[<prev] [next>] [day] [month] [year] [list]
Message-ID: <871vnuz5rh.fsf@mid.deneb.enyo.de>
Date: Sun, 02 Aug 2009 15:48:02 +0200
From: Florian Weimer <fw@...eb.enyo.de>
To: bugtraq@...urityfocus.com
Subject: [SECURITY] [DSA 1849-1] New xml-security-c packages fix signature forgery
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- ------------------------------------------------------------------------
Debian Security Advisory DSA-1849-1 security@...ian.org
http://www.debian.org/security/ Florian Weimer
August 02, 2009 http://www.debian.org/security/faq
- ------------------------------------------------------------------------
Package : xml-security-c
Vulnerability : design flaw
Problem type : local (remote)
Debian-specific: no
CVE Id(s) : CVE-2009-0217
CERT advisory : VU#466161
It was discovered that the W3C XML Signature recommendation contains a
protocol-level vulnerability related to HMAC output truncation. This
update implements the proposed workaround in the C++ version of the
Apache implementation of this standard, xml-security-c, by preventing
truncation to output strings shorter than 80 bits or half of the
original HMAC output, whichever is greater.
For the old stable distribution (etch), this problem has been fixed in
version 1.2.1-3+etch1.
For the stable distribution (lenny), this problem has been fixed in
version 1.4.0-3+lenny2.
For the unstable distribution (sid), this problem has been fixed in
version 1.4.0-4.
We recommend that you upgrade your xml-security-c packages.
Upgrade instructions
- --------------------
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 4.0 alias etch
- -------------------------------
Source archives:
http://security.debian.org/pool/updates/main/x/xml-security-c/xml-security-c_1.2.1.orig.tar.gz
Size/MD5 checksum: 2560698 c8cfd893e0d13c08e6cdffc1b02d431c
http://security.debian.org/pool/updates/main/x/xml-security-c/xml-security-c_1.2.1-3+etch1.diff.gz
Size/MD5 checksum: 9397 eee96ead16c0fe740d1e323bde905830
http://security.debian.org/pool/updates/main/x/xml-security-c/xml-security-c_1.2.1-3+etch1.dsc
Size/MD5 checksum: 798 7c376bd95337c43d4de11ea3a75a24f5
Architecture independent packages:
http://security.debian.org/pool/updates/main/x/xml-security-c/libxml-security-c-doc_1.2.1-3+etch1_all.deb
Size/MD5 checksum: 1845748 ee0ffa05b1b60925e38f3fca562a08eb
alpha architecture (DEC Alpha)
http://security.debian.org/pool/updates/main/x/xml-security-c/libxml-security-c-dev_1.2.1-3+etch1_alpha.deb
Size/MD5 checksum: 119938 d31ec89d90362667221233b6296e4cb0
http://security.debian.org/pool/updates/main/x/xml-security-c/libxml-security-c12_1.2.1-3+etch1_alpha.deb
Size/MD5 checksum: 312956 b2ad9dd61644639f572f4e1bcb00965d
amd64 architecture (AMD x86_64 (AMD64))
http://security.debian.org/pool/updates/main/x/xml-security-c/libxml-security-c12_1.2.1-3+etch1_amd64.deb
Size/MD5 checksum: 291372 9c218c654a24213f98ba3222d8337f7a
http://security.debian.org/pool/updates/main/x/xml-security-c/libxml-security-c-dev_1.2.1-3+etch1_amd64.deb
