Share your story
The central voice for Linux and Open Source security news
Home News Topics Advisories HOWTOs Features Newsletters About Register

Sign up!
EnGarde Community
What is the most important Linux security technology?
Linux Events
Linux User Groups
Link to Us
Security Center
Book Reviews
Security Dictionary
Security Tips
White Papers
Featured Blogs
All About Linux
DanWalsh LiveJournal
Latest Newsletters
Linux Security Week: March 30th, 2015
Linux Advisory Watch: March 27th, 2015
LinuxSecurity Newsletters
Choose Lists:
About our Newsletters
RSS Feeds
Get the LinuxSecurity news you want faster with RSS
Powered By

Debian: New xml-security-c packages fix signature forgery Print E-mail
User Rating:      How can I rate this item?
Posted by Benjamin D. Thomas   
- ------------------------------------------------------------------------
Debian Security Advisory DSA-1849-1                                   Florian Weimer
August 02, 2009             
- ------------------------------------------------------------------------

Package        : xml-security-c
Vulnerability  : design flaw
Problem type   : local (remote)
Debian-specific: no
CVE Id(s)      : CVE-2009-0217
CERT advisory  : VU#466161

It was discovered that the W3C XML Signature recommendation contains a
protocol-level vulnerability related to HMAC output truncation.  This
update implements the proposed workaround in the C++ version of the
Apache implementation of this standard, xml-security-c, by preventing
truncation to output strings shorter than 80 bits or half of the
original HMAC output, whichever is greater.

For the old stable distribution (etch), this problem has been fixed in
version 1.2.1-3+etch1.

For the stable distribution (lenny), this problem has been fixed in
version 1.4.0-3+lenny2.

For the unstable distribution (sid), this problem has been fixed in
version 1.4.0-4.

We recommend that you upgrade your xml-security-c packages.

Upgrade instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 4.0 alias etch
- -------------------------------

Source archives:
    Size/MD5 checksum:  2560698 c8cfd893e0d13c08e6cdffc1b02d431c
    Size/MD5 checksum:     9397 eee96ead16c0fe740d1e323bde905830
    Size/MD5 checksum:      798 7c376bd95337c43d4de11ea3a75a24f5

Architecture independent packages:
    Size/MD5 checksum:  1845748 ee0ffa05b1b60925e38f3fca562a08eb

alpha architecture (DEC Alpha)
    Size/MD5 checksum:   119938 d31ec89d90362667221233b6296e4cb0
    Size/MD5 checksum:   312956 b2ad9dd61644639f572f4e1bcb00965d

amd64 architecture (AMD x86_64 (AMD64))
    Size/MD5 checksum:   291372 9c218c654a24213f98ba3222d8337f7a
    Size/MD5 checksum:   119084 020bfb03a4736b0478d645510d86953f

arm architecture (ARM)
    Size/MD5 checksum:   304896 b6c3dcda88a74d359218f220deaea2b5
    Size/MD5 checksum:   120304 cd7487c6c571d6e0a002e3a2cd59e05e

hppa architecture (HP PA RISC)
    Size/MD5 checksum:   121356 f138d0eecdb09e5d06760fcb897332a8
    Size/MD5 checksum:   361032 f70bcaf5d4b9868fee5477c5e4681dab

i386 architecture (Intel ia32)
    Size/MD5 checksum:   293276 18d5996d062d21bd6af815c80bda5b1a
    Size/MD5 checksum:   120864 b2a8f94634550d36369326943ed53baf

ia64 architecture (Intel ia64)
    Size/MD5 checksum:   119930 c3ceb9e692852962d25e708016a7a434
    Size/MD5 checksum:   350184 f15bfec431e30ada442c43be1f5a91ff

mips architecture (MIPS (Big Endian))
    Size/MD5 checksum:   119942 bae859241d611a240ae5b9249f120f38
    Size/MD5 checksum:   276032 7d5d2977f75703715df6f2adca648793

mipsel architecture (MIPS (Little Endian))
    Size/MD5 checksum:   119946 e1f515b9ba927eba7545f1f70d8c8d64
    Size/MD5 checksum:   266602 f498800151d86f9094b5cbefd1b7ad96

powerpc architecture (PowerPC)
    Size/MD5 checksum:   119950 2601f8c882c496450ef12932d946e4cd
    Size/MD5 checksum:   295310 cfe7e0e8a0cc973f1d31b7c5e626b3fd

s390 architecture (IBM S/390)
    Size/MD5 checksum:   119926 e22f0b7723656aa4d290e0115d68de10
    Size/MD5 checksum:   292112 326eff9008b42bc0a31e728a0a8bc610

sparc architecture (Sun SPARC/UltraSPARC)
    Size/MD5 checksum:   119836 c9f19d8e98ab76ea89b41e46b11d7036
    Size/MD5 checksum:   298112 bbbf2e5caba79d70ac1e90022bb6a9fb

