Russ Allbery uploaded new packages for xml-security-c that fixed the
following security problems discovered by James Forshaw from Context
Information Security:


    The implementation of XML digital signatures in the Santuario-C++
    library is vulnerable to a spoofing issue allowing an attacker to
    reuse existing signatures with arbitrary content.


    A stack overflow, possibly leading to arbitrary code execution,
    exists in the processing of malformed XPointer expressions in the
    XML Signature Reference processing code.


    A bug in the processing of the output length of an HMAC-based XML
    Signature would cause a denial of service when processing specially
    chosen input.


    A heap overflow exists in the processing of the PrefixList attribute
    optionally used in conjunction with Exclusive Canonicalization,
    potentially allowing arbitary code execution.

For the squeeze-backports distribution, the problems have been fixed in
version 1.6.1-5+deb7u1~bpo60+1.

We recommend that you upgrade your xml-security-c packages, particularly
libxml-security-c16, if it was installed via backports.