-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1947-1                  security@debian.org
http://www.debian.org/security/                       Moritz Muehlenhoff
December 07, 2009                     http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package        : shibboleth-sp, shibboleth-sp2, opensaml2
Vulnerability  : missing input sanitising
Problem type   : remote
Debian-specific: no
CVE Id(s)      : CVE-2009-3300

Matt Elder discovered that Shibboleth, a federated web single sign-on
system is vulnerable to script injection through redirection URLs. More
details can be found in the Shibboleth advisory at
 

For the old stable distribution (etch), this problem has been fixed in
version 1.3f.dfsg1-2+etch2 of shibboleth-sp.

For the stable distribution (lenny), this problem has been fixed in
version 1.3.1.dfsg1-3+lenny2 of shibboleth-sp, version 2.0.dfsg1-4+lenny2
of shibboleth-sp2 and version 2.0-2+lenny2 of opensaml2.

For the unstable distribution (sid), this problem has been fixed in
version 2.3+dfsg-1 of shibboleth-sp2, version 2.3-1 of opensaml2 and
version 1.3.1-1 of xmltooling.

We recommend that you upgrade your Shibboleth packages.

Upgrade instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- -------------------------------

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

      Size/MD5 checksum:    35169 ce866f75fd4a3e360bcf1f40328a6775
      Size/MD5 checksum:   731365 7aba8f84ff20013dea55a4a34306791a
      Size/MD5 checksum:      957 4b81922200999d83b4e6e300dc4105b2

alpha architecture (DEC Alpha)

      Size/MD5 checksum:   599542 bc648aff189d0a1ab1cfaa8b552ca3c2
      Size/MD5 checksum:   218758 84f33e347e9905f7a8ea10f7ccefef38
      Size/MD5 checksum:    81606 ff24f6a6f67605f54970d80effacbbdb
      Size/MD5 checksum:  4220522 696dd0f5e47dc671cc975becf0de468f

amd64 architecture (AMD x86_64 (AMD64))

      Size/MD5 checksum:   458596 74e93d23170bb31caebfe2ca129d07d0
      Size/MD5 checksum:    78106 54e21b28a39741ed8e7174f1f461b36f
      Size/MD5 checksum:  4016352 ed12fa9ff63849bbaebff10b69910042
      Size/MD5 checksum:   201502 99f8013c58e15a4e7f631c2b6163df80

arm architecture (ARM)

      Size/MD5 checksum:   463996 e9b59a2da0e48c3c28d5cc6496fb610a
      Size/MD5 checksum:   224674 443c6592e797a5f3029ddfc6e4d39b6e
      Size/MD5 checksum:    77274 eb8e738461d2ce57747d00c0372ccd0c
      Size/MD5 checksum:  3777924 c8fc18d5e616f85e3bf4be7e72660a6d

hppa architecture (HP PA RISC)

      Size/MD5 checksum:    91240 6d3bf6784f6c37ac33bd5c187ffff78f
      Size/MD5 checksum:  4681852 45a47043bead90d8c5b4d7d055f3481c
      Size/MD5 checksum:   236856 9fcd23ec0055d336e830afbff9e0bfc4
      Size/MD5 checksum:   523584 39dae9be500d372f40d79cd173208c83

i386 architecture (Intel ia32)

      Size/MD5 checksum:   433480 4d36fe53ea41d60d8a9271a8283f982e
      Size/MD5 checksum:    76582 2e8ccdf193b826c7edea81d64928e306
      Size/MD5 checksum:   201376 43e1ccf246c06173bb0b726435f0d815
      Size/MD5 checksum:  3717328 706787e36afd27879765043b36e21b67

ia64 architecture (Intel ia64)

      Size/MD5 checksum:  4282674 6cf33d6e7e648f927d7471c1e14faeda
      Size/MD5 checksum:   261082 42ecc6cb79ccaeb51ed216460854a6ef
      Size/MD5 checksum:   606936 ad107c7889b6d3656b09494956872099
      Size/MD5 checksum:    93558 e42b24b08c6724e038885bbb740b7ca8

mipsel architecture (MIPS (Little Endian))

      Size/MD5 checksum:   188188 08e68a767cef9f6a17300355346ebb29
      Size/MD5 checksum:  3739418 16b2bbe8b61dcce84d0b59cd1deab413
      Size/MD5 checksum:   474312 0f630ad847bd524394fd8a2fb09a3bf6
      Size/MD5 checksum:    74468 fea5404f1e3c957dea0725a8dc592026

s390 architecture (IBM S/390)

