[BSA-041] Security Update for xml-security-c

2011-08-08T10:03:32
ID DEBIAN:BSA-041:43130
Type debian
Reporter Debian
Modified 2011-08-08T10:03:32

Description

Russ Allbery uploaded new packages for xml-security-c which fixed the following security problems:

CVE-2011-2516

It has been discovered that xml-security-c, an implementation of the
XML Digital Signature and Encryption specifications, is not properly
handling RSA keys of sizes on the order of 8192 or more bits.  This
allows an attacker to crash applications using this functionality or
potentially execute arbitrary code by tricking an application into
verifying a signature created with a sufficiently long RSA key.

For the lenny-backports distribution, this problem has been fixed in 1.5.1-3+squeeze1~bpo50+1.

We recommend that you upgrade your xml-security-c packages.

If you don't use pinning (see [1]) you have to update the package manually via "apt-get -t lenny-backports install <packagelist>" with the packagelist of your installed packages affected by this update. [1] <http://backports.debian.org/Instructions>

We recommend to pin (in /etc/apt/preferences) the backports repository to 200 so that new versions of installed backports will be installed automatically.

Package: * Pin: release a=lenny-backports Pin-Priority: 200