Amazon Linux 1 Security Advisory: ALAS-2017-890
Advisory Release Date: 2017-09-13 22:22 Pacific
Advisory Updated Date: 2017-09-14 22:19 Pacific
It was discovered that xmlsec1's use of libxml2 inadvertently enabled external entity expansion (XXE) along with validation. An attacker could craft an XML file that would cause xmlsec1 to try to read local files or HTTP/FTP URLs, leading to information disclosure or denial of service. (CVE-2017-1000061)
Affected Packages:
xmlsec1
Issue Correction:
Run yum update xmlsec1 to update your system.
i686:
xmlsec1-openssl-1.2.20-7.4.amzn1.i686
xmlsec1-gnutls-1.2.20-7.4.amzn1.i686
xmlsec1-debuginfo-1.2.20-7.4.amzn1.i686
xmlsec1-nss-1.2.20-7.4.amzn1.i686
xmlsec1-1.2.20-7.4.amzn1.i686
xmlsec1-gcrypt-1.2.20-7.4.amzn1.i686
xmlsec1-openssl-devel-1.2.20-7.4.amzn1.i686
xmlsec1-gcrypt-devel-1.2.20-7.4.amzn1.i686
xmlsec1-devel-1.2.20-7.4.amzn1.i686
xmlsec1-nss-devel-1.2.20-7.4.amzn1.i686
xmlsec1-gnutls-devel-1.2.20-7.4.amzn1.i686
src:
xmlsec1-1.2.20-7.4.amzn1.src
x86_64:
xmlsec1-openssl-1.2.20-7.4.amzn1.x86_64
xmlsec1-1.2.20-7.4.amzn1.x86_64
xmlsec1-openssl-devel-1.2.20-7.4.amzn1.x86_64
xmlsec1-nss-1.2.20-7.4.amzn1.x86_64
xmlsec1-gcrypt-devel-1.2.20-7.4.amzn1.x86_64
xmlsec1-devel-1.2.20-7.4.amzn1.x86_64
xmlsec1-gnutls-1.2.20-7.4.amzn1.x86_64
xmlsec1-nss-devel-1.2.20-7.4.amzn1.x86_64
xmlsec1-debuginfo-1.2.20-7.4.amzn1.x86_64
xmlsec1-gnutls-devel-1.2.20-7.4.amzn1.x86_64
xmlsec1-gcrypt-1.2.20-7.4.amzn1.x86_64
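To confirm that a host is running the fixed build listed above, the following added example (not part of the original advisory) compares installed xmlsec1 packages against 1.2.20-7.4.amzn1. The function names, the "name version-release" input format and the sample inventory are assumptions made for illustration, and GNU sort -V stands in for RPM's own version comparison.

```bash
#!/bin/bash
# Added example: flag xmlsec1 packages older than the build fixed by ALAS-2017-890.
FIXED_VR="1.2.20-7.4.amzn1"   # version-release taken from the advisory's package list

# vr_lt A B: succeeds when version-release A sorts strictly before B.
# Assumption: GNU sort -V approximates RPM ordering (epochs are not handled).
vr_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# audit_xmlsec1: reads "name version-release" lines on stdin, prints every
# xmlsec1 package (or subpackage) older than FIXED_VR, returns 1 if any exist.
audit_xmlsec1() {
    local name vr rc=0
    while read -r name vr; do
        case "$name" in
            xmlsec1|xmlsec1-*) ;;      # the affected package and its subpackages
            *) continue ;;             # anything else is out of scope
        esac
        if vr_lt "$vr" "$FIXED_VR"; then
            echo "VULNERABLE $name $vr (fixed in $FIXED_VR)"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample inventory (not real host data): one patched package,
# one subpackage left on a made-up older build, one unrelated package.
sample_inventory() {
    printf '%s\n' \
        'xmlsec1 1.2.20-7.4.amzn1' \
        'xmlsec1-openssl 1.2.20-7.3.amzn1' \
        'libxml2 0.0.0-0.example'
}

# Offline demo on the constructed sample.
sample_inventory | audit_xmlsec1 || echo "Run: yum update xmlsec1"

# On a live host, feed the real inventory instead:
#   rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n' 'xmlsec1*' | audit_xmlsec1
```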