Russ Allbery uploaded new packages for opensaml and shibboleth-sp which fix
the following security problems:

DSA-1896-1

Several vulnerabilities have been discovered in the opensaml and
shibboleth-sp packages, as used by Shibboleth 1.x:

* Chris Ries discovered that decoding a crafted URL leads to a crash
  (and potentially, arbitrary code execution).

* Ian Young discovered that embedded NUL characters in certificate
  names were not correctly handled, exposing configurations using
  PKIX trust validation to impersonation attacks.

For the etch-backports distribution the problems have been fixed in
version 1.3.1.dfsg1-3+lenny1~bpo40+1 of the shibboleth-sp packages, and
version 1.1.1-2+lenny1~bpo40+1 of the opensaml packages.

For the old stable distribution (etch), these problems have been fixed in
version 1.3f.dfsg1-2+etch1 of the shibboleth-sp packages, and
version 1.1a-2+etch1 of the opensaml packages.

For the stable distribution (lenny), these problems have been fixed in
version 1.3.1.dfsg1-3+lenny1 of the shibboleth-sp packages, and
version 1.1.1-2+lenny1 of the opensaml packages.

The unstable distribution (sid) does not contain Shibboleth 1.x packages.

This update requires restarting the affected services (mainly Apache) to
become effective.

Upgrade instructions
--------------------

If you don't use pinning (http://backports.org/dokuwiki/doku.php?id=instructions)
you have to update the package manually via
apt-get -t etch-backports install <packagename>.

We recommend pinning the backports repository to 200 so that new versions
of installed backports will be installed automatically.

Package: *
Pin: release a=lenny-backports
Pin-Priority: 200

-- 
Russ Allbery (rra@debian.org)             <http://www.eyrie.org/~eagle/>
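The second item above names only the symptom (embedded NUL characters in certificate names mishandled, leading to impersonation under PKIX trust). The example below is added here to show the general bug class that description points at; it is not Shibboleth or OpenSAML code and does not claim to reproduce their exact code path. The assumption, labelled in the comments, is the classic one: a DER string value is length-prefixed and may legally contain a NUL, but once it is copied into a C string and compared with strcmp-style logic, everything after the NUL disappears, so a name such as "idp.example.edu\0.attacker.example" (which a CA might issue to whoever controls attacker.example) compares equal to "idp.example.edu". The DER helper, the name values and the check routines are all constructed for this illustration.

```python
# Added example, not from the advisory or from Shibboleth/OpenSAML:
# an embedded NUL in a DER-encoded certificate name against a
# length-unaware (C-string) comparison, and the length-aware check
# that rejects it. The exact code path in the affected packages is
# not known from the advisory; this models the general bug class.

NUL = b"\x00"


def der_utf8string(value: bytes) -> bytes:
    """Encode a short-form DER UTF8String TLV (tag 0x0C, length < 128).
    DER is length-prefixed, so a NUL inside the value is legal at this level."""
    if len(value) >= 0x80:
        raise ValueError("only short-form lengths handled here")
    return b"\x0c" + bytes([len(value)]) + value


def der_string_value(tlv: bytes) -> bytes:
    """Return the contents of a single short-form DER UTF8String or
    PrintableString TLV, using the encoded length rather than any terminator."""
    if len(tlv) < 2:
        raise ValueError("truncated TLV")
    tag, length = tlv[0], tlv[1]
    if tag not in (0x0C, 0x13):  # UTF8String, PrintableString
        raise ValueError(f"unexpected tag 0x{tag:02x}")
    if length >= 0x80 or len(tlv) != 2 + length:
        raise ValueError("only exact-length short-form TLVs handled here")
    return tlv[2:]


def c_string_view(value: bytes) -> bytes:
    """What a C-string consumer sees: everything after the first NUL is gone."""
    nul = value.find(NUL)
    return value if nul < 0 else value[:nul]


def name_matches_vulnerable(cn_tlv: bytes, expected: str) -> bool:
    """Assumed vulnerable pattern: DER value copied into a C string and
    compared strcmp-style, so a trailing "\\0.attacker.example" is invisible."""
    return c_string_view(der_string_value(cn_tlv)) == expected.encode("ascii")


def name_matches_fixed(cn_tlv: bytes, expected: str) -> bool:
    """Hardened check: refuse any name containing a NUL, and compare the
    full length-prefixed value, never a terminator-delimited view of it."""
    value = der_string_value(cn_tlv)
    if NUL in value:
        return False
    return value == expected.encode("ascii")


# Constructed sample names for the demonstration.
EXPECTED_PEER = "idp.example.edu"
HONEST_CN = der_utf8string(b"idp.example.edu")
SPOOFED_CN = der_utf8string(b"idp.example.edu" + NUL + b".attacker.example")


def demo() -> dict:
    """Run both checks against both names; the spoofed name should pass only
    the vulnerable comparison."""
    return {
        "honest_vulnerable": name_matches_vulnerable(HONEST_CN, EXPECTED_PEER),
        "spoofed_vulnerable": name_matches_vulnerable(SPOOFED_CN, EXPECTED_PEER),
        "honest_fixed": name_matches_fixed(HONEST_CN, EXPECTED_PEER),
        "spoofed_fixed": name_matches_fixed(SPOOFED_CN, EXPECTED_PEER),
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check:20s} {'ACCEPTED' if outcome else 'rejected'}")
```

The fixed check treats a NUL as a hard failure rather than something to strip: a name that carries one was not issued in good faith for any hostname, and silently comparing the pre-NUL prefix is exactly the behaviour an attacker relies on.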