20-7.4.amzn1.x86_64
    xmlsec1-gnutls-1.2.20-7.4.amzn1.x86_64
    xmlsec1-nss-devel-1.2.20-7.4.amzn1.x86_64
    xmlsec1-debuginfo-1.2.20-7.4.amzn1.x86_64
    xmlsec1-gnutls-devel-1.2.20-7.4.amzn1.x86_64
    xmlsec1-gcrypt-1.2.20-7.4.amzn1.x86_64