
[Backports-security-announce] Security update for opensaml and shibboleth-sp



Russ Allbery uploaded new packages for opensaml and shibboleth-sp which
fixed the following security problems:
  
DSA-1896-1

    Several vulnerabilities have been discovered in the opensaml and
    shibboleth-sp packages, as used by Shibboleth 1.x:

    * Chris Ries discovered that decoding a crafted URL leads to a crash
      (and potentially, arbitrary code execution).
    
    * Ian Young discovered that embedded NUL characters in certificate
      names were not correctly handled, exposing configurations using PKIX
      trust validation to impersonation attacks.

For the etch-backports distribution the problems have been fixed in
version 1.3.1.dfsg1-3+lenny1~bpo40+1 of the shibboleth-sp packages, and
version 1.1.1-2+lenny1~bpo40+1 of the opensaml packages.

For the old stable distribution (etch), these problems have been fixed in
version 1.3f.dfsg1-2+etch1 of the shibboleth-sp packages, and version
1.1a-2+etch1 of the opensaml packages.

For the stable distribution (lenny), these problems have been fixed in
version 1.3.1.dfsg1-3+lenny1 of the shibboleth-sp packages, and version
1.1.1-2+lenny1 of the opensaml packages.

The unstable distribution (sid) does not contain Shibboleth 1.x packages.

This update requires restarting the affected services (mainly Apache) to
become effective.

Upgrade instructions
--------------------
  
If you don't use pinning
(http://backports.org/dokuwiki/doku.php?id=instructions), you have to
update the packages manually via apt-get -t etch-backports install
<packagename>.
  
We recommend pinning the backports repository to 200 so that new versions
of installed backports are installed automatically.
  
    Package: *
    Pin: release a=etch-backports
    Pin-Priority: 200

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>
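
Added example, not part of the original announcement and not code from opensaml or shibboleth-sp: it illustrates the general class of flaw behind the second item above, where a certificate name containing an embedded NUL is compared as a C string, next to a length-aware check that rejects it. The struct, function names and host names are hypothetical, and that the mishandling takes the form of a C-string comparison is an assumption.

```c
#include <stdio.h>
#include <string.h>

/* A certificate name as decoded from ASN.1: raw bytes plus explicit length.
 * Assumption for this sketch: the buffer is also NUL-terminated. */
struct cert_name {
    const char *data;
    size_t len;
};

/* Flawed: treats the name as a C string, so comparison stops at the first NUL. */
int match_cstring(const struct cert_name *name, const char *expected)
{
    return strcmp(name->data, expected) == 0;
}

/* Hardened: reject any embedded NUL, then compare over the full decoded length. */
int match_length_aware(const struct cert_name *name, const char *expected)
{
    size_t elen = strlen(expected);

    if (memchr(name->data, '\0', name->len) != NULL)
        return 0;                     /* malformed name: never trust it */
    return name->len == elen && memcmp(name->data, expected, elen) == 0;
}

/* Constructed sample names (hypothetical hosts, not taken from the advisory). */
static const char good_bytes[] = "idp.example.org";
static const char nul_bytes[]  = "idp.example.org\0.other.example.net";

const struct cert_name good_name = { good_bytes, sizeof good_bytes - 1 };
const struct cert_name nul_name  = { nul_bytes,  sizeof nul_bytes - 1 };

int main(void)
{
    const char *expected = "idp.example.org";

    printf("clean name:   cstring=%d length-aware=%d\n",
           match_cstring(&good_name, expected),
           match_length_aware(&good_name, expected));
    printf("NUL in name:  cstring=%d length-aware=%d\n",
           match_cstring(&nul_name, expected),
           match_length_aware(&nul_name, expected));
    return 0;
}
```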
