Aleksey Sanin

#48551 of 53,633
5.1 Total CVSS
Vulnerabilities · 1
PT-2011-1060
5.1
2011-04-03
Xslt · Libxslt · CVE-2011-1425
**Name of the Vulnerable Software and Affected Versions**

- xmlsec1 versions prior to 1.2.17
- xmlsec1-openssl versions 1.2.6 through 1.2.9
- xmlsec1-openssl-devel versions 1.2.6 through 1.2.9
- xmlsec1-gnutls versions 1.2.9
- xmlsec1-gnutls-devel versions 1.2.9
- xmlsec1-nss versions 1.2.9
- xmlsec1-nss-devel versions 1.2.9
- xmlsec1-devel versions 1.2.6 through 1.2.9

**Description**

The issue may lead to a breach of confidentiality, integrity, and availability of protected information. It can be exploited remotely. The vulnerability is related to the XSLT feature in the XML Security Library, which allows remote attackers to create or overwrite arbitrary files via vectors involving the libxslt output extension and a ds:Transform element during signature verification.

**Recommendations**

- For xmlsec1 versions prior to 1.2.17, update to version 1.2.17 or later.
- For xmlsec1-openssl versions 1.2.6 through 1.2.9, update to version 1.2.17 or later.
- For xmlsec1-openssl-devel versions 1.2.6 through 1.2.9, update to version 1.2.17 or later.
- For xmlsec1-gnutls versions 1.2.9, update to version 1.2.17 or later.
- For xmlsec1-gnutls-devel versions 1.2.9, update to version 1.2.17 or later.
- For xmlsec1-nss versions 1.2.9, update to version 1.2.17 or later.
- For xmlsec1-nss-devel versions 1.2.9, update to version 1.2.17 or later.
- For xmlsec1-devel versions 1.2.6 through 1.2.9, update to version 1.2.17 or later.

As a temporary workaround, consider disabling the XSLT feature until a patch is available.
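Because the issue is reached through a ds:Transform element processed during signature verification, an application can inspect the requested transforms before handing a document to the verifier. The following is an added example, not code from xmlsec or from this advisory; the allowlist policy, the function names and the sample documents are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
# XMLDSig algorithm identifier for the XSLT transform.
XSLT_TRANSFORM = "http://www.w3.org/TR/1999/REC-xslt-19991116"

# Assumed policy: only these transforms are accepted before verification.
ALLOWED_TRANSFORMS = {
    DS_NS + "enveloped-signature",
    "http://www.w3.org/2001/10/xml-exc-c14n#",
}

def disallowed_transforms(xml_text):
    """Return the Algorithm URI of every ds:Transform outside the allowlist."""
    # Untrusted XML should be parsed with a hardened parser in production.
    root = ET.fromstring(xml_text)
    return [
        t.get("Algorithm", "")
        for t in root.iter("{%s}Transform" % DS_NS)
        if t.get("Algorithm", "") not in ALLOWED_TRANSFORMS
    ]

def safe_to_verify(xml_text):
    """True only if no signature in the document requests a disallowed transform."""
    return not disallowed_transforms(xml_text)

def _signed_doc(transform_alg):
    # Constructed sample: skeleton of a signed document, digest and
    # signature values omitted because only the transforms are inspected.
    return f"""<Doc xmlns:ds="{DS_NS}">
  <ds:Signature><ds:SignedInfo><ds:Reference URI="">
    <ds:Transforms>
      <ds:Transform Algorithm="{DS_NS}enveloped-signature"/>
      <ds:Transform Algorithm="{transform_alg}"/>
    </ds:Transforms>
  </ds:Reference></ds:SignedInfo></ds:Signature>
</Doc>"""

SAMPLE_OK = _signed_doc("http://www.w3.org/2001/10/xml-exc-c14n#")
SAMPLE_XSLT = _signed_doc(XSLT_TRANSFORM)

if __name__ == "__main__":
    for name, doc in (("ok", SAMPLE_OK), ("xslt", SAMPLE_XSLT)):
        print(name, safe_to_verify(doc), disallowed_transforms(doc))
```

A check like this complements the update to 1.2.17 or later; it does not replace it.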