      Size/MD5 checksum:  4882170 69ef571c49fc850cc72c2ece4034cc26
      Size/MD5 checksum:   431890 0dca24c94492a6315d1fdbec36084135
      Size/MD5 checksum:   202306 8ca8e9ef70f686c74bb847872e4aec48
      Size/MD5 checksum:    78436 a282913025fea52ca355b0ccd3eaae59

sparc architecture (Sun SPARC/UltraSPARC)

      Size/MD5 checksum:  4013874 821e9b9bc96fef947d18f6784d3b1854
      Size/MD5 checksum:    78344 50dc4f9244ac311dca6bfbc81214c978
      Size/MD5 checksum:   416304 13ca14493e80f0ff8e7f94ccdb660abf
      Size/MD5 checksum:   209108 ecb31ca29a9d247d212a63df040d9a64

Debian GNU/Linux 5.0 alias lenny
- --------------------------------

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

      Size/MD5 checksum:     7717 be1470ec19b079abbea465c586a6db9c
      Size/MD5 checksum:     1450 ae583eaffa9dc2ab9fc37f15bfbf9817
      Size/MD5 checksum:    34141 89b96ed5094e36c9da588f2fe0c815d9
      Size/MD5 checksum:    17174 b9b0333f56c573d4a7f9bf608cbc4a89
      Size/MD5 checksum:   705058 85968f3c72cb789b11c9d01209e4d46b
      Size/MD5 checksum:     1672 7cef2a57583d84e46a214475c4a25393
      Size/MD5 checksum:   761686 996ac4370cd8cb91528169c1e2c337b6
      Size/MD5 checksum:     1601 b7d6efd2896e7e3cee6463c14c23b122
      Size/MD5 checksum:   726871 836fccbf614fc8edfc1fdbefcf0ba489

Architecture independent packages:

      Size/MD5 checksum:   365940 551bf56b7ca0618a515b4cde3c9046c7
      Size/MD5 checksum:    25680 681338ca7d060ab79c9f26527902d8dc
      Size/MD5 checksum:   258520 39b8bdad69f6bfa31730c459da5b575c
      Size/MD5 checksum:    15434 4f601fe9b3886b22316a141e01e707a6

alpha architecture (DEC Alpha)

      Size/MD5 checksum:   575686 69d92528ea88a49b28931fc0fd3653f7
      Size/MD5 checksum:    84258 4de37104dcc335289e01785cd85d4c85
      Size/MD5 checksum:   218348 8f31cca573d9e3158458c7ec76a09e88
      Size/MD5 checksum:  4126894 3eaf35288a38c8d14e4c72340661a594
      Size/MD5 checksum:   241522 385e1e70d3b296c97bf34783c2cf173f
      Size/MD5 checksum:   941354 123fbab68a88df7843839b0406345488
      Size/MD5 checksum:    39842 d8c15efea7f3d01bd06b6197a8920235

amd64 architecture (AMD x86_64 (AMD64))

      Size/MD5 checksum:   228568 dc4196ddec55f46b1a8eac7185b88a48
      Size/MD5 checksum:    81744 a55299c3b74a93da9a592dac059b01c9
      Size/MD5 checksum:    44592 4b419a7302251bc7b4692d66bff18528
      Size/MD5 checksum:   840692 1ff155d1f8cd16aa3a84aa8efb1193e9
      Size/MD5 checksum:   201410 8edd3a696833973b204a6d71dcdab807
      Size/MD5 checksum:    39838 ab0ae6d0efddc77e13f9bd4c5310c542
      Size/MD5 checksum:    28440 9bb20149248ac6f087e4cc43646d1f8c
      Size/MD5 checksum:   456000 b8ca326fcf83b65d8dca6e9784f53066
      Size/MD5 checksum:  1192090 7803aa94b252c6ea8f0fbbb85c5daa2a
      Size/MD5 checksum:  3836116 2a44bac39c2cb29039c56cbb95e5786a

arm architecture (ARM)