Size/MD5 checksum: 119084 020bfb03a4736b0478d645510d86953f
arm architecture (ARM)
http://security.debian.org/pool/updates/main/x/xml-security-c/libxml-security-c12_1.2.1-3+etch1_arm.deb
Size/MD5 checksum: 304896 b6c3dcda88a74d359218f220deaea2b5
http://security.debian.org/pool/updates/main/x/xml-security-c/libxml-security-c-dev_1.2.1-3+etch1_arm.deb
Size/MD5 checksum: 120304 cd7487c6c571d6e0a002e3a2cd59e05e
hppa architecture (HP PA RISC)
http://security.debian.org/pool/updates/main/x/xml-security-c/libxml-security-c-dev_1.2.1-3+etch1_hppa.deb
Size/MD5 checksum: 121356 f138d0eecdb09e5d06760fcb897332a8
http://security.debian.org/pool/updates/main/x/xml-security-c/libxml-security-c12_1.2.1-3+etch1_hppa.deb
Size/MD5 checksum: 361032 f70bcaf5d4b9868fee5477c5e4681dab
i386 architecture (Intel ia32)
http://security.debian.org/pool/updates/main/x/xml-security-c/libxml-security-c12_1.2.1-3+etch1_i386.deb
Size/MD5 checksum: 293276 18d5996d062d21bd6af815c80bda5b1a
http://security.debian.org/pool/updates/main/x/xml-security-c/libxml-security-c-dev_1.2.1-3+etch1_i386.deb
Size/MD5 checksum: 120864 b2a8f94634550d36369326943ed53baf
ia64 architecture (Intel ia64)
http://security.debian.org/pool/updates/main/x/xml-security-c/libxml-security-c-dev_1.2.1-3+etch1_ia64.deb
Size/MD5 checksum: 119930 c3ceb9e692852962d25e708016a7a434
http://security.debian.org/pool/updates/main/x/xml-security-c/libxml-security-c12_1.2.1-3+etch1_ia64.deb
Size/MD5 checksum: 350184 f15bfec431e30ada442c43be1f5a91ff
mips architecture (MIPS (Big Endian))
http://security.debian.org/pool/updates/main/x/xml-security-c/libxml-security-c-dev_1.2.1-3+etch1_mips.deb
Size/MD5 checksum: 119942 bae859241d611a240ae5b9249f120f38
http://security.debian.org/pool/updates/main/x/xml-security-c/libxml-security-c12_1.2.1-3+etch1_mips.deb
Size/MD5 checksum: 276032 7d5d2977f75703715df6f2adca648793
mipsel architecture (MIPS (Little Endian))
http://security.debian.org/pool/updates/main/x/xml-security-c/libxml-security-c-dev_1.2.1-3+etch1_mipsel.deb
Size/MD5 checksum: 119946 e1f515b9ba927eba7545f1f70d8c8d64
http://security.debian.org/pool/updates/main/x/xml-security-c/libxml-security-c12_1.2.1-3+etch1_mipsel.deb
Size/MD5 checksum: 266602 f498800151d86f9094b5cbefd1b7ad96
powerpc architecture (PowerPC)
http://security.debian.org/pool/updates/main/x/xml-security-c/libxml-security-c-dev_1.2.1-3+etch1_powerpc.deb
Size/MD5 checksum: 119950 2601f8c882c496450ef12932d946e4cd
http://security.debian.org/pool/updates/main/x/xml-security-c/libxml-security-c12_1.2.1-3+etch1_powerpc.deb
Size/MD5 checksum: 295310 cfe7e0e8a0cc973f1d31b7c5e626b3fd
s390 architecture (IBM S/390)
http://security.debian.org/pool/updates/main/x/xml-security-c/libxml-security-c-dev_1.2.1-3+etch1_s390.deb
Size/MD5 checksum: 119926 e22f0b7723656aa4d290e0115d68de10
http://security.debian.org/pool/updates/main/x/xml-security-c/libxml-security-c12_1.2.1-3+etch1_s390.deb
Size/MD5 checksum: 292112 326eff9008b42bc0a31e728a0a8bc610
