Russ Allbery uploaded new packages for xmltooling, opensaml2, shibboleth-sp2, and shibboleth-sp which fix the following security problem:

CVE-2009-3300

The Shibboleth software includes code to perform arbitrary redirections and generates forms containing arbitrary destinations in certain cases. The URLs used were not properly checked for certain kinds of cross-site scripting (XSS) attacks and are vulnerable to script injection and some related vulnerabilities.

See http://shibboleth.internet2.edu/secadv/secadv_20091104.txt

The fix for the lenny-backports distribution requires updating all of xmltooling, opensaml2, and shibboleth-sp2. The problems have been fixed in xmltooling 1.3.1-1~bpo50+1, opensaml2 2.3-1~bpo50+2, and shibboleth-sp2 2.3+dfsg-1~bpo50+1.

For the unstable and testing distributions, the problems have been fixed in xmltooling 1.3.1-1, opensaml2 2.3-1, and shibboleth-sp2 2.3+dfsg-1.

For the stable (lenny) distribution, the problems have been fixed in opensaml2 2.0-2+lenny2 and shibboleth-sp2 2.0.dfsg1-4+lenny2. No update to xmltooling is required for the stable distribution.

The older Shibboleth 1.x implementation (shibboleth-sp) which shipped with lenny and etch is also affected. For the etch-backports distribution, the problems have been fixed in shibboleth-sp 1.3.1.dfsg1-3+lenny2~bpo40+1. For the stable (lenny) distribution, the problems have been fixed in shibboleth-sp 1.3.1.dfsg1-3+lenny2. For the oldstable (etch) distribution, the problems have been fixed in shibboleth-sp 1.3f.dfsg1-2+etch2.

Upgrade instructions
--------------------

If you don't use pinning (see [1]) you have to update the packages manually via "apt-get -t lenny-backports install <packagelist>", where <packagelist> is the list of installed packages affected by this update. We recommend pinning the backports repository to 200 so that new versions of installed backports will be installed automatically:

Package: *
Pin: release a=lenny-backports
Pin-Priority: 200

[1] <http://backports.org/dokuwiki/doku.php?id=instructions>

-- 
Russ Allbery (rra@debian.org)             <http://www.eyrie.org/~eagle/>