      Size/MD5 checksum:   228470 71a7c3343665c48ede56d46a0c262221
      Size/MD5 checksum:   455568 ea8a41453fc01b7bdfa1c9071327333c
      Size/MD5 checksum:    77508 7117b5f842db50750bb549fce98b19f9
      Size/MD5 checksum:  3581714 51dd8fdf617457b087d06ca7a5736a94
      Size/MD5 checksum:    44828 c311aa275750cfd43afd388b153e8416
      Size/MD5 checksum:   214548 f3defb04bd5965851b36ac8d6cb3d151
      Size/MD5 checksum:    27214 d88ee290fdfd74f37e64f04805cfcc18
      Size/MD5 checksum:    40368 586a3581ca90e7e7ee0e88c146687e62
      Size/MD5 checksum:  1164554 1f88ecccc1c33e3faab2b3f7a4452dd7
      Size/MD5 checksum:   946436 ed86edf1c11e206e5d032bb5181ad50a

armel architecture (ARM EABI)

      Size/MD5 checksum:   205908 0e0678da76fed65ae488470dfe10a0c9
      Size/MD5 checksum:   476654 f6d54f691090bf50254dbd386c6d769c
      Size/MD5 checksum:    69910 ba99d299af96261c579e25e66908abab
      Size/MD5 checksum:   770344 b86196f10236b070b803cd4471f4c423
      Size/MD5 checksum:    45088 c339ef2f9f15e520e82a1d51bfd95aae
      Size/MD5 checksum:    24718 db0f484a05d4122d24f8545975c15326
      Size/MD5 checksum:  1036358 67b6c4e429c5e111b0ec13efb45d7882
      Size/MD5 checksum:    40430 f90d19f99a707de0b382b8e9e4b1e198
      Size/MD5 checksum:  3558576 c47ab3119943a9566da8ddc09ca660f1
      Size/MD5 checksum:   185672 3882aafaf772ec0efef1467d73423aee

hppa architecture (HP PA RISC)

      Size/MD5 checksum:    44690 179fd0ce973904e527a4689d4277394f
      Size/MD5 checksum:  1028004 fda64b9c3d563d0ca69ab75589df9537
      Size/MD5 checksum:  1390048 f4c926a6071013c7036a80e26f28fa11
      Size/MD5 checksum:    29416 8464d0da9c99a042352cb2d3283e7ea8
      Size/MD5 checksum:  4490366 9f2d49bb26c07d0590a267a956d0ecd6
      Size/MD5 checksum:   233514 553109e5fe95a921708fa43c2f390ae1
      Size/MD5 checksum:   537212 1c245ff84054296d0ed17e927a306ee0
      Size/MD5 checksum:   251682 24496f3bc7ab7f61814a11c926c5df9b
      Size/MD5 checksum:    88700 8cb6c26058a0a110af40ceb8b5390467
      Size/MD5 checksum:    40654 dd810fe55b07f82ceb95bf9ea836e3ea

i386 architecture (Intel ia32)

      Size/MD5 checksum:    39896 92ee9791f3230e4ea0af774d21f94168
      Size/MD5 checksum:   830196 69baa4d5223c2de49c11efb1f5221a60
      Size/MD5 checksum:  1083380 5172f568a27adc2bed46aa20f676dff5
      Size/MD5 checksum:  3517742 7a113810a43f06c3d6a3c5dab6e07016
      Size/MD5 checksum:    44708 2ed6b07d9ef09967812b79e897034310
      Size/MD5 checksum:   199976 baa7d28e34b5fde83cc018b5a5d4c15a
      Size/MD5 checksum:    78690 03c98f8a8ab9c46c51211cf03477a596
      Size/MD5 checksum:   220864 e29f350428d1b68225d7c8ba7cd3a1ae
      Size/MD5 checksum:    27222 139eb0bb1b4509126eb0f314bd06b3c6
      Size/MD5 checksum:   424062 813d3d51730c919ce8cce2619e8cb7a4

ia64 architecture (Intel ia64)

      Size/MD5 checksum:  1141736 e154e2940d769255c27812c88e6008ef
      Size/MD5 checksum:   617516 446aab21fce2d72a0329aaacb13b0218
      Size/MD5 checksum:    39822 c1d1672a1133ef3dc3e06bb35d44178a
      Size/MD5 checksum:    44824 3860e662f447487c2d9bf8205456aece
      Size/MD5 checksum:   257036 30475f72472985773c1865ac17bd3c89
      Size/MD5 checksum:  4090302 8b6a05199dc1320125556dfc7926fae4
      Size/MD5 checksum:   272332 83c9fa6e5604e602c3bc4f14a06eeae5
      Size/MD5 checksum:    33502 4eed857b2d83a40e68d93e98ade6abc8
      Size/MD5 checksum:    95656 89ebd5d71ad2b141d236d8c9b6a43903
      Size/MD5 checksum:  1490970 713ad5906467e5b90cc4a3f53f0744f3

mips architecture (MIPS (Big Endian))