sparc architecture (Sun SPARC/UltraSPARC)
http://security.debian.org/pool/updates/main/x/xml-security-c/libxml-security-c-dev_1.2.1-3+etch1_sparc.deb
Size/MD5 checksum: 119836 c9f19d8e98ab76ea89b41e46b11d7036
http://security.debian.org/pool/updates/main/x/xml-security-c/libxml-security-c12_1.2.1-3+etch1_sparc.deb
Size/MD5 checksum: 298112 bbbf2e5caba79d70ac1e90022bb6a9fb
Debian GNU/Linux 5.0 alias lenny
- --------------------------------
Source archives:
http://security.debian.org/pool/updates/main/x/xml-security-c/xml-security-c_1.4.0.orig.tar.gz
Size/MD5 checksum: 934876 dd9accf6727eb008dbf1dd674d5d4dcc
http://security.debian.org/pool/updates/main/x/xml-security-c/xml-security-c_1.4.0-3+lenny2.dsc
Size/MD5 checksum: 1378 f29c4e9daf89733b4f5351b6832d30d1
http://security.debian.org/pool/updates/main/x/xml-security-c/xml-security-c_1.4.0-3+lenny2.diff.gz
Size/MD5 checksum: 6299 f9c531ccd6d81f8cdf1c3e1a14452ce9
alpha architecture (DEC Alpha)
http://security.debian.org/pool/updates/main/x/xml-security-c/libxml-security-c14_1.4.0-3+lenny2_alpha.deb
Size/MD5 checksum: 403536 2be5f3c78a7d136343f41db631f35dbf
http://security.debian.org/pool/updates/main/x/xml-security-c/libxml-security-c-dev_1.4.0-3+lenny2_alpha.deb
Size/MD5 checksum: 137174 3083a6152fe3503df12bded2d585bbac
amd64 architecture (AMD x86_64 (AMD64))
http://security.debian.org/pool/updates/main/x/xml-security-c/libxml-security-c-dev_1.4.0-3+lenny2_amd64.deb
Size/MD5 checksum: 137140 cfda58e00bc0e4d0c0659bae97e8b618
http://security.debian.org/pool/updates/main/x/xml-security-c/libxml-security-c14_1.4.0-3+lenny2_amd64.deb
Size/MD5 checksum: 373934 df07b72b5b4c62e047771bacdb5362db
arm architecture (ARM)
http://security.debian.org/pool/updates/main/x/xml-security-c/libxml-security-c14_1.4.0-3+lenny2_arm.deb
Size/MD5 checksum: 378166 d4b08d9ad7c4376d8365e77058007110
http://security.debian.org/pool/updates/main/x/xml-security-c/libxml-security-c-dev_1.4.0-3+lenny2_arm.deb
Size/MD5 checksum: 138626 92c35b8c5f7e224d55f4b0d0430f616d
armel architecture (ARM EABI)
http://security.debian.org/pool/updates/main/x/xml-security-c/libxml-security-c14_1.4.0-3+lenny2_armel.deb
Size/MD5 checksum: 305848 aacf870726bf8ab6ec17aaf7b0cdcfdf
http://security.debian.org/pool/updates/main/x/xml-security-c/libxml-security-c-dev_1.4.0-3+lenny2_armel.deb
Size/MD5 checksum: 140072 625c396cf269bf753511744d84e63182
hppa architecture (HP PA RISC)
http://security.debian.org/pool/updates/main/x/xml-security-c/libxml-security-c-dev_1.4.0-3+lenny2_hppa.deb
Size/MD5 checksum: 140120 c42442f8a13b412e76c26be15018452e
http://security.debian.org/pool/updates/main/x/xml-security-c/libxml-security-c14_1.4.0-3+lenny2_hppa.deb
Size/MD5 checksum: 417920 7d37c2e4a92bbf6d00a6a66e0bf79ec0
i386 architecture (Intel ia32)
http://security.debian.org/pool/updates/main/x/xml-security-c/libxml-security-c14_1.4.0-3+lenny2_i386.deb
Size/MD5 checksum: 367904 5119c1cff8e8ca5a1e0378d6a7a993c6
http://security.debian.org/pool/updates/main/x/xml-security-c/libxml-security-c-dev_1.4.0-3+lenny2_i386.deb
