[Backports-security-announce] Security Update for Shibboleth packages

Russ Allbery uploaded new packages for xmltooling, opensaml2,
shibboleth-sp2, and shibboleth-sp which fixed the following security
problems:
  
CVE-2009-3300

    The Shibboleth software includes code to perform arbitrary
    redirections and generates forms containing arbitrary destinations in
    certain cases.  The URLs used were not properly checked for certain
    kinds of cross-site scripting (XSS) attacks and are vulnerable to
    script injection and some related vulnerabilities.

    See http://shibboleth.internet2.edu/secadv/secadv_20091104.txt

The fix for the lenny-backports distribution requires updating all of
xmltooling, opensaml2, and shibboleth-sp2.  The problems have been fixed
in xmltooling 1.3.1-1~bpo50+1, opensaml2 2.3-1~bpo50+2, and shibboleth-sp2
2.3+dfsg-1~bpo50+1.

For the unstable and testing distributions, the problems have been fixed
in xmltooling 1.3.1-1, opensaml2 2.3-1, and shibboleth-sp2 2.3+dfsg-1.

For the stable (lenny) distribution, the problems have been fixed in
opensaml2 2.0-2+lenny2 and shibboleth-sp2 2.0.dfsg1-4+lenny2.  No update
to xmltooling is required for the stable distribution.

The older Shibboleth 1.x implementation which shipped with lenny and etch
is also affected.  For the etch-backports distribution, the problems have
been fixed in shibboleth-sp 1.3.1.dfsg1-3+lenny2~bpo40+1.

For the stable (lenny) distribution, the problems have been fixed in
shibboleth-sp 1.3.1.dfsg1-3+lenny2.

For the oldstable (etch) distribution, the problems have been fixed in
shibboleth-sp 1.3f.dfsg1-2+etch2.
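As an added example (not part of this announcement and not Debian tooling), the following Python re-implements dpkg's version ordering so that the version reported by `dpkg -l` can be checked against the fixed versions quoted above; the FIXED table copies the lenny-backports and etch-backports versions from this mail, and the `~bpo` suffix is what makes a backport sort below the corresponding unstable package.

```python
FIXED = {  # added example, not the advisory's code; values copied from the announcement above
    ("lenny-backports", "xmltooling"): "1.3.1-1~bpo50+1",
    ("lenny-backports", "opensaml2"): "2.3-1~bpo50+2",
    ("lenny-backports", "shibboleth-sp2"): "2.3+dfsg-1~bpo50+1",
    ("etch-backports", "shibboleth-sp"): "1.3.1.dfsg1-3+lenny2~bpo40+1",
}

def _order(c):
    # dpkg character weights: '~' sorts before anything, even the end of the string (0)
    return -1 if c == "~" else 0 if c.isdigit() else ord(c) if c.isalpha() else ord(c) + 256

def _verrevcmp(a, b):
    # One version part (upstream or revision), compared with dpkg's algorithm.
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # non-digit run: compared character by character with the weights above
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        # digit run: leading zeros dropped, longer number wins, else the first differing digit
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            first_diff = first_diff or ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0

def compare_versions(v1, v2):
    # Like `dpkg --compare-versions` (epochs ignored: none of these versions carry one).
    u1, _, r1 = v1.rpartition("-") if "-" in v1 else (v1, "", "")
    u2, _, r2 = v2.rpartition("-") if "-" in v2 else (v2, "", "")
    return _verrevcmp(u1, u2) or _verrevcmp(r1, r2)

def is_fixed(suite, package, installed):
    # True when the installed version is at or above the fix for that suite.
    return compare_versions(installed, FIXED[(suite, package)]) >= 0
```

Note that a backport one `~bpoNN+M` revision behind the fix (for example opensaml2 2.3-1~bpo50+1) is still reported as vulnerable, while the plain unstable version sorts above its backport and passes.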
  
Upgrade instructions
--------------------

If you don't use pinning (see [1]) you have to update the packages
manually via "apt-get -t lenny-backports install <packagelist>", where
<packagelist> is the list of your installed packages affected by this update.

We recommend pinning the backports repository to 200 so that new
versions of installed backports are installed automatically.

  Package: *
  Pin: release a=lenny-backports
  Pin-Priority: 200

[1] <http://backports.org/dokuwiki/doku.php?id=instructions>

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>