      Size/MD5 checksum:    44844 6b456d8c52239872cbd9f5542bff784b
      Size/MD5 checksum:    73664 f41bdb4eb005b8625dea2e409364ff87
      Size/MD5 checksum:  1193866 808245a31a56eabf2c0e5709b8fd2428
      Size/MD5 checksum:   470078 540998727df1f5c9428313f758cf884a
      Size/MD5 checksum:    39848 87bd4c93eb79695af218c0808a09e35a
      Size/MD5 checksum:   215272 4860e20d43c86f2735a31f44670618ec
      Size/MD5 checksum:    26668 62fb10d72d7ed01330fccf10286bbe6a
      Size/MD5 checksum:   184228 4e33ed1450dc3e80bebe4ba6e77a838b
      Size/MD5 checksum:   777292 e1e41bc61eccd7ecaea9584d38bf58e6
      Size/MD5 checksum:  3850956 d5f8bcc45254c4ef6d92d080556291b5

mipsel architecture (MIPS (Little Endian))

      Size/MD5 checksum:   182718 51b45846a45e5e82cc9e19c945a90ea5
      Size/MD5 checksum:    26546 86462ca5f14e03a354f66d78a2d2cd26
      Size/MD5 checksum:   213836 5ea221d730e499c8d119fadae2a10cf4
      Size/MD5 checksum:   767516 609ed9d94b80fc8de162755940085083
      Size/MD5 checksum:    39856 260898221c2f3d98aa4d2feea9dd8c79
      Size/MD5 checksum:    44834 4888af4ae1674af7cb9f3ad0bc8ed08d
      Size/MD5 checksum:  3558410 71a2d6eeaf4f098991037d9591960959
      Size/MD5 checksum:   465932 0b83d1e7850c8db7bbe6ba6910f277ec
      Size/MD5 checksum:    72646 d9d3544bf7737fd39c05fa581d7a0d09
      Size/MD5 checksum:  1090376 cd526c5cebb53ccce2328f082daa74c7

powerpc architecture (PowerPC)

      Size/MD5 checksum:   204176 7cb6fb9fb3236cc8511d651c775d073e
      Size/MD5 checksum:   460872 1447cb90c1f474fd61cc9983cfa556d3
      Size/MD5 checksum:    87052 d313378dd667914afa23fe31b6c05ee3
      Size/MD5 checksum:  4448862 2f5163953f563c2f019c1dbc9bab43dc

s390 architecture (IBM S/390)

      Size/MD5 checksum:  1233568 235630e792f502b5c37faae115045df9
      Size/MD5 checksum:   428186 103147901d6a2cfaeff2035ff2c28288
      Size/MD5 checksum:   197704 27ec7c3bd31a449d20da04226b6e468c
      Size/MD5 checksum:    44804 cd801280cf417fae3e179ef4fe3a66e1
      Size/MD5 checksum:   848578 de7ce789ecb6c16795b931402f0b1660
      Size/MD5 checksum:  4723822 97ac517c81a1d4dab7935a2be919cca7
      Size/MD5 checksum:    80696 92acd50da0e8385d15aae03ffc1a0d02
      Size/MD5 checksum:   229200 2441d31d47eabc618d623d32d7e13b5d
      Size/MD5 checksum:    39816 1cc5bd0bd313ca10b6da5724c48731c4
      Size/MD5 checksum:    28226 f4847e4e43da82482df59db35202f2d2

sparc architecture (Sun SPARC/UltraSPARC)

      Size/MD5 checksum:  3816108 f57bba921d5e899118e7fe8f5bb23f65
      Size/MD5 checksum:    27342 3c40d8e2de20d5dcc598bd710af5656b
      Size/MD5 checksum:    40232 c2d60a1f8c2b5796274c15e4ca5a10ed
      Size/MD5 checksum:    79978 ad93d7013e82d2a3c00989bd52fb5439
      Size/MD5 checksum:    44848 8c6c3a8de0ab991d34114ee39bf2f3db
      Size/MD5 checksum:   206984 57e6d5d73e1d1e7751471c0759fa5977
      Size/MD5 checksum:   218028 7424acce24e5c5c0017d04030e176377
      Size/MD5 checksum:  1344914 a1fab1a73f632b64a8cd65d253716481
      Size/MD5 checksum:  1009372 037974812670103391815dd83fa3e0fa
      Size/MD5 checksum:   408546 720bec76be68d6ed4300c38c125745e1


  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp:  dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show ' and http://packages.debian.org/