[Backports-security-announce] Security Update for Shibboleth packages

To: backports-security-announce@lists.backports.org
Subject: [Backports-security-announce] Security Update for Shibboleth packages
From: Russ Allbery <rra@debian.org>
Date: Mon, 07 Dec 2009 19:01:09 -0800
Message-id: <[🔎] 87tyw25fuy.fsf@windlord.stanford.edu>
Reply-to: backports-users@lists.backports.org

Russ Allbery uploaded new packages for xmltooling, opensaml2,
shibboleth-sp2, and shibboleth-sp which fixed the following security
problems:
  
CVE-2009-3300

    The Shibboleth software includes code to perform arbitrary
    redirections and generates forms containing arbitrary destinations in
    certain cases.  The URLs used were not properly checked for certain
    kinds of cross-site scripting (XSS) attacks and are vulnerable to
    script injection and some related vulnerabilities.

    See http://shibboleth.internet2.edu/secadv/secadv_20091104.txt

The fix for the lenny-backports distribution requires updating all of
xmltooling, opensaml2, and shibboleth-sp2.  The problems have been fixed
in xmltooling 1.3.1-1~bpo50+1, opensaml2 2.3-1~bpo50+2, and shibboleth-sp2
2.3+dfsg-1~bpo50+1.

For the unstable and testing distributions, the problems have been fixed
in xmltooling 1.3.1-1, opensaml2 2.3-1, and shibboleth-sp2 2.3+dfsg-1.

For the stable (lenny) distribution, the problems have been fixed in
opensaml2 2.0-2+lenny2 and shibboleth-sp2 2.0.dfsg1-4+lenny2.  No update
to xmltooling is required for the stable distribution.

The older Shibboleth 1.x implementation which shipped with lenny and etch
is also affected.  For the etch-backports distribution, the problems have
been fixed in shibboleth-sp 1.3.1.dfsg1-3+lenny2~bpo40+1.

For the stable (lenny) distribution, the problems have been fixed in
shibboleth-sp 1.3.1.dfsg1-3+lenny2.

For the oldstable (etch) distribution, the problems have been fixed in
1.3f.dfsg1-2+etch2.
  
Upgrade instructions
--------------------

If you don't use pinning (see [1]) you have to update the package
manually via "apt-get -t lenny-backports install <packagelist>" with
the packagelist of your installed packages affected by this update.

We recommend to pin the backports repository to 200 so that new
versions of installed  backports will be installed automatically. 

  Package: *
  Pin: release a=lenny-backports
  Pin-Priority: 200

[1] <http://backports.org/dokuwiki/doku.php?id=instructions>

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>

Attachment: pgpsAAUkQVn4q.pgp
Description: PGP signature

Reply to:

Prev by Date: [Backports-security-announce] Security Update for dovecot
Previous by thread: [Backports-security-announce] Security Update for dovecot
Index(es):
- Date
- Thread