[Backports-security-announce] Security update for opensaml and shibboleth-sp

2009-09-29T21:46:53
ID DEBIAN:D171874386B8CC2C38A91DDA368D2E15:26003
Type debian
Reporter Debian
Modified 2009-09-29T21:46:53

Description

Russ Allbery uploaded new packages for opensaml and shibboleth-sp which fixed the following security problems:

DSA-1896-1

Several vulnerabilities have been discovered in the opensaml and
shibboleth-sp packages, as used by Shibboleth 1.x:

* Chris Ries discovered that decoding a crafted URL leads to a crash
  (and potentially, arbitrary code execution).

* Ian Young discovered that embedded NUL characters in certificate
  names were not correctly handled, exposing configurations using PKIX
  trust validation to impersonation attacks.

For the etch-backports distribution the problems have been fixed in version 1.3.1.dfsg1-3+lenny1~bpo40+1 of the shibboleth-sp packages, and version 1.1.1-2+lenny1~bpo40+1 of the opensaml packages.

For the old stable distribution (etch), these problems have been fixed in version 1.3f.dfsg1-2+etch1 of the shibboleth-sp packages, and version 1.1a-2+etch1 of the opensaml packages.

For the stable distribution (lenny), these problems have been fixed in version 1.3.1.dfsg1-3+lenny1 of the shibboleth-sp packages, and version 1.1.1-2+lenny1 of the opensaml packages.

The unstable distribution (sid) does not contain Shibboleth 1.x packages.

This update requires restarting the affected services (mainly Apache) to become effective.

Upgrade instructions

If you don't use pinning (http://backports.org/dokuwiki/doku.php?id=instructions), you have to update the packages manually with apt-get -t etch-backports install <packagename>.

We recommend pinning the backports repository at priority 200 so that new versions of installed backports are installed automatically.

Package: *
Pin: release a=etch-backports
Pin-Priority: 200
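The fixed versions above only protect a host if the installed package sorts at or above them under Debian's version ordering, and the "~bpo40+1" suffix is what makes the backport sort below the plain lenny version (so a later dist-upgrade still replaces it). The following is an added example, not part of this announcement or of the Debian tooling: it re-implements dpkg's comparison rules (epoch, upstream version, revision; "~" sorts before anything, including the empty string) in pure Python so the check runs without dpkg, and carries the fixed versions named above in a table. On a real system, `dpkg --compare-versions` and `dpkg-query` are the tools to use instead.

```python
"""Check whether an installed shibboleth-sp/opensaml version is at or above
the fixed version given in the announcement, using a re-implementation of
Debian's version comparison rules.  Added example; FIXED is copied from the
announcement text, everything else is illustrative code."""

# Fixed versions named in the announcement, keyed by suite and package.
FIXED = {
    "etch-backports": {
        "shibboleth-sp": "1.3.1.dfsg1-3+lenny1~bpo40+1",
        "opensaml": "1.1.1-2+lenny1~bpo40+1",
    },
    "etch": {
        "shibboleth-sp": "1.3f.dfsg1-2+etch1",
        "opensaml": "1.1a-2+etch1",
    },
    "lenny": {
        "shibboleth-sp": "1.3.1.dfsg1-3+lenny1",
        "opensaml": "1.1.1-2+lenny1",
    },
}


def _order(c):
    """Sort weight of one character: digits 0, '~' below everything (even
    end-of-string), letters by code point, other punctuation above letters."""
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256 if c else 0


def _verrevcmp(a, b):
    """Compare two version fragments (upstream part or Debian revision) the
    way dpkg does: alternating runs of non-digits and digits."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: compare character by character with _order().
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: drop leading zeros; the longer number wins, otherwise
        # the first differing digit decides.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if first_diff == 0:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version):
    """Split 'epoch:upstream-revision'; a missing epoch is 0 and a missing
    revision is treated as '0', as Debian Policy specifies."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    upstream, sep, revision = version.rpartition("-")
    if not sep:
        upstream, revision = version, "0"
    return epoch, upstream, revision


def compare_versions(v1, v2):
    """Return -1, 0 or 1 as v1 is older than, equal to or newer than v2."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    for x, y in ((u1, u2), (r1, r2)):
        diff = _verrevcmp(x, y)
        if diff:
            return -1 if diff < 0 else 1
    return 0


def is_fixed(suite, package, installed):
    """True if the installed version is at or above the announcement's fixed
    version for that suite and package."""
    return compare_versions(installed, FIXED[suite][package]) >= 0


if __name__ == "__main__":
    # Constructed inputs: the backport sorts below the plain lenny version
    # because '~' sorts before end-of-string, so a dist-upgrade to lenny
    # still replaces it; an older ~bpo40+1 build is reported as unfixed.
    bpo = FIXED["etch-backports"]["shibboleth-sp"]
    lenny = FIXED["lenny"]["shibboleth-sp"]
    print(compare_versions(bpo, lenny))                                        # -1
    print(is_fixed("etch-backports", "shibboleth-sp", "1.3.1.dfsg1-3~bpo40+1"))  # False
```

The three-way result mirrors `dpkg --compare-versions`' lt/eq/gt; feeding it the output of `dpkg-query -W -f '${Version}' shibboleth-sp` on the host gives the same verdict the package manager would reach.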

-- Russ Allbery (rra@debian.org) <http://www.eyrie.org/~eagle/>