[USN-6274-1] XMLTooling vulnerability

Ian Constantin ian.constantin at canonical.com
Thu Aug 3 18:47:04 UTC 2023

Ubuntu Security Notice USN-6274-1
August 03, 2023

xmltooling vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.04 LTS (Available with Ubuntu Pro)


XMLTooling could be made to allow for unintended server side actions
if it received specially crafted input.

Software Description:
- xmltooling: C++ XML parsing library with encryption support


Jurien de Jong discovered that XMLTooling did not properly handle certain
KeyInfo element content within an XML signature. An attacker could possibly
use this issue to achieve server-side request forgery.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 16.04 LTS (Available with Ubuntu Pro):
   libxmltooling6v5                1.5.6-2ubuntu0.3+esm1

After a standard system update you need to restart the
shibd process to make all the necessary changes.
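
A way to confirm both steps above on a host, as an added example that is not part of the original notice: it compares the installed libxmltooling6v5 version with the fixed version and flags any running shibd that still maps the replaced library. Matching the library by the substring "libxmltooling" in /proc/<pid>/maps, the function names and the `--check` argument are assumptions of this example.

```shell
#!/bin/sh
# Added example: confirm the USN-6274-1 fix is installed and shibd was restarted.
PKG="libxmltooling6v5"            # package name from the notice
FIXED="1.5.6-2ubuntu0.3+esm1"     # fixed version from the notice

# Return 0 if version $1 is at or above the fixed version (Debian ordering).
is_fixed() {
    dpkg --compare-versions "$1" ge "$FIXED"
}

# Return 0 if the file $1 (same format as /proc/<pid>/maps) still maps a
# libxmltooling object that was replaced on disk, shown as "(deleted)".
# Assumption: the shared object's file name contains "libxmltooling".
maps_stale() {
    grep -E 'libxmltooling[^ ]* \(deleted\)$' "$1" >/dev/null 2>&1
}

# Check this host; returns non-zero if an update or a restart is still needed.
# Reading another user's /proc/<pid>/maps normally requires root.
check_host() {
    rc=0
    installed=$(dpkg-query -W -f='${Version}' "$PKG" 2>/dev/null) || installed=""
    if [ -z "$installed" ]; then
        echo "$PKG is not installed"
    elif is_fixed "$installed"; then
        echo "$PKG $installed includes the fix"
    else
        echo "$PKG $installed is older than $FIXED"
        rc=1
    fi
    for pid in $(pgrep -x shibd 2>/dev/null); do
        if maps_stale "/proc/$pid/maps"; then
            echo "shibd pid $pid still maps the old library: restart shibd"
            rc=1
        fi
    done
    return $rc
}

if [ "${1:-}" = "--check" ]; then
    check_host
fi
```

Run it as root with `--check`; a non-zero exit status means the package is still below the fixed version or shibd has not been restarted since the upgrade.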