Size/MD5 checksum: 139746 7ac6a75066e66941c015836bf249d2d5
ia64 architecture (Intel ia64)
http://security.debian.org/pool/updates/main/x/xml-security-c/libxml-security-c-dev_1.4.0-3+lenny2_ia64.deb
Size/MD5 checksum: 137162 ae3815bb28e9f541c6d465fa02ccb3ca
http://security.debian.org/pool/updates/main/x/xml-security-c/libxml-security-c14_1.4.0-3+lenny2_ia64.deb
Size/MD5 checksum: 443176 ab99f41436d699969a99e10c9b302fb5
mips architecture (MIPS (Big Endian))
http://security.debian.org/pool/updates/main/x/xml-security-c/libxml-security-c-dev_1.4.0-3+lenny2_mips.deb
Size/MD5 checksum: 137212 5f80e137ea0990adafcb95780c8ac40e
http://security.debian.org/pool/updates/main/x/xml-security-c/libxml-security-c14_1.4.0-3+lenny2_mips.deb
Size/MD5 checksum: 317060 e1cfbea0ebd764a7aa0cd3e036451ba3
mipsel architecture (MIPS (Little Endian))
http://security.debian.org/pool/updates/main/x/xml-security-c/libxml-security-c-dev_1.4.0-3+lenny2_mipsel.deb
Size/MD5 checksum: 137210 800e1daa075a066a3eddaf0d70109396
http://security.debian.org/pool/updates/main/x/xml-security-c/libxml-security-c14_1.4.0-3+lenny2_mipsel.deb
Size/MD5 checksum: 307406 b1a81ab15d51331594a012128626381d
powerpc architecture (PowerPC)
http://security.debian.org/pool/updates/main/x/xml-security-c/libxml-security-c-dev_1.4.0-3+lenny2_powerpc.deb
Size/MD5 checksum: 139754 290d64a32f56eb8c937c0f980545dc92
http://security.debian.org/pool/updates/main/x/xml-security-c/libxml-security-c14_1.4.0-3+lenny2_powerpc.deb
Size/MD5 checksum: 394974 0a743cf7c858f323e2218782164ebd88
s390 architecture (IBM S/390)
http://security.debian.org/pool/updates/main/x/xml-security-c/libxml-security-c14_1.4.0-3+lenny2_s390.deb
Size/MD5 checksum: 354552 a533a33dcde0fcfa971044b7937e6fde
http://security.debian.org/pool/updates/main/x/xml-security-c/libxml-security-c-dev_1.4.0-3+lenny2_s390.deb
Size/MD5 checksum: 137140 19a74b4629a160c17a16e1bd68d0d12e
sparc architecture (Sun SPARC/UltraSPARC)
http://security.debian.org/pool/updates/main/x/xml-security-c/libxml-security-c14_1.4.0-3+lenny2_sparc.deb
Size/MD5 checksum: 361628 d35cd24bf41aedd439497e3bf6427466
http://security.debian.org/pool/updates/main/x/xml-security-c/libxml-security-c-dev_1.4.0-3+lenny2_sparc.deb
Size/MD5 checksum: 139732 b88f0bb712cc35216fa05ae433f916d0
These files will probably be moved into the stable distribution on
its next update.
- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@...ts.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iQEcBAEBAgAGBQJKdZn9AAoJEL97/wQC1SS+XFoH/iCN4Qwy1N+78BXWdV37jPyu
L5KNYp1Qfkkf/RQKKZVCqdSiyCaYp/J/JVuJvVW0eoGsxcxS5xEb8qVdX6Hn0Xwe
l4h4QFsMXjHWxVLyY9H0rHFQWK3/qV3JHtN3mDpG5bA7QIzgm7zaTzaiJgV6Rdht
r7rXB3Gz/WPEElZsEbxL51Cv3CQPZ6Yrwt2En9VuhU2BjlP3xhxaRWcCJT7RRJof
QEPQpg0zPp9YyY1aoYrG/yE4BVecm4g5VQeXpIalNri0YSynVoTdxagd3T0izEw7
LyNXpRv/tOsjnMDwO8TNNjZS0/1z2FSRqLEW8EXxDOWwOBP4wmwJe1+xitl232c=
=hORs
-----END PGP SIGNATURE-----
Powered by blists - more mailing lists