xml-security-2.1.7-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:11693-1 Final 1 1 2024-06-15T00:00:00Z current 2024-06-15T00:00:00Z 2024-06-15T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z xml-security-2.1.7-1.1 on GA media These are all security issues fixed in the xml-security-2.1.7-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-11693 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2019-12400/ SUSE CVE CVE-2019-12400 page https://www.suse.com/security/cve/CVE-2021-40690/ SUSE CVE CVE-2021-40690 page openSUSE Tumbleweed xml-security-2.1.7-1.1 xml-security-javadoc-2.1.7-1.1 xml-security-2.1.7-1.1 as a component of openSUSE Tumbleweed xml-security-javadoc-2.1.7-1.1 as a component of openSUSE Tumbleweed In version 2.0.3 Apache Santuario XML Security for Java, a caching mechanism was introduced to speed up creating new XML documents using a static pool of DocumentBuilders. However, if some untrusted code can register a malicious implementation with the thread context class loader first, then this implementation might be cached and re-used by Apache Santuario - XML Security for Java, leading to potential security flaws when validating signed documents, etc. The vulnerability affects Apache Santuario - XML Security for Java 2.0.x releases from 2.0.3 and all 2.1.x releases before 2.1.4. CVE-2019-12400 openSUSE Tumbleweed:xml-security-2.1.7-1.1 openSUSE Tumbleweed:xml-security-javadoc-2.1.7-1.1 moderate 1.9 AV:L/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-12400.html CVE-2019-12400 All versions of Apache Santuario - XML Security for Java prior to 2.2.3 and 2.1.7 are vulnerable to an issue where the "secureValidation" property is not passed correctly when creating a KeyInfo from a KeyInfoReference element. This allows an attacker to abuse an XPath Transform to extract any local .xml files in a RetrievalMethod element. CVE-2021-40690 openSUSE Tumbleweed:xml-security-2.1.7-1.1 openSUSE Tumbleweed:xml-security-javadoc-2.1.7-1.1 moderate 5 AV:N/AC:L/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-40690.html CVE-2021-40690 https://bugzilla.suse.com/1193879 SUSE Bug 1193879