From:
[email protected]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- ------------------------------------------------------------------------
Debian Security Advisory DSA-1947-1                  [email protected]
http://www.debian.org/security/                      Moritz Muehlenhoff
December 07, 2009                     http://www.debian.org/security/faq
- ------------------------------------------------------------------------
Package : shibboleth-sp, shibboleth-sp2, opensaml2
Vulnerability : missing input sanitising
Problem type : remote
Debian-specific: no
CVE Id(s) : CVE-2009-3300
Matt Elder discovered that Shibboleth, a federated web single sign-on
system, is vulnerable to script injection through redirection URLs. More
details can be found in the Shibboleth advisory at
http://shibboleth.internet2.edu/secadv/secadv_20091104.txt
For the old stable distribution (etch), this problem has been fixed in
version 1.3f.dfsg1-2+etch2 of shibboleth-sp.
For the stable distribution (lenny), this problem has been fixed in
version 1.3.1.dfsg1-3+lenny2 of shibboleth-sp, version 2.0.dfsg1-4+lenny2
of shibboleth-sp2 and version 2.0-2+lenny2 of opensaml2.
For the unstable distribution (sid), this problem has been fixed in
version 2.3+dfsg-1 of shibboleth-sp2, version 2.3-1 of opensaml2 and
version 1.3.1-1 of xmltooling.
We recommend that you upgrade your Shibboleth packages.
Upgrade instructions
- --------------------
wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
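Added example, not part of the Debian advisory: a Python check that compares installed source-package versions against the fixed versions listed above, using a small reimplementation of dpkg's version ordering. The inventory format, the function names and the sample host are assumptions made for this illustration.

```python
import re

# Fixed versions per release, copied from the advisory (source package names).
FIXED = {
    "etch": {"shibboleth-sp": "1.3f.dfsg1-2+etch2"},
    "lenny": {"shibboleth-sp": "1.3.1.dfsg1-3+lenny2",
              "shibboleth-sp2": "2.0.dfsg1-4+lenny2",
              "opensaml2": "2.0-2+lenny2"},
    "sid": {"shibboleth-sp2": "2.3+dfsg-1", "opensaml2": "2.3-1",
            "xmltooling": "1.3.1-1"},
}

def _order(c):
    # '~' sorts before the end of the string; letters before other characters.
    special = {"~": -1, "": 0}
    return special[c] if c in special else ord(c) + (0 if c.isalpha() else 256)

def _cmp_part(a, b):
    # Walk alternating non-digit and digit runs, the way dpkg orders versions.
    while a or b:
        na, nb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        a, b = a[len(na):], b[len(nb):]
        for i in range(max(len(na), len(nb))):
            d = _order(na[i:i + 1]) - _order(nb[i:i + 1])
            if d:
                return -1 if d < 0 else 1
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        a, b = a[len(da):], b[len(db):]
        x, y = int(da or 0), int(db or 0)
        if x != y:
            return -1 if x < y else 1
    return 0

def compare_versions(v1, v2):
    # -1, 0 or 1 for two [epoch:]upstream[-revision] strings.
    def split(v):
        epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
        upstream, _, rev = rest.rpartition("-") if "-" in rest else (rest, "", "")
        return int(epoch), upstream, rev
    (e1, u1, r1), (e2, u2, r2) = split(v1), split(v2)
    return (e1 > e2) - (e1 < e2) or _cmp_part(u1, u2) or _cmp_part(r1, r2)

def needs_upgrade(release, installed):
    # installed maps source package -> version; returns those below the fix.
    return sorted(p for p, fixed in FIXED[release].items()
                  if p in installed and compare_versions(installed[p], fixed) < 0)

# Constructed inventory of a lenny host, for illustration only.
SAMPLE = {"shibboleth-sp2": "2.0.dfsg1-4", "opensaml2": "2.0-2+lenny2"}
print(needs_upgrade("lenny", SAMPLE))
```

On a real Debian host, `dpkg --compare-versions` performs the same ordering and should be preferred over a reimplementation.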
Debian GNU/Linux 4.0 alias etch
- -------------------------------
Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
[continued in next message]