Debian 5.0 Lenny DSA-1895-1 Urgent: Xmltooling RCE Vulnerability Advisory
debian
September 24, 2009
Several vulnerabilities have been discovered in the xmltooling packages, as used by Shibboleth: Chris Ries discovered that decoding a crafted URL leads to a crash (and
Summary
Several vulnerabilities have been discovered in the xmltooling packages,
as used by Shibboleth:
Chris Ries discovered that decoding a crafted URL leads to a crash (and
potentially, arbitrary code execution).
Ian Young discovered that embedded NUL characters in certificate names
were not correctly handled, exposing configurations using PKIX trust
validation to impersonation attacks.
Incorrect processing of SAML metadata ignores key usage constraints.
This minor issue also needs a correction in the opensaml2 packages,
which will be provided in an upcoming stable point release (and,
before that, via stable-proposed-updates).
For the stable distribution (lenny), these problems have been fixed in
version 1.0-2+lenny1.
For the unstable distribution (sid), these problems have been fixed in
version 1.2.2-1.
We recommend that you upgrade your xmltooling packages.
Upgrade instructions
- --------------------
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
If y...
PREVIOUS
NEXT
Severity
critical
Lowest
Low
Medium
High
Critical
Package: xmltooling
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Related News
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!