  • [SECURITY] [DSA 1849-1] New xml-security-c packages fix signature forge

    From Florian Weimer@1:229/2 to All on Sun Aug 2 15:50:11 2009
    From: [email protected]

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    - ------------------------------------------------------------------------
    Debian Security Advisory DSA-1849-1                     [email protected]
    http://www.debian.org/security/                           Florian Weimer
    August 02, 2009                       http://www.debian.org/security/faq
    - ------------------------------------------------------------------------

    Package : xml-security-c
    Vulnerability : design flaw
    Problem type : local (remote)
    Debian-specific: no
    CVE Id(s) : CVE-2009-0217
    CERT advisory : VU#466161

    It was discovered that the W3C XML Signature recommendation contains a
    protocol-level vulnerability related to HMAC output truncation. This
    update implements the proposed workaround in the C++ version of the
    Apache implementation of this standard, xml-security-c, by preventing
    truncation to output strings shorter than 80 bits or half of the
    original HMAC output, whichever is greater.

    For the old stable distribution (etch), this problem has been fixed in
    version 1.2.1-3+etch1.

    For the stable distribution (lenny), this problem has been fixed in
    version 1.4.0-3+lenny2.

    For the unstable distribution (sid), this problem has been fixed in
    version 1.4.0-4.

    We recommend that you upgrade your xml-security-c packages.

    Upgrade instructions
    - --------------------

    wget url
            will fetch the file for you
    dpkg -i file.deb
            will install the referenced file.

    If you are using the apt-get package manager, use the line for
    sources.list as given below:

    apt-get update
            will update the internal database
    apt-get upgrade
            will install corrected packages

    You may use an automated update by adding the resources from the
    footer to the proper configuration.


    Debian GNU/Linux 4.0 alias etch
    - -------------------------------

    [continued in next message]

    --- SoupGate-Win32 v1.05
    * Origin: you cannot sedate... all the things you hate (1:229/2)
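
The truncation floor described in the advisory ("80 bits or half of the original HMAC output, whichever is greater"), written out as an added example; it is not part of the original post and not xml-security-c code. The function names, the key and the SignedInfo bytes are constructed for illustration, and rejecting lengths that are not a multiple of 8 bits is a simplification made here.

```python
import hmac
import xml.etree.ElementTree as ET

DSIG = "http://www.w3.org/2000/09/xmldsig#"
MORE = "http://www.w3.org/2001/04/xmldsig-more#"
# SignatureMethod URI -> (hashlib name, full HMAC output in bits)
HMAC_ALGS = {
    DSIG + "hmac-sha1": ("sha1", 160),
    MORE + "hmac-sha256": ("sha256", 256),
    MORE + "hmac-sha512": ("sha512", 512),
}
# Constructed sample data, not taken from the advisory.
KEY = b"constructed-demo-key"
SIGNED_INFO = b"<SignedInfo>constructed canonical bytes</SignedInfo>"

def min_output_bits(full_bits):
    """Floor from the advisory: 80 bits or half the HMAC output, whichever is greater."""
    return max(80, full_bits // 2)

def verify_hmac(signature_method_xml, key, signed_info, tag):
    """Return True only for a correct HMAC tag whose declared length meets the floor."""
    method = ET.fromstring(signature_method_xml)
    alg = HMAC_ALGS.get(method.get("Algorithm"))
    if alg is None:
        return False                      # unknown algorithm: fail closed
    name, full_bits = alg
    length_el = method.find("{%s}HMACOutputLength" % DSIG)
    try:
        bits = full_bits if length_el is None else int(length_el.text.strip())
    except (AttributeError, ValueError):
        return False                      # empty or non-numeric HMACOutputLength
    # The length comes from the (untrusted) document, so check it before comparing.
    if bits < min_output_bits(full_bits) or bits > full_bits or bits % 8:
        return False
    expected = hmac.new(key, signed_info, name).digest()[: bits // 8]
    return hmac.compare_digest(expected, tag)

def method_xml(alg_uri, bits=None):
    """Build a constructed <SignatureMethod> element, optionally with HMACOutputLength."""
    inner = "" if bits is None else "<HMACOutputLength>%d</HMACOutputLength>" % bits
    return '<SignatureMethod xmlns="%s" Algorithm="%s">%s</SignatureMethod>' % (DSIG, alg_uri, inner)

def tag_for(name, bits):
    """Correctly keyed tag truncated to `bits`, as a legitimate signer would produce."""
    return hmac.new(KEY, SIGNED_INFO, name).digest()[: bits // 8]

if __name__ == "__main__":
    for bits in (None, 80, 8, 0):
        tag = tag_for("sha1", 160 if bits is None else bits)
        print(bits, verify_hmac(method_xml(DSIG + "hmac-sha1", bits), KEY, SIGNED_INFO, tag))
```

Even a correctly keyed tag is refused when its declared length is under the floor, because a verifier that honours a short `HMACOutputLength` only ever compares that many bits.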