Wednesday, July 20, 2022

[USN-5525-1] Apache XML Security for Java vulnerability

==========================================================================
Ubuntu Security Notice USN-5525-1
July 20, 2022

libxml-security-java vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS

Summary:

Apache XML Security for Java could be made to expose sensitive information.

Software Description:
- libxml-security-java: Apache XML Security for Java

Details:

It was discovered that Apache XML Security for Java incorrectly passed a
configuration property when creating specific key elements. This allows an
attacker to abuse an XPath Transform to extract sensitive information.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 20.04 LTS:
libxml-security-java 2.0.10-2+deb11u1build0.20.04.1

Ubuntu 18.04 LTS:
libxml-security-java 2.0.10-2~18.04.1

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-5525-1
CVE-2021-40690


Package Information:
https://launchpad.net/ubuntu/+source/libxml-security-java/2.0.10-2+deb11u1build0.20.04.1
https://launchpad.net/ubuntu/+source/libxml-security-java/2.0.10-2~18.04.1