Debian GNU/Linux 5.0 alias lenny
- --------------------------------

Source archives:
    Size/MD5 checksum:   934876 dd9accf6727eb008dbf1dd674d5d4dcc
    Size/MD5 checksum:     1378 f29c4e9daf89733b4f5351b6832d30d1
    Size/MD5 checksum:     6299 f9c531ccd6d81f8cdf1c3e1a14452ce9

alpha architecture (DEC Alpha)
    Size/MD5 checksum:   403536 2be5f3c78a7d136343f41db631f35dbf
    Size/MD5 checksum:   137174 3083a6152fe3503df12bded2d585bbac

amd64 architecture (AMD x86_64 (AMD64))
    Size/MD5 checksum:   137140 cfda58e00bc0e4d0c0659bae97e8b618
    Size/MD5 checksum:   373934 df07b72b5b4c62e047771bacdb5362db

arm architecture (ARM)
    Size/MD5 checksum:   378166 d4b08d9ad7c4376d8365e77058007110
    Size/MD5 checksum:   138626 92c35b8c5f7e224d55f4b0d0430f616d

armel architecture (ARM EABI)
    Size/MD5 checksum:   305848 aacf870726bf8ab6ec17aaf7b0cdcfdf
    Size/MD5 checksum:   140072 625c396cf269bf753511744d84e63182

hppa architecture (HP PA RISC)
    Size/MD5 checksum:   140120 c42442f8a13b412e76c26be15018452e
    Size/MD5 checksum:   417920 7d37c2e4a92bbf6d00a6a66e0bf79ec0

i386 architecture (Intel ia32)
    Size/MD5 checksum:   367904 5119c1cff8e8ca5a1e0378d6a7a993c6
    Size/MD5 checksum:   139746 7ac6a75066e66941c015836bf249d2d5

ia64 architecture (Intel ia64)
    Size/MD5 checksum:   137162 ae3815bb28e9f541c6d465fa02ccb3ca
    Size/MD5 checksum:   443176 ab99f41436d699969a99e10c9b302fb5

mips architecture (MIPS (Big Endian))
    Size/MD5 checksum:   137212 5f80e137ea0990adafcb95780c8ac40e
    Size/MD5 checksum:   317060 e1cfbea0ebd764a7aa0cd3e036451ba3

mipsel architecture (MIPS (Little Endian))
    Size/MD5 checksum:   137210 800e1daa075a066a3eddaf0d70109396
    Size/MD5 checksum:   307406 b1a81ab15d51331594a012128626381d

powerpc architecture (PowerPC)
    Size/MD5 checksum:   139754 290d64a32f56eb8c937c0f980545dc92
    Size/MD5 checksum:   394974 0a743cf7c858f323e2218782164ebd88

s390 architecture (IBM S/390)
    Size/MD5 checksum:   354552 a533a33dcde0fcfa971044b7937e6fde
    Size/MD5 checksum:   137140 19a74b4629a160c17a16e1bd68d0d12e

sparc architecture (Sun SPARC/UltraSPARC)
    Size/MD5 checksum:   361628 d35cd24bf41aedd439497e3bf6427466
    Size/MD5 checksum:   139732 b88f0bb712cc35216fa05ae433f916d0

  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb stable/updates main
For dpkg-ftp: dists/stable/updates/main
Mailing list:
< Prev   Next >


Latest Features
Peter Smith Releases Linux Network Security Online
Securing a Linux Web Server
Password guessing with Medusa 2.0
Password guessing as an attack vector
Squid and Digest Authentication
Squid and Basic Authentication
Demystifying the Chinese Hacking Industry: Earning 6 Million a Night
Free Online security course (LearnSIA) - A Call for Help
What You Need to Know About Linux Rootkits
Review: A Practical Guide to Fedora and Red Hat Enterprise Linux - Fifth Edition
Yesterday's Edition
Feds Charged With Stealing Money During Silk Road Investigation
EFF questions US government's software flaw disclosure policy
Hotel Router Vulnerability A Reminder Of Untrusted WiFi Risks
Partner Sponsor

Community | HOWTOs | Blogs | Features | Book Reviews | Networking
 Security Projects |  Latest News |  Newsletters |  SELinux |  Privacy |  Home
 Hardening |   About Us |   Advertise |   Legal Notice |   RSS |   Guardian Digital
(c)Copyright 2015 Guardian Digital, Inc. All rights reserved.