Russ Allbery uploaded new packages for opensaml and shibboleth-sp which fixed the following security problems:
Several vulnerabilities have been discovered in the opensaml and shibboleth-sp packages, as used by Shibboleth 1.x:

* Chris Ries discovered that decoding a crafted URL leads to a crash (and potentially, arbitrary code execution).

* Ian Young discovered that embedded NUL characters in certificate names were not correctly handled, exposing configurations using PKIX trust validation to impersonation attacks.
For the etch-backports distribution the problems have been fixed in version 1.3.1.dfsg1-3+lenny1~bpo40+1 of the shibboleth-sp packages, and version 1.1.1-2+lenny1~bpo40+1 of the opensaml packages.
For the old stable distribution (etch), these problems have been fixed in version 1.3f.dfsg1-2+etch1 of the shibboleth-sp packages, and version 1.1a-2+etch1 of the opensaml packages.
For the stable distribution (lenny), these problems have been fixed in version 1.3.1.dfsg1-3+lenny1 of the shibboleth-sp packages, and version 1.1.1-2+lenny1 of the opensaml packages.
The unstable distribution (sid) does not contain Shibboleth 1.x packages.
This update requires restarting the affected services to take effect: mainly Apache, but also the shibd daemon, which links the same updated libraries.
If you do not use pinning (http://backports.org/dokuwiki/doku.php?id=instructions), you have to update the packages manually with: apt-get -t etch-backports install <packagename>
We recommend pinning the backports repository at priority 200 so that new versions of installed backports are installed automatically. For etch-backports, the suite this update is for, add the following to /etc/apt/preferences:

Package: *
Pin: release a=etch-backports
Pin-Priority: 200
-- 
Russ Allbery (firstname.lastname@example.org) <http://www.eyrie.org/~eagle/>

Attachment: pgpNeqBtOS5Ch.pgp (PGP signature)