Several vulnerabilities have been discovered in the xmltooling packages,
as used by Shibboleth:
- Chris Ries discovered that decoding a crafted URL leads to a crash (and
potentially, arbitrary code execution).
- Ian Young discovered that embedded NUL characters in certificate names
were not correctly handled, exposing configurations using PKIX trust
validation to impersonation attacks.
- Incorrect processing of SAML metadata ignores key usage constraints.
This minor issue also needs a correction in the opensaml2 packages,
which will be provided in an upcoming stable point release (and,
before that, via stable-proposed-updates).
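An added illustration of the NUL-handling defect in the second item (this is example code written for this page, not xmltooling's or Shibboleth's own): a DER certificate name is a length-prefixed byte string and may contain a 0x00 byte, so a check that hands it to C string functions stops at the first NUL and accepts a name whose visible prefix matches. Function names and the sample name are constructed for the example.

```cpp
#include <cstring>
#include <string>

// Constructed sample name carrying an embedded NUL after the benign prefix.
// std::string(raw, len) keeps the NUL; a plain "raw" literal would drop it.
std::string nulPrefixedName() {
    static const char raw[] = "good.example\0other.example";
    return std::string(raw, sizeof(raw) - 1);
}

// Naive check (the defective pattern): strcmp() reads certName as a C string,
// so comparison ends at the embedded NUL and the tail is never examined.
bool naiveNameMatches(const std::string& certName, const std::string& expected) {
    return std::strcmp(certName.c_str(), expected.c_str()) == 0;
}

// Hardened check: refuse any name with an embedded NUL (no legitimate DNS
// name or RDN value needs one), then compare the full length-aware byte
// sequence so a trailing component can never be silently ignored.
bool safeNameMatches(const std::string& certName, const std::string& expected) {
    if (certName.find('\0') != std::string::npos) {
        return false;  // embedded NUL: treat as a validation failure
    }
    return certName.size() == expected.size() && certName == expected;
}
```

The naive variant reports a match for the constructed name, while the hardened variant rejects it and still accepts a clean, exact name.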
For the stable distribution (lenny), these problems have been fixed in
version 1.0-2+lenny1.
For the unstable distribution (sid), these problems have been fixed in
version 1.2.2-1.
We recommend that you upgrade your xmltooling packages.