[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

[BSA-041] Security Update for xml-security-c



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Russ Allbery uploaded new packages for xml-security-c which fixed the
following security problems:

CVE-2011-2516

    It has been discovered that xml-security-c, an implementation of the
    XML Digital Signature and Encryption specifications, is not properly
    handling RSA keys of sizes on the order of 8192 or more bits.  This
    allows an attacker to crash applications using this functionality or
    potentially execute arbitrary code by tricking an application into
    verifying a signature created with a sufficiently long RSA key.

For the lenny-backports distribution, this problem has been fixed in
1.5.1-3+squeeze1~bpo50+1.

We recommend that you upgrade your xml-security-c packages.

If you don't use pinning (see [1]) you have to update the package
manually via "apt-get -t lenny-backports install <packagelist>" with
the packagelist of your installed packages affected by this update.
[1] <http://backports.debian.org/Instructions>

We recommend to pin (in /etc/apt/preferences) the backports repository to
200 so that new versions of installed  backports will be installed
automatically. 

  Package: *
  Pin: release a=lenny-backports
  Pin-Priority: 200
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iQEcBAEBCAAGBQJOPMQGAAoJEH2AMVxXNt51ZgMH/RLf6ZeTo2Lm5deQr1Dv9RQZ
/ul4zAarcfzT+FRPC3ijtHcQuEdc4jiSwGhhc6lWCNMVYnYCC5+FdQje88ATLMDX
O26HpiLEuWJnHcQkcEE4LI0FPjQBiE444BskXkJsYuwCAcW2V+RgsAhXgtcEnq7I
E111sqAjxbxEMimyCxdNifM1ryKiAbM3PuXf8fv0asCrJHd86LaG14YYwib3bQQS
d+hIelyDMeYXEH0CibzMEckWTi+HOAguTq5HdyQ+OD8749LgnXZzjDzC+KGYbmDw
k/1Ip/sC2MfEvXzlp2RHzxaVs8VNkUhR2VjFZEmasVCRtkGzVTAVtBYdK5x+Gd0=
=GlEV
-----END PGP SIGNATURE-----


Reply to: