Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 584
Alerts This Week
Warning Icon 1 584

Debian: DSA-1849-1 Critical: xml-security-c Signature Forgery Update

debian
Calendar Grey August 2, 2009
Scroller Debian
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - ----------------------------------------------------
It was discovered that the W3C XML Signature recommendation contains a protocol-level vulnerability related to HMAC output truncation

Summary

It was discovered that the W3C XML Signature recommendation contains a
protocol-level vulnerability related to HMAC output truncation. This
update implements the proposed workaround in the C++ version of the
Apache implementation of this standard, xml-security-c, by preventing
truncation to output strings shorter than 80 bits or half of the
original HMAC output, whichever is greater.

For the old stable distribution (etch), this problem has been fixed in
version 1.2.1-3+etch1.

For the stable distribution (lenny), this problem has been fixed in
version 1.4.0-3+lenny2.

For the unstable distribution (sid), this problem has been fixed in
version 1.4.0-4.

We recommend that you upgrade your xml-security-c packages.

Upgrade instructions
- --------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-...

Read the Full Advisory

Severity
critical
Lowest
Low
Medium
High
Critical

Package: xml-security-c

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.