ALAS-2017-890


Amazon Linux 1 Security Advisory: ALAS-2017-890
Advisory Release Date: 2017-09-13 22:22 Pacific
Advisory Updated Date: 2017-09-14 22:19 Pacific
Severity: Medium

Issue Overview:

It was discovered that xmlsec1's use of libxml2 inadvertently enabled external entity expansion (XXE) along with validation. An attacker could craft an XML file that would cause xmlsec1 to try to read local files or HTTP/FTP URLs, leading to information disclosure or denial of service. (CVE-2017-1000061)


Affected Packages:

xmlsec1


Issue Correction:
Run yum update xmlsec1 to update your system.

New Packages:
i686:
    xmlsec1-openssl-1.2.20-7.4.amzn1.i686
    xmlsec1-gnutls-1.2.20-7.4.amzn1.i686
    xmlsec1-debuginfo-1.2.20-7.4.amzn1.i686
    xmlsec1-nss-1.2.20-7.4.amzn1.i686
    xmlsec1-1.2.20-7.4.amzn1.i686
    xmlsec1-gcrypt-1.2.20-7.4.amzn1.i686
    xmlsec1-openssl-devel-1.2.20-7.4.amzn1.i686
    xmlsec1-gcrypt-devel-1.2.20-7.4.amzn1.i686
    xmlsec1-devel-1.2.20-7.4.amzn1.i686
    xmlsec1-nss-devel-1.2.20-7.4.amzn1.i686
    xmlsec1-gnutls-devel-1.2.20-7.4.amzn1.i686

src:
    xmlsec1-1.2.20-7.4.amzn1.src

x86_64:
    xmlsec1-openssl-1.2.20-7.4.amzn1.x86_64
    xmlsec1-1.2.20-7.4.amzn1.x86_64
    xmlsec1-openssl-devel-1.2.20-7.4.amzn1.x86_64
    xmlsec1-nss-1.2.20-7.4.amzn1.x86_64
    xmlsec1-gcrypt-devel-1.2.20-7.4.amzn1.x86_64
    xmlsec1-devel-1.2.20-7.4.amzn1.x86_64
    xmlsec1-gnutls-1.2.20-7.4.amzn1.x86_64
    xmlsec1-nss-devel-1.2.20-7.4.amzn1.x86_64
    xmlsec1-debuginfo-1.2.20-7.4.amzn1.x86_64
    xmlsec1-gnutls-devel-1.2.20-7.4.amzn1.x86_64
    xmlsec1-gcrypt-1.2.20-7.4.amzn1.x86_64
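A check that the update actually landed, added here as example code and not part of the advisory: it parses rpm query output for the xmlsec1* packages and compares each version-release against the fixed build listed above using rpm's segment comparison rules. The sample output is constructed, epochs and '~'/'^' markers are not handled (none appear in the package list), and SAMPLE_RPM_OUTPUT, rpmvercmp, is_fixed and audit are names introduced for this example.

```python
import re

# Fixed version/release taken from the advisory's "New Packages" list.
FIXED_VERSION = "1.2.20"
FIXED_RELEASE = "7.4.amzn1"

# Constructed sample (not from a real host), one "NAME VERSION RELEASE" per line.
SAMPLE_RPM_OUTPUT = """\
xmlsec1 1.2.20 7.4.amzn1
xmlsec1-openssl 1.2.20 7.3.amzn1
xmlsec1-nss 1.2.20 7.4.amzn1
"""

def _segments(s):
    # rpm compares alternating runs of digits and letters; separators are ignored.
    return re.findall(r"\d+|[A-Za-z]+", s)

def rpmvercmp(a, b):
    """Compare two version or release strings like rpm does: returns -1, 0 or 1.
    Numeric segments beat alpha segments and compare as integers (leading zeros
    dropped); the '~' and '^' pre-release markers are not handled here."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        xd, yd = x.isdigit(), y.isdigit()
        if xd != yd:
            return 1 if xd else -1
        if xd:
            x, y = x.lstrip("0"), y.lstrip("0")
            if len(x) != len(y):
                return 1 if len(x) > len(y) else -1
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # leftover segments win

def is_fixed(version, release):
    """True when version-release is at or above the advisory's fixed build."""
    c = rpmvercmp(version, FIXED_VERSION)
    return c > 0 if c else rpmvercmp(release, FIXED_RELEASE) >= 0

def audit(rpm_output):
    """Map each installed xmlsec1* package to True (fixed) or False (still vulnerable)."""
    result = {}
    for line in rpm_output.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0].startswith("xmlsec1"):
            result[parts[0]] = is_fixed(parts[1], parts[2])
    return result
```

On a live Amazon Linux 1 host, feed audit() the output of `rpm -qa --qf '%{NAME} %{VERSION} %{RELEASE}\n' 'xmlsec1*'` instead of the constructed sample.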