From owner at bugs.debian.org Sat Jun 1 08:06:09 2013
From: owner at bugs.debian.org (Debian Bug Tracking System)
Date: Sat, 01 Jun 2013 08:06:09 +0000
Subject: Processed: tagging as pending bugs that are closed by packages in NEW
References: <20130601080344.43A0586E4123@elida.v7w.com>
Message-ID:

Processing commands for control at bugs.debian.org:

> # Saturday 1 June 08:03:28 UTC 2013
> # Tagging as pending bugs that are closed by packages in NEW
> # http://ftp-master.debian.org/new.html
> #
> # Source package in NEW: libtest-lwp-useragent-perl
> tags 708280 + pending
Bug #708280 [wnpp] ITP: libtest-lwp-useragent-perl -- a LWP::UserAgent suitable for simulating and testing network calls
Added tag(s) pending.
> # Source package in NEW: ruby-jbuilder
> tags 694708 + pending
Bug #694708 [wnpp] ITP: ruby-jbuilder -- A ruby gem that gives a simple DSL for declaring JSON structure.
Added tag(s) pending.
> # Source package in NEW: shibboleth-sp2
> tags 666804 + pending
Bug #666804 [shibboleth-sp2] shibboleth-sp2: sourceful transition towards Apache 2.4
Added tag(s) pending.
> # Source package in NEW: shibboleth-sp2
> tags 685069 + pending
Bug #685069 [shibboleth-sp2] Please package Shibboleth 2.5 for experimental
Added tag(s) pending.
> # Source package in NEW: ruby-gon
> tags 703185 + pending
Bug #703185 [wnpp] ITP: ruby-gon -- Ruby library to send data to JavaScript from a Ruby application
Added tag(s) pending.
> End of message, stopping processing here.

Please contact me if you need assistance.
-- 
666804: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=666804
685069: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=685069
694708: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=694708
703185: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=703185
708280: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=708280
Debian Bug Tracking System
Contact owner at bugs.debian.org with problems

From ftpmaster at ftp-master.debian.org Sat Jun 1 10:01:10 2013
From: ftpmaster at ftp-master.debian.org (Debian FTP Masters)
Date: Sat, 01 Jun 2013 10:01:10 +0000
Subject: shibboleth-sp2_2.5.1+dfsg-1_i386.changes ACCEPTED into experimental, experimental
Message-ID:

Accepted:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 31 May 2013 16:09:24 -0700
Source: shibboleth-sp2
Binary: libapache2-mod-shib2 libshibsp6 libshibsp-dev libshibsp-doc shibboleth-sp2-schemas
Architecture: source i386 all
Version: 2.5.1+dfsg-1
Distribution: experimental
Urgency: low
Maintainer: Debian Shib Team
Changed-By: Russ Allbery
Description:
 libapache2-mod-shib2 - Federated web single sign-on system (Apache module)
 libshibsp-dev - Federated web single sign-on system (development)
 libshibsp-doc - Federated web single sign-on system (API docs)
 libshibsp6 - Federated web single sign-on system (runtime)
 shibboleth-sp2-schemas - Federated web single sign-on system (schemas)
Closes: 666804 685069
Changes:
 shibboleth-sp2 (2.5.1+dfsg-1) experimental; urgency=low
 .
   * New upstream release. (Closes: #685069)
     - Support for Apache 2.4. Please note there are some configuration
       incompatibilities between Apache 2.4 and Apache 2.2. See the upstream
       documentation at
       https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApacheConfig
       for more information. (Closes: #666804)
     - Disable the PKCS 1.5 algorithm for SAML assertion encryption by default
       for security reasons. This can be re-enabled if necessary in the
       security-policy.xml configuration file.
     - The protocol between the Apache module and shibd has changed. shibd
       will be restarted during upgrades, but if the module is configured to
       talk to a remote shibd over TCP, both the module and shibd must be
       upgraded at the same time.
     - Settings to limit redirections have been renamed from relayStateLimit
       and relayStateWhitelist to redirectLimit and redirectWhitelist
       respectively and the old names are deprecated (but still supported).
     - cookieProps has been simplified and warnings introduced if SSL
       restrictions are not enabled.
     - The element that loads the attribute-map.xml file now defaults to
       reloadChanges="false". Restarting the SP when this file changes is
       recommended for security reasons.
     - Logging properties have been removed from the default configuration
       file and the absence of properties now indicates use of the default
       logging configuration files (shibd.logger and native.logger).
     - The native.log file is now created as root before Apache child
       initialization to minimize permission issues.
     - Files that persist across server restarts have been moved to
       /var/cache/shibboleth.
     - The example style sheet for error templates has been moved to a
       version-independent location in /usr/share/shibboleth. A logo file is
       no longer included in the package to avoid accidental use of the
       Shibboleth logo on production sites. If your existing error templates
       reference these files, you should correct this by copying files that
       you need to locations that you control.
     - The module should now be referenced as mod_shib.cpp in conditionals
       that want to reference a source file name.
     - Clients that bounce between IPv4 and IPv6 addresses should now be
       handled more smoothly.
     - SP initialization now fails if an external session cache is configured
       but cannot be opened.
   * Update libapache2-mod-shib2's README.Debian:
     - Use the Apache 2.4 authorization syntax.
     - Mention possibly having to grant access to /Shibboleth.sso.
     - The module is now enabled by default but still needs configuration.
     - Update the upstream configuration documentation URL.
     - The reason for switching native.logger to syslog is now obsolete (but
       the package still does that, possibly to be reconsidered later).
   * Remove the (undefined) warn_log destination from the default
     native.logger configuration file, restoring consistency with the Debian
     modification to log to syslog.
     Since all native logs go to syslog, there's no need to have
     differentiated log destinations based on threshold. The previous version
     of the file referenced a commented-out warn_log destination, which
     caused errors to be spammed to syslog.
   * Build with GSS-API support.
   * Build and install FastCGI programs in /usr/lib//shibboleth. For right
     now, these are still included in libapache2-mod-shib2, which makes them
     substantially less useful than they would be in their own package.
     Further work is required to allow the FastCGI programs plus shibd to be
     installed independent of the Apache module.
   * Add build dependency on libboost-dev.
   * Use log4shib instead of log4cpp.
   * Force build dependencies and package dependencies on xml-security-c 1.7
     or later, xmltooling 1.5 or later, and opensaml2 2.5 or later to ensure
     everything is consistent.
   * Remove explicit build dependency on libtool. This is now handled by
     dh-autoreconf.
   * Add Multi-Arch: same to libshibsp-dev and Multi-Arch: foreign to
     libshibsp-doc and shibboleth-sp2-schemas.
   * Remove Conflicts with libapache2-mod-shib. lenny is dead.
   * Fix the libshibsp-doc package name in the Suggests on libshibsp-dev and
     remove the nonstandard version constraint.
   * Install the upstream doc/RELEASE.txt file as the upstream changelog.
     It's not exactly a changelog, but it has pointers to the upstream web
     documentation of changes, which is probably what people are looking for.
   * Drop postinst code to handle upgrades from the Shibboleth 1.x module,
     which was last included in lenny.
   * Switch to xz compression for the repackaged upstream source,
     *.debian.tar, and the *.deb packages.
   * Update upstream Homepage.
   * Canonicalize the URLs in the Vcs-Git and Vcs-Browser control fields.
   * Update standards version to 3.9.4.
     - Update debian/copyright to specify copyright-format 1.0.
Thank you for your contribution to Debian.

From owner at bugs.debian.org Sat Jun 1 10:03:05 2013
From: owner at bugs.debian.org (Debian Bug Tracking System)
Date: Sat, 01 Jun 2013 10:03:05 +0000
Subject: Bug#666804: marked as done (shibboleth-sp2: sourceful transition towards Apache 2.4)
References:
Message-ID:

Your message dated Sat, 01 Jun 2013 10:01:10 +0000
with message-id
and subject line Bug#666804: fixed in shibboleth-sp2 2.5.1+dfsg-1
has caused the Debian Bug report #666804,
regarding shibboleth-sp2: sourceful transition towards Apache 2.4
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner at bugs.debian.org
immediately.)

-- 
666804: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=666804
Debian Bug Tracking System
Contact owner at bugs.debian.org with problems

-------------- next part --------------
An embedded message was scrubbed...
From: arno at debian.org
Subject: shibboleth-sp2: sourceful transition towards Apache 2.4
Date: Sun, 01 Apr 2012 21:15:52 +0000
Size: 4587
URL:
-------------- next part --------------
An embedded message was scrubbed...
From: Russ Allbery
Subject: Bug#666804: fixed in shibboleth-sp2 2.5.1+dfsg-1
Date: Sat, 01 Jun 2013 10:01:10 +0000
Size: 11424
URL:

From owner at bugs.debian.org Sat Jun 1 10:03:09 2013
From: owner at bugs.debian.org (Debian Bug Tracking System)
Date: Sat, 01 Jun 2013 10:03:09 +0000
Subject: Bug#685069: marked as done (Please package Shibboleth 2.5 for experimental)
References: <20120816105516.4470.42403.reportbug@aviv.rz.uni-konstanz.de>
Message-ID:

Your message dated Sat, 01 Jun 2013 10:01:10 +0000
with message-id
and subject line Bug#685069: fixed in shibboleth-sp2 2.5.1+dfsg-1
has caused the Debian Bug report #685069,
regarding Please package Shibboleth 2.5 for experimental
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner at bugs.debian.org
immediately.)

-- 
685069: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=685069
Debian Bug Tracking System
Contact owner at bugs.debian.org with problems

-------------- next part --------------
An embedded message was scrubbed...
From: Daniel Scharon
Subject: Please package Shibboleth 2.5 for experimental
Date: Thu, 16 Aug 2012 12:55:16 +0200
Size: 2430
URL:
-------------- next part --------------
An embedded message was scrubbed...
From: Russ Allbery
Subject: Bug#685069: fixed in shibboleth-sp2 2.5.1+dfsg-1
Date: Sat, 01 Jun 2013 10:01:10 +0000
Size: 11449
URL:

From rra at debian.org Tue Jun 18 04:36:30 2013
From: rra at debian.org (Russ Allbery) Date: Tue, 18 Jun 2013 04:36:30 +0000 Subject: [SCM] Debian packaging for XML-Security-C branch, master, updated. debian/1.7.0-1-11-gbbed522 Message-ID: The following commit has been merged in the master branch: commit e9979b64411d5ce700a7029548918e2813654142 Merge: ffc25eee079170afdfa288bfabb4affbbc668f39 faf40d76b8142e959e85e9667064672d911cd878 Author: Russ Allbery Date: Mon Jun 17 20:35:31 2013 -0700 Merge tag 'upstream/1.7.1' Upstream version 1.7.1 -- Debian packaging for XML-Security-C From rra at debian.org Tue Jun 18 04:36:31 2013 From: rra at debian.org (Russ Allbery) Date: Tue, 18 Jun 2013 04:36:31 +0000 Subject: [SCM] Debian packaging for XML-Security-C branch, master, updated. debian/1.7.0-1-11-gbbed522 Message-ID: The following commit has been merged in the master branch: commit 226df214ffe082a3161e7f4b4ad32ece91e653e3 Author: Russ Allbery Date: Mon Jun 17 20:37:32 2013 -0700 Add changelog for upstream 1.7.1 release diff --git a/debian/changelog b/debian/changelog index 7d04a22..1f203de 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,3 +1,21 @@ +xml-security-c (1.7.1-1) UNRELEASED; urgency=high + + * New upstream release. + - Fix a spoofing vulnerability that allows an attacker to reuse + existing signatures with arbitrary content. (CVE-2013-2153) + - Fix a stack overflow in the processing of malformed XPointer + expressions in the XML Signature Reference processing code. + (CVE-2013-2154) + - Fix processing of the output length of an HMAC-based XML Signature + that could cause a denial of service when processing specially + chosen input. (CVE-2013-2155) + - Fix a heap overflow in the processing of the PrefixList attribute + optionally used in conjunction with Exclusive Canonicalization, + potentially allowing arbitary code execution. (CVE-2013-2156) + - Reduce entity expansion limits when parsing. + + -- Russ Allbery Mon, 17 Jun 2013 20:37:26 -0700 + xml-security-c (1.7.0-1) experimental; urgency=low * New upstream release. -- Debian packaging for XML-Security-C From rra at debian.org Tue Jun 18 04:36:30 2013 From: rra at debian.org (Russ Allbery) Date: Tue, 18 Jun 2013 04:36:30 +0000 Subject: [SCM] Debian packaging for XML-Security-C branch, master, updated. debian/1.7.0-1-11-gbbed522 Message-ID: The following commit has been merged in the master branch: commit faf40d76b8142e959e85e9667064672d911cd878 Author: Russ Allbery Date: Mon Jun 17 20:35:29 2013 -0700 Imported Upstream version 1.7.1 diff --git a/CHANGELOG.txt b/CHANGELOG.txt index 5bb30c6..8fc01ec 100644 --- a/CHANGELOG.txt +++ b/CHANGELOG.txt @@ -1,3 +1,8 @@ +Changes since 1.7.0 +===================================== +* Fixes for CVE-2013-2153, CVE-2013-2154, CVE-2013-2155, CVE-2013-2156 +* Reduced entity expansion limits when parsing + Changes since 1.6.1 ===================================== * [SANTUARIO-314] - AES-GCM support diff --git a/Makefile.in b/Makefile.in index 77bb459..338c203 100644 --- a/Makefile.in +++ b/Makefile.in 
@@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.12.2 from Makefile.am. +# Makefile.in generated by automake 1.12.6 from Makefile.am. # @configure_input@ # Copyright (C) 1994-2012 Free Software Foundation, Inc. @@ -74,7 +74,7 @@ DIST_COMMON = $(am__configure_deps) $(srcdir)/Makefile.am \ $(top_srcdir)/build-aux/ltmain.sh \ $(top_srcdir)/build-aux/missing $(top_srcdir)/configure \ $(top_srcdir)/xsec/framework/XSECConfig.hpp.in \ - build-aux/config.guess build-aux/config.sub \ + build-aux/config.guess build-aux/config.sub build-aux/depcomp \ build-aux/install-sh build-aux/ltmain.sh build-aux/missing ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/ax_pthread.m4 \ @@ -618,9 +618,9 @@ distcheck: dist *.zip*) \ unzip $(distdir).zip ;;\ esac - chmod -R a-w $(distdir); chmod u+w $(distdir) - mkdir $(distdir)/_build - mkdir $(distdir)/_inst + chmod -R a-w $(distdir) + chmod u+w $(distdir) + mkdir $(distdir)/_build $(distdir)/_inst chmod a-w $(distdir) test -d $(distdir)/_build || exit 0; \ dc_install_base=`$(am__cd) $(distdir)/_inst && pwd | sed -e 's,^[^:\\/]:[\\/],/,'` \ diff --git a/NOTICE.txt b/NOTICE.txt index 7189fd1..69617c7 100644 --- a/NOTICE.txt +++ b/NOTICE.txt @@ -1,5 +1,5 @@ Apache Santuario XML-Security-C Library -Copyright 2010-2011 The Apache Software Foundation +Copyright 2010-2013 The Apache Software Foundation This product includes software developed at The Apache Software Foundation (http://www.apache.org/). diff --git a/aclocal.m4 b/aclocal.m4 index 6d3cddd..20a34ef 100644 --- a/aclocal.m4 +++ b/aclocal.m4 @@ -1,4 +1,4 @@ -# generated automatically by aclocal 1.12.2 -*- Autoconf -*- +# generated automatically by aclocal 1.12.6 -*- Autoconf -*- # Copyright (C) 1996-2012 Free Software Foundation, Inc. 
@@ -25,8 +25,6 @@ To do so, use the procedure documented by the package, typically 'autoreconf'.]) # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. -# serial 8 - # AM_AUTOMAKE_VERSION(VERSION) # ---------------------------- # Automake X.Y traces this macro to ensure aclocal.m4 has been @@ -36,7 +34,7 @@ AC_DEFUN([AM_AUTOMAKE_VERSION], [am__api_version='1.12' dnl Some users find AM_AUTOMAKE_VERSION and mistake it for a way to dnl require some minimum version. Point them to the right macro. -m4_if([$1], [1.12.2], [], +m4_if([$1], [1.12.6], [], [AC_FATAL([Do not call $0, use AM_INIT_AUTOMAKE([$1]).])])dnl ]) @@ -52,7 +50,7 @@ m4_define([_AM_AUTOCONF_VERSION], []) # Call AM_AUTOMAKE_VERSION and AM_AUTOMAKE_VERSION so they can be traced. # This function is AC_REQUIREd by AM_INIT_AUTOMAKE. AC_DEFUN([AM_SET_CURRENT_AUTOMAKE_VERSION], -[AM_AUTOMAKE_VERSION([1.12.2])dnl +[AM_AUTOMAKE_VERSION([1.12.6])dnl m4_ifndef([AC_AUTOCONF_VERSION], [m4_copy([m4_PACKAGE_VERSION], [AC_AUTOCONF_VERSION])])dnl _AM_AUTOCONF_VERSION(m4_defn([AC_AUTOCONF_VERSION]))]) @@ -65,8 +63,6 @@ _AM_AUTOCONF_VERSION(m4_defn([AC_AUTOCONF_VERSION]))]) # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. -# serial 2 - # For projects using AC_CONFIG_AUX_DIR([foo]), Autoconf sets # $ac_aux_dir to '$srcdir/foo'. In other projects, it is set to # '$srcdir', '$srcdir/..', or '$srcdir/../..'. @@ -120,8 +116,6 @@ am_aux_dir=`cd $ac_aux_dir && pwd` # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. -# serial 10 - # AM_CONDITIONAL(NAME, SHELL-CONDITION) # ------------------------------------- # Define a conditional. 
@@ -153,7 +147,6 @@ fi])]) # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. -# serial 17 # There are a few dirty hacks below to avoid letting 'AC_PROG_CC' be # written in clear, in which case automake, when reading aclocal.m4, @@ -345,7 +338,6 @@ _AM_SUBST_NOTMAKE([am__nodep])dnl # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. -# serial 6 # _AM_OUTPUT_DEPENDENCY_COMMANDS # ------------------------------ @@ -422,8 +414,6 @@ AC_DEFUN([AM_OUTPUT_DEPENDENCY_COMMANDS], # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. -# serial 19 - # This macro actually does too much. Some checks are only needed if # your package does certain things. But this isn't really a big deal. @@ -575,8 +565,6 @@ echo "timestamp for $_am_arg" >`AS_DIRNAME(["$_am_arg"])`/stamp-h[]$_am_stamp_co # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. -# serial 8 - # AM_PROG_INSTALL_SH # ------------------ # Define $install_sh. @@ -598,8 +586,6 @@ AC_SUBST([install_sh])]) # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. -# serial 2 - # Check whether the underlying file-system supports filenames # with a leading dot. For instance MS-DOS doesn't. AC_DEFUN([AM_SET_LEADING_DOT], @@ -621,8 +607,6 @@ AC_SUBST([am__leading_dot])]) # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. -# serial 5 - # AM_MAKE_INCLUDE() # ----------------- # Check to see how make treats includes. 
@@ -673,8 +657,6 @@ rm -f confinc confmf # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. -# serial 7 - # AM_MISSING_PROG(NAME, PROGRAM) # ------------------------------ AC_DEFUN([AM_MISSING_PROG], @@ -682,7 +664,6 @@ AC_DEFUN([AM_MISSING_PROG], $1=${$1-"${am_missing_run}$2"} AC_SUBST($1)]) - # AM_MISSING_HAS_RUN # ------------------ # Define MISSING if not defined so far and test if it supports --run. @@ -715,8 +696,6 @@ fi # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. -# serial 6 - # _AM_MANGLE_OPTION(NAME) # ----------------------- AC_DEFUN([_AM_MANGLE_OPTION], @@ -748,8 +727,6 @@ AC_DEFUN([_AM_IF_OPTION], # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. -# serial 9 - # AM_SANITY_CHECK # --------------- AC_DEFUN([AM_SANITY_CHECK], @@ -831,8 +808,6 @@ rm -f conftest.file # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. -# serial 2 - # AM_PROG_INSTALL_STRIP # --------------------- # One issue with vendor 'install' (even GNU) is that you can't @@ -861,8 +836,6 @@ AC_SUBST([INSTALL_STRIP_PROGRAM])]) # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. -# serial 3 - # _AM_SUBST_NOTMAKE(VARIABLE) # --------------------------- # Prevent Automake from outputting VARIABLE = @VARIABLE@ in Makefile.in. @@ -882,8 +855,6 @@ AC_DEFUN([AM_SUBST_NOTMAKE], [_AM_SUBST_NOTMAKE($@)]) # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. -# serial 3 - # _AM_PROG_TAR(FORMAT) # -------------------- # Check how to create a tarball in format FORMAT. 
diff --git a/build-aux/depcomp b/build-aux/depcomp index debb6ff..e1f51f4 100755 --- a/build-aux/depcomp +++ b/build-aux/depcomp @@ -1,7 +1,7 @@ #! /bin/sh # depcomp - compile a program generating dependencies as side-effects -scriptversion=2012-03-27.16; # UTC +scriptversion=2012-07-12.20; # UTC # Copyright (C) 1999-2012 Free Software Foundation, Inc. @@ -74,6 +74,9 @@ tmpdepfile=${tmpdepfile-`echo "$depfile" | sed 's/\.\([^.]*\)$/.T\1/'`} rm -f "$tmpdepfile" +# Avoid interferences from the environment. +gccflag= dashmflag= + # Some modes work just like other modes, but use different flags. We # parameterize here, but still list the modes in the big case below, # to make depend.m4 easier to write. Note that we *cannot* use a case @@ -108,7 +111,7 @@ if test "$depmode" = msvc7msys; then fi if test "$depmode" = xlc; then - # IBM C/C++ Compilers xlc/xlC can output gcc-like dependency informations. + # IBM C/C++ Compilers xlc/xlC can output gcc-like dependency information. gccflag=-qmakedep=gcc,-MF depmode=gcc fi @@ -142,13 +145,17 @@ gcc3) ;; gcc) +## Note that this doesn't just cater to obsosete pre-3.x GCC compilers. +## but also to in-use compilers like IMB xlc/xlC and the HP C compiler. +## (see the conditional assignment to $gccflag above). ## There are various ways to get dependency output from gcc. Here's ## why we pick this rather obscure method: ## - Don't want to use -MD because we'd like the dependencies to end ## up in a subdir. Having to rename by hand is ugly. ## (We might end up doing this anyway to support other compilers.) ## - The DEPENDENCIES_OUTPUT environment variable makes gcc act like -## -MM, not -M (despite what the docs say). +## -MM, not -M (despite what the docs say). Also, it might not be +## supported by the other compilers which use the 'gcc' depmode. ## - Using -M directly means running the compiler twice (even worse ## than renaming). if test -z "$gccflag"; then 
@@ -334,6 +341,79 @@ icc) rm -f "$tmpdepfile" ;; +## The order of this option in the case statement is important, since the +## shell code in configure will try each of these formats in the order +## listed in this file. A plain '-MD' option would be understood by many +## compilers, so we must ensure this comes after the gcc and icc options. +pgcc) + # Portland's C compiler understands '-MD'. + # Will always output deps to 'file.d' where file is the root name of the + # source file under compilation, even if file resides in a subdirectory. + # The object file name does not affect the name of the '.d' file. + # pgcc 10.2 will output + # foo.o: sub/foo.c sub/foo.h + # and will wrap long lines using '\' : + # foo.o: sub/foo.c ... \ + # sub/foo.h ... \ + # ... + dir=`echo "$object" | sed -e 's|/[^/]*$|/|'` + test "x$dir" = "x$object" && dir= + # Use the source, not the object, to determine the base name, since + # that's sadly what pgcc will do too. + base=`echo "$source" | sed -e 's|^.*/||' -e 's/\.[-_a-zA-Z0-9]*$//'` + tmpdepfile="$base.d" + + # For projects that build the same source file twice into different object + # files, the pgcc approach of using the *source* file root name can cause + # problems in parallel builds. Use a locking strategy to avoid stomping on + # the same $tmpdepfile. + lockdir="$base.d-lock" + trap "echo '$0: caught signal, cleaning up...' >&2; rm -rf $lockdir" 1 2 13 15 + numtries=100 + i=$numtries + while test $i -gt 0 ; do + # mkdir is a portable test-and-set. + if mkdir $lockdir 2>/dev/null; then + # This process acquired the lock. + "$@" -MD + stat=$? + # Release the lock. 
+ rm -rf $lockdir + break + else + ## the lock is being held by a different process, + ## wait until the winning process is done or we timeout + while test -d $lockdir && test $i -gt 0; do + sleep 1 + i=`expr $i - 1` + done + fi + i=`expr $i - 1` + done + trap - 1 2 13 15 + if test $i -le 0; then + echo "$0: failed to acquire lock after $numtries attempts" >&2 + echo "$0: check lockdir '$lockdir'" >&2 + exit 1 + fi + + if test $stat -ne 0; then + rm -f "$tmpdepfile" + exit $stat + fi + rm -f "$depfile" + # Each line is of the form `foo.o: dependent.h', + # or `foo.o: dep1.h dep2.h \', or ` dep3.h dep4.h \'. + # Do two passes, one to just change these to + # `$object: dependent.h' and one to simply `dependent.h:'. + sed "s,^[^:]*:,$object :," < "$tmpdepfile" > "$depfile" + # Some versions of the HPUX 10.20 sed can't process this invocation + # correctly. Breaking it into two sed invocations is a workaround. + sed 's,^[^:]*: \(.*\)$,\1,;s/^\\$//;/^$/d;/:$/d' < "$tmpdepfile" | + sed -e 's/$/ :/' >> "$depfile" + rm -f "$tmpdepfile" + ;; + hp2) # The "hp" stanza above does not work with aCC (C++) and HP's ia64 # compilers, which have integrated preprocessors. The correct option diff --git a/configure b/configure index b71cd92..a9035af 100755 --- a/configure +++ b/configure @@ -1,8 +1,8 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for XML-Security-C 1.7.0. +# Generated by GNU Autoconf 2.69 for XML-Security-C 1.7.1. # -# Report bugs to . +# Report bugs to . # # # Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc. 
@@ -275,7 +275,7 @@ fi $as_echo "$0: be upgraded to zsh 4.3.4 or later." else $as_echo "$0: Please tell bug-autoconf at gnu.org and -$0: santuario-dev at apache.org about your system, including +$0: dev at santuario.apache.org about your system, including $0: any error possibly output before this message. Then $0: install a modern shell, or manually run the script $0: under such a shell if you do have one." @@ -590,9 +590,9 @@ MAKEFLAGS= # Identity of this package. PACKAGE_NAME='XML-Security-C' PACKAGE_TARNAME='xml-security-c' -PACKAGE_VERSION='1.7.0' -PACKAGE_STRING='XML-Security-C 1.7.0' -PACKAGE_BUGREPORT='santuario-dev at apache.org' +PACKAGE_VERSION='1.7.1' +PACKAGE_STRING='XML-Security-C 1.7.1' +PACKAGE_BUGREPORT='dev at santuario.apache.org' PACKAGE_URL='' ac_unique_file="xsec" @@ -1330,7 +1330,7 @@ if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures XML-Security-C 1.7.0 to adapt to many kinds of systems. +\`configure' configures XML-Security-C 1.7.1 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1400,7 +1400,7 @@ fi if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of XML-Security-C 1.7.0:";; + short | recursive ) echo "Configuration of XML-Security-C 1.7.1:";; esac cat <<\_ACEOF @@ -1451,7 +1451,7 @@ Some influential environment variables: Use these variables to override the choices made by `configure' or to help it to find libraries and programs with nonstandard names/locations. -Report bugs to . +Report bugs to . _ACEOF ac_status=$? fi @@ -1514,7 +1514,7 @@ fi test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -XML-Security-C configure 1.7.0 +XML-Security-C configure 1.7.1 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. 
@@ -1981,7 +1981,7 @@ $as_echo "$as_me: WARNING: $2: section \"Present But Cannot Be Compiled\"" > { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: proceeding with the compiler's result" >&5 $as_echo "$as_me: WARNING: $2: proceeding with the compiler's result" >&2;} ( $as_echo "## --------------------------------------- ## -## Report this to santuario-dev at apache.org ## +## Report this to dev at santuario.apache.org ## ## --------------------------------------- ##" ) | sed "s/^/$as_me: WARNING: /" >&2 ;; @@ -2118,7 +2118,7 @@ $as_echo "$as_me: WARNING: $2: section \"Present But Cannot Be Compiled\"" > { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: proceeding with the compiler's result" >&5 $as_echo "$as_me: WARNING: $2: proceeding with the compiler's result" >&2;} ( $as_echo "## --------------------------------------- ## -## Report this to santuario-dev at apache.org ## +## Report this to dev at santuario.apache.org ## ## --------------------------------------- ##" ) | sed "s/^/$as_me: WARNING: /" >&2 ;; @@ -2187,7 +2187,7 @@ cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by XML-Security-C $as_me 1.7.0, which was +It was created by XML-Security-C $as_me 1.7.1, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -3013,7 +3013,7 @@ fi # Define the identity of the package. PACKAGE='xml-security-c' - VERSION='1.7.0' + VERSION='1.7.1' cat >>confdefs.h <<_ACEOF @@ -17927,7 +17927,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by XML-Security-C $as_me 1.7.0, which was +This file was extended by XML-Security-C $as_me 1.7.1, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES 
@@ -17987,13 +17987,13 @@ $config_headers Configuration commands: $config_commands -Report bugs to ." +Report bugs to ." _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -XML-Security-C config.status 1.7.0 +XML-Security-C config.status 1.7.1 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff --git a/configure.ac b/configure.ac index 78eea22..674b04a 100644 --- a/configure.ac +++ b/configure.ac @@ -17,7 +17,7 @@ # Process this file with autoreconf AC_PREREQ(2.50) -AC_INIT([[XML-Security-C]],[1.7.0],[santuario-dev at apache.org],[xml-security-c]) +AC_INIT([[XML-Security-C]],[1.7.1],[dev at santuario.apache.org],[xml-security-c]) AC_CONFIG_SRCDIR(xsec) AC_CONFIG_AUX_DIR(build-aux) AC_CONFIG_MACRO_DIR(m4) diff --git a/xml-security-c.spec b/xml-security-c.spec index cd8071d..9e49fa0 100644 --- a/xml-security-c.spec +++ b/xml-security-c.spec @@ -1,5 +1,5 @@ Name: xml-security-c -Version: 1.7.0 +Version: 1.7.1 Release: 1 Summary: Apache XML security C++ library Group: Development/Libraries/C and C++ diff --git a/xsec/Makefile.am b/xsec/Makefile.am index ff30357..0396c5c 100644 --- a/xsec/Makefile.am +++ b/xsec/Makefile.am @@ -16,7 +16,7 @@ AUTOMAKE_OPTIONS = foreign -INCLUDES = -I.. +AM_CPPFLAGS = -I.. noinst_PROGRAMS = ${samples} bin_PROGRAMS = ${tools} @@ -590,7 +590,7 @@ nss_sources = \ # # Now the library specific build items # -libxml_security_c_la_LDFLAGS = -version-info 17:0:0 +libxml_security_c_la_LDFLAGS = -version-info 17:1:0 install-exec-hook: for la in $(lib_LTLIBRARIES) ; do rm -f $(DESTDIR)$(libdir)/$$la ; done @@ -618,4 +618,4 @@ EXTRA_DIST = \ enc/WinCAPI/WinCAPICryptoSymmetricKey.cpp \ enc/WinCAPI/WinCAPICryptoKeyHMAC.cpp - \ No newline at end of file + diff --git a/xsec/Makefile.in b/xsec/Makefile.in index 0af2477..f5ec449 100644 --- a/xsec/Makefile.in +++ b/xsec/Makefile.in 
@@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.12.2 from Makefile.am. +# Makefile.in generated by automake 1.12.6 from Makefile.am. # @configure_input@ # Copyright (C) 1994-2012 Free Software Foundation, Inc. @@ -583,7 +583,7 @@ top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ AUTOMAKE_OPTIONS = foreign -INCLUDES = -I.. +AM_CPPFLAGS = -I.. LDADD = libxml-security-c.la # @@ -1109,7 +1109,7 @@ nss_sources = \ # # Now the library specific build items # -libxml_security_c_la_LDFLAGS = -version-info 17:0:0 +libxml_security_c_la_LDFLAGS = -version-info 17:1:0 EXTRA_DIST = \ utils/winutils/XSECURIResolverGenericWin32.cpp \ utils/winutils/XSECSOAPRequestorSimpleWin32.cpp \ diff --git a/xsec/canon/XSECC14n20010315.cpp b/xsec/canon/XSECC14n20010315.cpp index 5beb00d..0cc5a15 100644 --- a/xsec/canon/XSECC14n20010315.cpp +++ b/xsec/canon/XSECC14n20010315.cpp @@ -25,7 +25,7 @@ * * Author(s): Berin Lautenbach * - * $Id: XSECC14n20010315.cpp 1125514 2011-05-20 19:08:33Z scantor $ + * $Id: XSECC14n20010315.cpp 1493961 2013-06-17 22:29:13Z scantor $ * */ @@ -39,6 +39,7 @@ // Xerces includes #include #include +#include #include XERCES_CPP_NAMESPACE_USE @@ -240,6 +241,8 @@ void XSECC14n20010315::setExclusive(char * xmlnsList) { } + ArrayJanitor j_nsBuf(nsBuf); + int i, j; i = 0; @@ -247,21 +250,22 @@ void XSECC14n20010315::setExclusive(char * xmlnsList) { while (xmlnsList[i] != '\0') { while (xmlnsList[i] == ' ' || - xmlnsList[i] == '\0' || xmlnsList[i] == '\t' || xmlnsList[i] == '\r' || - xmlnsList[i] == '\n') + xmlnsList[i] == '\n') { ++i; // Skip white space + } j = 0; while (!(xmlnsList[i] == ' ' || xmlnsList[i] == '\0' || xmlnsList[i] == '\t' || xmlnsList[i] == '\r' || - xmlnsList[i] == '\n')) + xmlnsList[i] == '\n')) { nsBuf[j++] = xmlnsList[i++]; // Copy name + } // Terminate the string nsBuf[j] = '\0'; @@ -281,8 +285,6 @@ void XSECC14n20010315::setExclusive(char * xmlnsList) { } - delete[] nsBuf; - } 
diff --git a/xsec/dsig/DSIGAlgorithmHandlerDefault.cpp b/xsec/dsig/DSIGAlgorithmHandlerDefault.cpp index d10c6dc..779e29d 100644 --- a/xsec/dsig/DSIGAlgorithmHandlerDefault.cpp +++ b/xsec/dsig/DSIGAlgorithmHandlerDefault.cpp @@ -23,7 +23,7 @@ * XSECAlgorithmHandlerDefault := Interface class to define handling of * default encryption algorithms * - * $Id: DSIGAlgorithmHandlerDefault.cpp 1125752 2011-05-21 17:50:17Z scantor $ + * $Id: DSIGAlgorithmHandlerDefault.cpp 1493960 2013-06-17 22:27:28Z scantor $ * */ @@ -60,6 +60,15 @@ bool compareBase64StringToRaw(const char * b64Str, // Compare at most maxCompare bits (if maxCompare > 0) // Note - whilst the other parameters are bytes, maxCompare is bits + // The div function below takes signed int, so make sure the value + // is safe to cast. + if ((int) maxCompare < 0) { + + throw XSECException(XSECException::CryptoProviderError, + "Comparison length was unsafe"); + + } + unsigned char outputStr[MAXB64BUFSIZE]; unsigned int outputLen = 0; @@ -126,7 +135,7 @@ bool compareBase64StringToRaw(const char * b64Str, char mask = 0x01; if (maxCompare != 0) { - for (j = 0 ; j < (unsigned int) d.rem; ++i) { + for (j = 0 ; j < (unsigned int) d.rem; ++j) { if ((raw[i] & mask) != (outputStr[i] & mask)) return false; @@ -516,7 +525,7 @@ unsigned int DSIGAlgorithmHandlerDefault::signToSafeBuffer( // Signature already created, so just translate to base 64 and enter string // FIX: CVE-2009-0217 - if (outputLength > 0 && (outputLength < 80 || outputLength < hashLen / 2)) { + if (outputLength > 0 && (outputLength > hashLen || outputLength < 80 || outputLength < hashLen / 2)) { throw XSECException(XSECException::AlgorithmMapperError, "HMACOutputLength set to unsafe value."); } 
@@ -641,7 +650,7 @@ bool DSIGAlgorithmHandlerDefault::verifyBase64Signature( // Already done - just compare calculated value with read value // FIX: CVE-2009-0217 - if (outputLength > 0 && (outputLength < 80 || outputLength < hashLen / 2)) { + if (outputLength > 0 && (outputLength > hashLen || outputLength < 80 || outputLength < hashLen / 2)) { throw XSECException(XSECException::AlgorithmMapperError, "HMACOutputLength set to unsafe value."); } diff --git a/xsec/dsig/DSIGReference.cpp b/xsec/dsig/DSIGReference.cpp index edd3e48..b07cecb 100644 --- a/xsec/dsig/DSIGReference.cpp +++ b/xsec/dsig/DSIGReference.cpp @@ -22,7 +22,7 @@ * * DSIG_Reference := Class for handling a DSIG reference element * - * $Id: DSIGReference.cpp 1125514 2011-05-20 19:08:33Z scantor $ + * $Id: DSIGReference.cpp 1493959 2013-06-17 22:26:41Z scantor $ * */ @@ -516,17 +516,15 @@ TXFMBase * DSIGReference::getURIBaseTXFM(DOMDocument * doc, } else if (URI[9] == XERCES_CPP_NAMESPACE_QUALIFIER chOpenParen && - URI[10] == XERCES_CPP_NAMESPACE_QUALIFIER chLatin_i && - URI[11] == XERCES_CPP_NAMESPACE_QUALIFIER chLatin_d && - URI[12] == XERCES_CPP_NAMESPACE_QUALIFIER chOpenParen && - URI[13] == XERCES_CPP_NAMESPACE_QUALIFIER chSingleQuote) { + URI[10] == XERCES_CPP_NAMESPACE_QUALIFIER chLatin_i && + URI[11] == XERCES_CPP_NAMESPACE_QUALIFIER chLatin_d && + URI[12] == XERCES_CPP_NAMESPACE_QUALIFIER chOpenParen && + URI[13] == XERCES_CPP_NAMESPACE_QUALIFIER chSingleQuote) { xsecsize_t len = XMLString::stringLen(&URI[14]); - XMLCh tmp[512]; - - if (len > 511) - len = 511; + XMLCh* tmp = new XMLCh[len + 1]; + ArrayJanitor j_tmp(tmp); xsecsize_t j = 14, i = 0; 
@@ -630,9 +628,14 @@ void DSIGReference::load(void) { // Now check for Transforms tmpElt = mp_referenceNode->getFirstChild(); - while (tmpElt != 0 && (tmpElt->getNodeType() != DOMNode::ELEMENT_NODE)) + while (tmpElt != 0 && (tmpElt->getNodeType() != DOMNode::ELEMENT_NODE)) { + if (tmpElt->getNodeType() == DOMNode::ENTITY_REFERENCE_NODE) { + throw XSECException(XSECException::ExpectedDSIGChildNotFound, + "EntityReference nodes in are unsupported."); + } // Skip text and comments tmpElt = tmpElt->getNextSibling(); + } if (tmpElt == 0) { @@ -651,13 +654,19 @@ void DSIGReference::load(void) { // Find next node tmpElt = tmpElt->getNextSibling(); - while (tmpElt != 0 && (tmpElt->getNodeType() != DOMNode::ELEMENT_NODE)) + while (tmpElt != 0 && (tmpElt->getNodeType() != DOMNode::ELEMENT_NODE)) { + if (tmpElt->getNodeType() == DOMNode::ENTITY_REFERENCE_NODE) { + throw XSECException(XSECException::ExpectedDSIGChildNotFound, + "EntityReference nodes in are unsupported."); + } tmpElt = tmpElt->getNextSibling(); + } } /* if tmpElt node type = transforms */ - else + else { mp_transformList = NULL; + } if (tmpElt == NULL || !strEquals(getDSIGLocalName(tmpElt), "DigestMethod")) { @@ -692,8 +701,14 @@ void DSIGReference::load(void) { tmpElt = tmpElt->getNextSibling(); - while (tmpElt != 0 && !(strEquals(getDSIGLocalName(tmpElt), "DigestValue"))) + while (tmpElt != 0 && + (tmpElt->getNodeType() != DOMNode::ELEMENT_NODE || !strEquals(getDSIGLocalName(tmpElt), "DigestValue"))) { + if (tmpElt->getNodeType() == DOMNode::ENTITY_REFERENCE_NODE) { + throw XSECException(XSECException::ExpectedDSIGChildNotFound, + "EntityReference nodes in are unsupported."); + } tmpElt = tmpElt->getNextSibling(); + } if (tmpElt == 0) { 
@@ -731,8 +746,13 @@ void DSIGReference::load(void) { // Find Manifest child manifestNode = manifestNode->getFirstChild(); - while (manifestNode != 0 && manifestNode->getNodeType() != DOMNode::ELEMENT_NODE) + while (manifestNode != 0 && manifestNode->getNodeType() != DOMNode::ELEMENT_NODE) { + if (manifestNode->getNodeType() == DOMNode::ENTITY_REFERENCE_NODE) { + throw XSECException(XSECException::ExpectedDSIGChildNotFound, + "EntityReference nodes in are unsupported."); + } manifestNode = manifestNode->getNextSibling(); + } if (manifestNode == 0 || !strEquals(getDSIGLocalName(manifestNode), "Manifest")) throw XSECException(XSECException::ExpectedDSIGChildNotFound, @@ -743,8 +763,14 @@ void DSIGReference::load(void) { // Now have the manifest node, find the first reference and load! referenceNode = manifestNode->getFirstChild(); - while (referenceNode != 0 && !strEquals(getDSIGLocalName(referenceNode), "Reference")) + while (referenceNode != 0 && + (referenceNode->getNodeType() != DOMNode::ELEMENT_NODE || !strEquals(getDSIGLocalName(referenceNode), "Reference"))) { + if (referenceNode->getNodeType() == DOMNode::ENTITY_REFERENCE_NODE) { + throw XSECException(XSECException::ExpectedDSIGChildNotFound, + "EntityReference nodes in are unsupported."); + } referenceNode = referenceNode->getNextSibling(); + } if (referenceNode == 0) throw XSECException(XSECException::ExpectedDSIGChildNotFound, @@ -797,8 +823,13 @@ DSIGReferenceList *DSIGReference::loadReferenceListFromXML(const XSECEnv * env, // Find next element Node tmpRef = tmpRef->getNextSibling(); - while (tmpRef != 0 && tmpRef->getNodeType() != DOMNode::ELEMENT_NODE) + while (tmpRef != 0 && tmpRef->getNodeType() != DOMNode::ELEMENT_NODE) { + if (tmpRef->getNodeType() == DOMNode::ENTITY_REFERENCE_NODE) { + throw XSECException(XSECException::ExpectedDSIGChildNotFound, + "EntityReference nodes in are unsupported."); + } tmpRef = tmpRef->getNextSibling(); + } } 
diff --git a/xsec/dsig/DSIGSignature.cpp b/xsec/dsig/DSIGSignature.cpp index 0947e60..f43a8ee 100644 --- a/xsec/dsig/DSIGSignature.cpp +++ b/xsec/dsig/DSIGSignature.cpp @@ -24,7 +24,7 @@ * * Author(s): Berin Lautenbach * - * $Id: DSIGSignature.cpp 1357795 2012-07-05 18:37:09Z scantor $ + * $Id: DSIGSignature.cpp 1478626 2013-05-03 01:34:21Z scantor $ * */ 
@@ -111,152 +111,6 @@ void DSIGSignature::Initialise(void) { } -// -------------------------------------------------------------------------------- -// Some useful utility functions -// -------------------------------------------------------------------------------- - - -#if 0 - -bool compareBase64StringToRaw(safeBuffer &b64SB, - unsigned char * raw, - unsigned int rawLen, - unsigned int maxCompare = 0) { - // Decode a base64 buffer and then compare the result to a raw buffer - // Compare at most maxCompare bits (if maxComare > 0) - // Note - whilst the other parameters are bytes, maxCompare is bits - - unsigned char outputStr[1024]; - unsigned char b64Str[1024]; - unsigned int outputLen = 0; - - XSECCryptoBase64 * b64 = XSECPlatformUtils::g_cryptoProvider->base64(); - - if (!b64) { - - throw XSECException(XSECException::CryptoProviderError, - "Error requesting Base64 object from Crypto Provider"); - - } - - Janitor j_b64(b64); - - strncpy((char *) b64Str, (char *) b64SB.rawBuffer(), 1023); - b64Str[1023] = '\0'; // Just in case - - b64->decodeInit(); - outputLen = b64->decode((unsigned char *) b64Str, (unsigned int) strlen((char *) b64Str), outputStr, 1024); - outputLen += b64->decodeFinish(&outputStr[outputLen], 1024 - outputLen); - - // Compare - - div_t d; - unsigned int maxCompareBytes, maxCompareBits; - maxCompareBits = 0; - - unsigned int size; - - if (maxCompare > 0) { - d = div(maxCompare, 8); - maxCompareBytes = d.quot; - if (d.rem != 0) - maxCompareBytes++; - - if (rawLen < maxCompareBytes && outputLen < maxCompareBytes) { - if (rawLen != outputLen) - return false; - size = rawLen; - } - else if (rawLen < maxCompareBytes || outputLen < maxCompareBytes) { - return false; - } - else - size = maxCompareBytes; - } - else { - - if (rawLen != outputLen) - return false; - - size = rawLen; - - } - - // Compare bytes - unsigned int i, j; - for (i = 0; i < size; ++ i) { - if (raw[i] != outputStr[i]) - return false; - } - - // Compare bits - - char mask = 0x01; - 
if (maxCompare != 0) { - for (j = 0 ; j < (unsigned int) d.rem; ++i) { - - if ((raw[i] & mask) != (outputStr[i] & mask)) - return false; - - mask = mask << 1; - } - } - - return true; - -} - - -void convertRawToBase64String(safeBuffer &b64SB, - unsigned char * raw, - unsigned int rawLen, - unsigned int maxBits = 0) { - - // Translate the rawbuffer (at most maxBits or rawLen - whichever is smaller) - // to a base64 string - - unsigned char b64Str[1024]; - unsigned int outputLen = 0; - - XSECCryptoBase64 * b64 = XSECPlatformUtils::g_cryptoProvider->base64(); - - if (!b64) { - - throw XSECException(XSECException::CryptoProviderError, - "Error requesting Base64 object from Crypto Provider"); - - } - - Janitor j_b64(b64); - - // Determine length to translate - unsigned int size; - - if (maxBits > 0) { - div_t d = div(maxBits, 8); - size = d.quot; - if (d.rem != 0) - ++size; - - if (size > rawLen) - size = rawLen; - } - - else - size = rawLen; - - b64->encodeInit(); - outputLen = b64->encode((unsigned char *) raw, rawLen, b64Str, 1024); - outputLen += b64->encodeFinish(&b64Str[outputLen], 1024 - outputLen); - b64Str[outputLen] = '\0'; - - // Copy out - - b64SB.sbStrcpyIn((char *) b64Str); - -} - -#endif /* 0 */ // -------------------------------------------------------------------------------- // Get the Canonicalised BYTE_STREAM of the SignedInfo diff --git a/xsec/dsig/DSIGSignedInfo.cpp b/xsec/dsig/DSIGSignedInfo.cpp index 7d3e266..9c64ef6 100644 --- a/xsec/dsig/DSIGSignedInfo.cpp +++ b/xsec/dsig/DSIGSignedInfo.cpp @@ -22,7 +22,7 @@ * * DSIGSignedInfo := Class for checking and setting up signed Info nodes in a DSIG signature * - * $Id: DSIGSignedInfo.cpp 1125514 2011-05-20 19:08:33Z scantor $ + * $Id: DSIGSignedInfo.cpp 1493959 2013-06-17 22:26:41Z scantor $ * */ 
@@ -299,9 +299,14 @@ void DSIGSignedInfo::load(void) { // Check for CanonicalizationMethod - while (tmpSI != 0 && (tmpSI->getNodeType() != DOMNode::ELEMENT_NODE)) + while (tmpSI != 0 && (tmpSI->getNodeType() != DOMNode::ELEMENT_NODE)) { + if (tmpSI->getNodeType() == DOMNode::ENTITY_REFERENCE_NODE) { + throw XSECException(XSECException::ExpectedDSIGChildNotFound, + "EntityReference nodes in are unsupported."); + } // Skip text and comments tmpSI = tmpSI->getNextSibling(); + } if (tmpSI == 0 || !strEquals(getDSIGLocalName(tmpSI), "CanonicalizationMethod")) { @@ -362,17 +367,23 @@ void DSIGSignedInfo::load(void) { } - else + else { throw XSECException(XSECException::UnknownCanonicalization); + } // Now load the SignatureMethod tmpSI = tmpSI->getNextSibling(); - while (tmpSI != 0 && (tmpSI->getNodeType() != DOMNode::ELEMENT_NODE)) + while (tmpSI != 0 && (tmpSI->getNodeType() != DOMNode::ELEMENT_NODE)) { + if (tmpSI->getNodeType() == DOMNode::ENTITY_REFERENCE_NODE) { + throw XSECException(XSECException::ExpectedDSIGChildNotFound, + "EntityReference nodes in are unsupported."); + } // Skip text and comments tmpSI = tmpSI->getNextSibling(); + } if (tmpSI == 0 || !strEquals(getDSIGLocalName(tmpSI), "SignatureMethod")) { @@ -406,10 +417,14 @@ void DSIGSignedInfo::load(void) { * longer know at this point if this is an HMAC, we need to check. */ DOMNode *tmpSOV = tmpSI->getFirstChild(); - while (tmpSOV != NULL && - tmpSOV->getNodeType() != DOMNode::ELEMENT_NODE && - !strEquals(getDSIGLocalName(tmpSOV), "HMACOutputLength")) + while (tmpSOV != NULL && + (tmpSOV->getNodeType() != DOMNode::ELEMENT_NODE || !strEquals(getDSIGLocalName(tmpSOV), "HMACOutputLength"))) { + if (tmpSOV->getNodeType() == DOMNode::ENTITY_REFERENCE_NODE) { + throw XSECException(XSECException::ExpectedDSIGChildNotFound, + "EntityReference nodes in are unsupported."); + } tmpSOV = tmpSOV->getNextSibling(); + } if (tmpSOV != NULL) { 
@@ -433,9 +448,14 @@ void DSIGSignedInfo::load(void) { // Run through the rest of the elements until done - while (tmpSI != 0 && (tmpSI->getNodeType() != DOMNode::ELEMENT_NODE)) + while (tmpSI != 0 && (tmpSI->getNodeType() != DOMNode::ELEMENT_NODE)) { + if (tmpSI->getNodeType() == DOMNode::ENTITY_REFERENCE_NODE) { + throw XSECException(XSECException::ExpectedDSIGChildNotFound, + "EntityReference nodes in are unsupported."); + } // Skip text and comments tmpSI = tmpSI->getNextSibling(); + } if (tmpSI != NULL) { diff --git a/xsec/framework/XSECDefs.hpp b/xsec/framework/XSECDefs.hpp index 6e84529..513ebc1 100644 --- a/xsec/framework/XSECDefs.hpp +++ b/xsec/framework/XSECDefs.hpp @@ -24,7 +24,7 @@ * * Author(s): Berin Lautenbach * - * $Id: XSECDefs.hpp 1125514 2011-05-20 19:08:33Z scantor $ + * $Id: XSECDefs.hpp 1493962 2013-06-17 22:32:41Z scantor $ * */ @@ -69,6 +69,9 @@ typedef unsigned int xsecsize_t; #endif +// Pending API change, compile in a limit for Xerces SecurityManager entity expansion +#define XSEC_ENTITY_EXPANSION_LIMIT 1000 + // -------------------------------------------------------------------------------- // Namespace Handling diff --git a/xsec/framework/XSECEnv.cpp b/xsec/framework/XSECEnv.cpp index 3b8bc2a..6e31522 100644 --- a/xsec/framework/XSECEnv.cpp +++ b/xsec/framework/XSECEnv.cpp @@ -23,7 +23,7 @@ * XSECEnv := Configuration class - used by the other classes to retrieve * information on the environment they are working under * - * $Id: XSECEnv.cpp 1350043 2012-06-13 22:31:04Z scantor $ + * $Id: XSECEnv.cpp 1478615 2013-05-03 00:07:02Z scantor $ * */ diff --git a/xsec/framework/XSECVersion.hpp b/xsec/framework/XSECVersion.hpp index 5cfb3fa..c55f769 100644 --- a/xsec/framework/XSECVersion.hpp +++ b/xsec/framework/XSECVersion.hpp 
@@ -30,7 +30,7 @@ #define XSEC_VERSION_MAJOR 1 #define XSEC_VERSION_MEDIUM 7 -#define XSEC_VERSION_MINOR 0 +#define XSEC_VERSION_MINOR 1 // -------------------------------------------------------------------------------- // Version Handling diff --git a/xsec/framework/version.rc b/xsec/framework/version.rc index 52721aa..a4ddbac 100644 --- a/xsec/framework/version.rc +++ b/xsec/framework/version.rc @@ -54,8 +54,8 @@ END // VS_VERSION_INFO VERSIONINFO - FILEVERSION 1,7,0,0 - PRODUCTVERSION 1,7,0,0 + FILEVERSION 1,7,1,0 + PRODUCTVERSION 1,7,1,0 FILEFLAGSMASK 0x3fL #ifdef _DEBUG FILEFLAGS 0x1L @@ -73,13 +73,13 @@ BEGIN VALUE "Comments", "\0" VALUE "CompanyName", "The Apache Software Foundation\0" VALUE "FileDescription", "Santuario C++ XML Security Library\0" - VALUE "FileVersion", "1, 7, 0, 0\0" + VALUE "FileVersion", "1, 7, 1, 0\0" #ifdef _DEBUG VALUE "InternalName", "xsec_1_7D\0" #else VALUE "InternalName", "xsec_1_7\0" #endif - VALUE "LegalCopyright", "Copyright ? 2002-2012 The Apache Software Foundation\0" + VALUE "LegalCopyright", "Copyright ? 2002-2013 The Apache Software Foundation\0" VALUE "LegalTrademarks", "\0" #ifdef _DEBUG VALUE "OriginalFilename", "xsec_1_7D.dll\0" @@ -88,7 +88,7 @@ BEGIN #endif VALUE "PrivateBuild", "\0" VALUE "ProductName", "Santuario C++ XML Security Library\0" - VALUE "ProductVersion", "1, 7, 0, 0\0" + VALUE "ProductVersion", "1, 7, 1, 0\0" VALUE "SpecialBuild", "\0" END END diff --git a/xsec/tools/checksig/checksig.cpp b/xsec/tools/checksig/checksig.cpp index cd5074d..db81d27 100644 --- a/xsec/tools/checksig/checksig.cpp +++ b/xsec/tools/checksig/checksig.cpp @@ -22,7 +22,7 @@ * * checkSig := (Very ugly) tool to check a signature embedded in an XML file * - * $Id: checksig.cpp 1125514 2011-05-20 19:08:33Z scantor $ + * $Id: checksig.cpp 1478616 2013-05-03 00:07:57Z scantor $ * */ 
@@ -147,6 +147,8 @@ void printUsage(void) { cerr << " Set an hmac key using the \n\n"; cerr << " --xsecresolver/-x\n"; cerr << " Use the xml-security test XMLDSig URI resolver\n\n"; + cerr << " --id \n"; + cerr << " Define an attribute Id by name\n\n"; cerr << " --idns/-d \n"; cerr << " Define an attribute Id by namespace URI and name\n\n"; #if defined (XSEC_HAVE_OPENSSL) @@ -208,6 +210,14 @@ int evaluate(int argc, char ** argv) { useXSECURIResolver = true; paramCount++; } + else if (_stricmp(argv[paramCount], "--id") == 0) { + if (paramCount +1 >= argc) { + printUsage(); + return 2; + } + paramCount++; + useIdAttributeName = argv[paramCount++]; + } else if (_stricmp(argv[paramCount], "--idns") == 0 || _stricmp(argv[paramCount], "-d") == 0) { if (paramCount +2 >= argc) { printUsage(); @@ -399,12 +409,17 @@ int evaluate(int argc, char ** argv) { // so we add a KeyInfoResolverDefault to the Signature. sig->setKeyInfoResolver(&theKeyInfoResolver); - sig->registerIdAttributeName(MAKE_UNICODE_STRING("ID")); // Register defined attribute name - if (useIdAttributeName != NULL) - sig->registerIdAttributeNameNS(MAKE_UNICODE_STRING(useIdAttributeNS), - MAKE_UNICODE_STRING(useIdAttributeName)); + if (useIdAttributeName != NULL) { + sig->setIdByAttributeName(true); + if (useIdAttributeNS != NULL) { + sig->registerIdAttributeNameNS(MAKE_UNICODE_STRING(useIdAttributeNS), + MAKE_UNICODE_STRING(useIdAttributeName)); + } else { + sig->registerIdAttributeName(MAKE_UNICODE_STRING(useIdAttributeName)); + } + } // Check whether we should use the internal resolver diff --git a/xsec/transformers/TXFMParser.cpp b/xsec/transformers/TXFMParser.cpp index 705644b..abccda7 100644 --- a/xsec/transformers/TXFMParser.cpp +++ b/xsec/transformers/TXFMParser.cpp @@ -24,7 +24,7 @@ * * Author(s): Berin Lautenbach * - * $Id: TXFMParser.cpp 1125514 2011-05-20 19:08:33Z scantor $ + * $Id: TXFMParser.cpp 1493962 2013-06-17 22:32:41Z scantor $ * */ 
@@ -114,8 +114,11 @@ void TXFMParser::setInput(TXFMBase *newInput) { XercesDOMParser parser; parser.setDoNamespaces(true); - parser.setCreateEntityReferenceNodes(true); - parser.setDoSchema(true); + parser.setLoadExternalDTD(false); + + SecurityManager securityManager; + securityManager.setEntityExpansionLimit(XSEC_ENTITY_EXPANSION_LIMIT); + parser.setSecurityManager(&securityManager); parser.parse(is); xsecsize_t errorCount = parser.getErrorCount(); diff --git a/xsec/transformers/TXFMXSL.cpp b/xsec/transformers/TXFMXSL.cpp index 51e205a..e22aeec 100644 --- a/xsec/transformers/TXFMXSL.cpp +++ b/xsec/transformers/TXFMXSL.cpp @@ -22,7 +22,7 @@ * * TXFMXSL := Class that performs XPath transforms * - * $Id: TXFMXSL.cpp 1125514 2011-05-20 19:08:33Z scantor $ + * $Id: TXFMXSL.cpp 1493962 2013-06-17 22:32:41Z scantor $ * */ @@ -187,8 +187,12 @@ void TXFMXSL::evaluateStyleSheet(const safeBuffer &sbStyleSheet) { parser->setDoNamespaces(true); parser->setCreateEntityReferenceNodes(true); + parser->setLoadExternalDTD(false); parser->setDoSchema(true); + SecurityManager securityManager; + parser->setSecurityManager(&securityManager); + // Create an input source MemBufInputSource* memIS = new MemBufInputSource ((const XMLByte*) txoh.buffer.rawBuffer(), txoh.offset, "XSECMem"); diff --git a/xsec/utils/XSECSOAPRequestorSimple.cpp b/xsec/utils/XSECSOAPRequestorSimple.cpp index a27d345..a910f91 100644 --- a/xsec/utils/XSECSOAPRequestorSimple.cpp +++ b/xsec/utils/XSECSOAPRequestorSimple.cpp @@ -24,7 +24,7 @@ * HTTP wrapper for testing the client code. * * - * $Id: XSECSOAPRequestorSimple.cpp 1125514 2011-05-20 19:08:33Z scantor $ + * $Id: XSECSOAPRequestorSimple.cpp 1493962 2013-06-17 22:32:41Z scantor $ * */ 
@@ -218,31 +218,31 @@ char * XSECSOAPRequestorSimple::wrapAndSerialise(DOMDocument * request) { DOMDocument * XSECSOAPRequestorSimple::parseAndUnwrap(const char * buf, unsigned int len) { - XercesDOMParser * parser = new XercesDOMParser; - Janitor j_parser(parser); + XercesDOMParser parser; + parser.setDoNamespaces(true); + parser.setLoadExternalDTD(false); - parser->setDoNamespaces(true); - parser->setCreateEntityReferenceNodes(true); - parser->setDoSchema(true); + SecurityManager securityManager; + securityManager.setEntityExpansionLimit(XSEC_ENTITY_EXPANSION_LIMIT); + parser.setSecurityManager(&securityManager); // Create an input source - MemBufInputSource* memIS = new MemBufInputSource ((const XMLByte*) buf, len, "XSECMem"); - Janitor j_memIS(memIS); + MemBufInputSource memIS((const XMLByte*) buf, len, "XSECMem"); - parser->parse(*memIS); - xsecsize_t errorCount = parser->getErrorCount(); + parser.parse(memIS); + xsecsize_t errorCount = parser.getErrorCount(); if (errorCount > 0) throw XSECException(XSECException::HTTPURIInputStreamError, "Error parsing response message"); if (m_envelopeType == ENVELOPE_NONE) { - return parser->adoptDocument(); + return parser.adoptDocument(); } - DOMDocument * responseDoc = parser->getDocument(); + DOMDocument * responseDoc = parser.getDocument(); // Must be a SOAP message of some kind - so lets remove the wrapper. // First create a new document for the Response message diff --git a/xsec/utils/XSECSafeBufferFormatter.hpp b/xsec/utils/XSECSafeBufferFormatter.hpp index 5c2a02b..83a143b 100644 --- a/xsec/utils/XSECSafeBufferFormatter.hpp +++ b/xsec/utils/XSECSafeBufferFormatter.hpp @@ -24,7 +24,7 @@ * * Author(s): Berin Lautenbach * - * $Id: XSECSafeBufferFormatter.hpp 1125514 2011-05-20 19:08:33Z scantor $ + * $Id: XSECSafeBufferFormatter.hpp 1482601 2013-05-14 21:31:27Z scantor $ * */ 
@@ -86,8 +86,7 @@ private: * to perform encoding translations with a safeBuffer as a target */ - -class XSECSafeBufferFormatter { +class CANON_EXPORT XSECSafeBufferFormatter { XERCES_CPP_NAMESPACE_QUALIFIER XMLFormatter * formatter; // To actually perform the formatting diff --git a/xsec/xenc/impl/XENCAlgorithmHandlerDefault.cpp b/xsec/xenc/impl/XENCAlgorithmHandlerDefault.cpp index b57b19a..e3985e8 100644 --- a/xsec/xenc/impl/XENCAlgorithmHandlerDefault.cpp +++ b/xsec/xenc/impl/XENCAlgorithmHandlerDefault.cpp @@ -23,7 +23,7 @@ * XSECAlgorithmHandlerDefault := Interface class to define handling of * default encryption algorithms * - * $Id: XENCAlgorithmHandlerDefault.cpp 1363191 2012-07-19 00:33:46Z scantor $ + * $Id: XENCAlgorithmHandlerDefault.cpp 1482595 2013-05-14 21:24:14Z scantor $ * */ 
@@ -1133,24 +1133,27 @@ XSECCryptoKey * XENCAlgorithmHandlerDefault::createKeyForURI( XSECCryptoSymmetricKey * sk = NULL; if (strEquals(uri, DSIGConstants::s_unicodeStrURI3DES_CBC)) { + if (keyLen < 192 / 8) + throw XSECException(XSECException::CipherError, + "XENCAlgorithmHandlerDefault - key size was invalid"); sk = XSECPlatformUtils::g_cryptoProvider->keySymmetric(XSECCryptoSymmetricKey::KEY_3DES_192); } - else if (strEquals(uri, DSIGConstants::s_unicodeStrURIAES128_CBC)) { + else if (strEquals(uri, DSIGConstants::s_unicodeStrURIAES128_CBC) || strEquals(uri, DSIGConstants::s_unicodeStrURIAES128_GCM)) { + if (keyLen < 128 / 8) + throw XSECException(XSECException::CipherError, + "XENCAlgorithmHandlerDefault - key size was invalid"); sk = XSECPlatformUtils::g_cryptoProvider->keySymmetric(XSECCryptoSymmetricKey::KEY_AES_128); } - else if (strEquals(uri, DSIGConstants::s_unicodeStrURIAES192_CBC)) { + else if (strEquals(uri, DSIGConstants::s_unicodeStrURIAES192_CBC) || strEquals(uri, DSIGConstants::s_unicodeStrURIAES192_GCM)) { + if (keyLen < 192 / 8) + throw XSECException(XSECException::CipherError, + "XENCAlgorithmHandlerDefault - key size was invalid"); sk = XSECPlatformUtils::g_cryptoProvider->keySymmetric(XSECCryptoSymmetricKey::KEY_AES_192); } - else if (strEquals(uri, DSIGConstants::s_unicodeStrURIAES256_CBC)) { - sk = XSECPlatformUtils::g_cryptoProvider->keySymmetric(XSECCryptoSymmetricKey::KEY_AES_256); - } - else if (strEquals(uri, DSIGConstants::s_unicodeStrURIAES128_GCM)) { - sk = XSECPlatformUtils::g_cryptoProvider->keySymmetric(XSECCryptoSymmetricKey::KEY_AES_128); - } - else if (strEquals(uri, DSIGConstants::s_unicodeStrURIAES192_GCM)) { - sk = XSECPlatformUtils::g_cryptoProvider->keySymmetric(XSECCryptoSymmetricKey::KEY_AES_192); - } - else if (strEquals(uri, DSIGConstants::s_unicodeStrURIAES256_GCM)) { + else if (strEquals(uri, DSIGConstants::s_unicodeStrURIAES256_CBC) || strEquals(uri, DSIGConstants::s_unicodeStrURIAES256_GCM)) { + if (keyLen < 256 / 
8) + throw XSECException(XSECException::CipherError, + "XENCAlgorithmHandlerDefault - key size was invalid"); sk = XSECPlatformUtils::g_cryptoProvider->keySymmetric(XSECCryptoSymmetricKey::KEY_AES_256); } diff --git a/xsec/xenc/impl/XENCCipherImpl.cpp b/xsec/xenc/impl/XENCCipherImpl.cpp index 44cf029..136c6aa 100644 --- a/xsec/xenc/impl/XENCCipherImpl.cpp +++ b/xsec/xenc/impl/XENCCipherImpl.cpp @@ -22,7 +22,7 @@ * * XENCCipherImpl := Implementation of the main encryption worker class * - * $Id: XENCCipherImpl.cpp 1363191 2012-07-19 00:33:46Z scantor $ + * $Id: XENCCipherImpl.cpp 1493962 2013-06-17 22:32:41Z scantor $ * */ @@ -270,8 +270,9 @@ DOMDocumentFragment * XENCCipherImpl::deSerialise(safeBuffer &content, DOMNode * sb.sbXMLChAppendCh(chCloseAngle); char* prefix = transcodeToUTF8(sb.rawXMLChBuffer()); - sbt = prefix; + XSEC_RELEASE_XMLCH(prefix); + const char * crcb = content.rawCharBuffer(); int offset = 0; if (crcb[0] == '<' && crcb[1] == '?') { @@ -286,9 +287,6 @@ DOMDocumentFragment * XENCCipherImpl::deSerialise(safeBuffer &content, DOMNode * sbt.sbStrcatIn(&crcb[offset]); - // Now transform the content to UTF-8 - //sb.sbXMLChCat8(content.rawCharBuffer()); - // Terminate the string sb.sbXMLChIn(DSIGConstants::s_unicodeStrEmpty); sb.sbXMLChAppendCh(chOpenAngle); 
@@ -300,37 +298,24 @@ DOMDocumentFragment * XENCCipherImpl::deSerialise(safeBuffer &content, DOMNode * sbt.sbStrcatIn(trailer); XSEC_RELEASE_XMLCH(trailer); - // Now we need to parse the document - XercesDOMParser* parser = NULL; - MemBufInputSource* memIS = NULL; - try { - parser = new XercesDOMParser; + // Create an input source + xsecsize_t bytes = XMLString::stringLen(sbt.rawCharBuffer()); + MemBufInputSource memIS((const XMLByte*) sbt.rawBuffer(), bytes, "XSECMem"); - parser->setDoNamespaces(true); - parser->setCreateEntityReferenceNodes(true); - parser->setDoSchema(false); + XercesDOMParser parser; + parser.setDoNamespaces(true); + parser.setLoadExternalDTD(false); - // Create an input source - xsecsize_t bytes = XMLString::stringLen(sbt.rawCharBuffer()); - memIS = new MemBufInputSource((const XMLByte*) sbt.rawBuffer(), bytes, "XSECMem"); - } - catch (...) { - delete memIS; - delete parser; - XSEC_RELEASE_XMLCH(prefix); - throw; - } - - XSEC_RELEASE_XMLCH(prefix); - Janitor j_parser(parser); - Janitor j_memIS(memIS); + SecurityManager securityManager; + securityManager.setEntityExpansionLimit(XSEC_ENTITY_EXPANSION_LIMIT); + parser.setSecurityManager(&securityManager); - parser->parse(*memIS); - xsecsize_t errorCount = parser->getErrorCount(); + parser.parse(memIS); + xsecsize_t errorCount = parser.getErrorCount(); if (errorCount > 0) throw XSECException(XSECException::CipherError, "Errors occured during de-serialisation of decrypted element content"); - DOMDocument * doc = parser->getDocument(); + DOMDocument * doc = parser.getDocument(); // Create a DocumentFragment to hold the children of the parsed doc element DOMDocument *ctxDocument = ctx->getOwnerDocument(); diff --git a/xsec/xkms/impl/XKMSRecoverResultImpl.cpp b/xsec/xkms/impl/XKMSRecoverResultImpl.cpp index 88ded2e..4cdbfba 100644 --- a/xsec/xkms/impl/XKMSRecoverResultImpl.cpp +++ b/xsec/xkms/impl/XKMSRecoverResultImpl.cpp 
@@ -1,20 +1,20 @@ -/** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. */ /* @@ -277,7 +277,7 @@ XKMSRSAKeyPair * XKMSRecoverResultImpl::getRSAKeyPair(const char * passPhrase) { XSECCryptoKey * sk = handler->createKeyForURI( xed->getEncryptionMethod()->getAlgorithm(), (XMLByte *) kbuf, - XSEC_MAX_HASH_SIZE); + len); memset(kbuf, 0, XSEC_MAX_HASH_SIZE); 
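Review bot: In the XENCCipherImpl::deSerialise hunk at -300 on the previous line, the re-parse of decrypted content now runs with setLoadExternalDTD(false) and a SecurityManager whose entity expansion limit is XSEC_ENTITY_EXPANSION_LIMIT; that is the right hardening for a parser fed attacker-controlled ciphertext (no external DTD fetch, bounded entity expansion), and putting the XercesDOMParser and MemBufInputSource on the stack removes the try/catch and the two Janitor objects without losing cleanup on throw. Two things to check: XSEC_ENTITY_EXPANSION_LIMIT is not defined in this file, so it must be visible through the XSEC headers, and dropping setCreateEntityReferenceNodes(true) and setDoSchema(false) relies on the Xerces defaults, which deserves a one-line comment. The retained message "Errors occured during de-serialisation" still carries the misspelling.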
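Review bot: In the XKMSRecoverResultImpl::getRSAKeyPair hunk at -277, createKeyForURI now receives len, the number of key bytes actually derived, instead of the buffer capacity XSEC_MAX_HASH_SIZE; this is required because the XENCAlgorithmHandlerDefault hunk at the top of this patch rejects unexpected key sizes with "key size was invalid", so the length passed here must be the real key length. The memset still wipes the full XSEC_MAX_HASH_SIZE buffer, which is what you want. The same one-line fix is repeated in setRSAKeyPair and twice more in XKMSRegisterResultImpl below; a small helper that derives the key, wraps it and wipes the buffer would keep the four call sites from drifting. The license-header hunk at -1 is whitespace or line-ending only and could be left out of a security patch to keep the diff reviewable.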
@@ -350,7 +350,7 @@ XENCEncryptedData * XKMSRecoverResultImpl::setRSAKeyPair(const char * passPhrase XSECCryptoKey * sk = handler->createKeyForURI( uri, (XMLByte *) kbuf, - XSEC_MAX_HASH_SIZE); + len); memset(kbuf, 0, XSEC_MAX_HASH_SIZE); diff --git a/xsec/xkms/impl/XKMSRegisterResultImpl.cpp b/xsec/xkms/impl/XKMSRegisterResultImpl.cpp index 4d426ac..d51f2ef 100644 --- a/xsec/xkms/impl/XKMSRegisterResultImpl.cpp +++ b/xsec/xkms/impl/XKMSRegisterResultImpl.cpp @@ -22,7 +22,7 @@ * * XKMSRegisterResultImpl := Implementation of RegisterResult Messages * - * $Id: XKMSRegisterResultImpl.cpp 1125514 2011-05-20 19:08:33Z scantor $ + * $Id: XKMSRegisterResultImpl.cpp 1375700 2012-08-21 18:08:00Z scantor $ * */ @@ -277,7 +277,7 @@ XKMSRSAKeyPair * XKMSRegisterResultImpl::getRSAKeyPair(const char * passPhrase) XSECCryptoKey * sk = handler->createKeyForURI( xed->getEncryptionMethod()->getAlgorithm(), (XMLByte *) kbuf, - XSEC_MAX_HASH_SIZE); + len); memset(kbuf, 0, XSEC_MAX_HASH_SIZE); @@ -351,7 +351,7 @@ XENCEncryptedData * XKMSRegisterResultImpl::setRSAKeyPair(const char * passPhras XSECCryptoKey * sk = handler->createKeyForURI( uri, (XMLByte *) kbuf, - XSEC_MAX_HASH_SIZE); + len); memset(kbuf, 0, XSEC_MAX_HASH_SIZE); -- Debian packaging for XML-Security-C From rra at debian.org Tue Jun 18 04:36:33 2013 From: rra at debian.org (Russ Allbery) Date: Tue, 18 Jun 2013 04:36:33 +0000 Subject: [SCM] Debian packaging for XML-Security-C branch, master, updated. debian/1.7.0-1-11-gbbed522 Message-ID: The following commit has been merged in the master branch: commit 3f2a7ca7993a690e3685bff52dcc406d2c07da12 Merge: d83db2ddbb90759ae4e2d9f8070343500f26b3a8 4771f62eb224cf0182db18ec775d99876b833097 Author: Russ Allbery Date: Mon Jun 17 20:59:30 2013 -0700 Merge branch 'fixes/utility-names' -- Debian packaging for XML-Security-C From rra at debian.org Tue Jun 18 04:36:33 2013 
From: rra at debian.org (Russ Allbery) Date: Tue, 18 Jun 2013 04:36:33 +0000 Subject: [SCM] Debian packaging for XML-Security-C branch, master, updated. debian/1.7.0-1-11-gbbed522 Message-ID: The following commit has been merged in the master branch: commit 017dc35514ca2195f0c167fa39c49b8924190704 Author: Russ Allbery Date: Mon Jun 17 21:04:26 2013 -0700 Rename the binaries to xsec-* instead of xmlsec-* * Rename the binaries in the xml-security-c-utils package to start with xsec-* instead of xmlsec-*. This reflects the common abbreviation used by the package. diff --git a/debian/changelog b/debian/changelog index 2267b90..dc7d37a 100644 --- a/debian/changelog +++ b/debian/changelog @@ -14,6 +14,9 @@ xml-security-c (1.7.1-1) UNRELEASED; urgency=high potentially allowing arbitary code execution. (CVE-2013-2156) - Reduce entity expansion limits when parsing. - New --id option to the xenc-checksig utility. + * Rename the binaries in the xml-security-c-utils package to start with + xsec-* instead of xmlsec-*. This reflects the common abbreviation + used by the package. -- Russ Allbery Mon, 17 Jun 2013 20:37:26 -0700 diff --git a/debian/rules b/debian/rules index 7751be1..eadba2e 100755 --- a/debian/rules +++ b/debian/rules @@ -22,9 +22,7 @@ override_dh_auto_configure: override_dh_auto_clean: dh_auto_clean -# Install man pages for the xml-security-c-utils binaries and rename them -# all to start with xmlsec-*. Some of them otherwise have very generic -# names. +# Install man pages for the xml-security-c-utils binaries. override_dh_install: dh_install mkdir -p '$(UTILS_MAN1DIR)' 
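Review bot: In the debian/rules hunk at -22, the comment about renaming the utilities to xmlsec-* at install time is dropped, and the changelog hunk states the binaries now start with xsec-*; that only holds together with the upstream Makefile.am rename in the "Rename all tools to have an xsec-* prefix" commit in this same push, so the two must land together (as the merge of fixes/utility-names does), otherwise a build at this commit installs the generic names the removed comment warned about (checksig, cipher, c14n, ...). The changelog entry should also say that the xmlsec-* names are simply gone, since nothing in the rules hunk adds compatibility symlinks and anything scripted against the old names breaks on upgrade.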
@@ -33,10 +31,6 @@ override_dh_install: --center 'Apache XML Security' --release '$(VERSION)' \ '$(UTILS_MAN1DIR)'/`basename "$$pod" .pod`.1 ; \ done - set -e; for path in '$(UTILS_BINDIR)'/* ; do \ - mv '$(UTILS_BINDIR)'/`basename "$$path"` \ - '$(UTILS_BINDIR)'/xmlsec-`basename "$$path"` ; \ - done override_dh_builddeb: dh_builddeb -- -Zxz -- Debian packaging for XML-Security-C From rra at debian.org Tue Jun 18 04:36:32 2013 From: rra at debian.org (Russ Allbery) Date: Tue, 18 Jun 2013 04:36:32 +0000 Subject: [SCM] Debian packaging for XML-Security-C branch, master, updated. debian/1.7.0-1-11-gbbed522 Message-ID: The following commit has been merged in the master branch: commit 7ec8928e13459703523857dedd2b9b781219f829 Author: Russ Allbery Date: Mon Jun 17 20:46:07 2013 -0700 Note new checksig --id option in changelog and man page diff --git a/debian/changelog b/debian/changelog index 1f203de..2267b90 100644 --- a/debian/changelog +++ b/debian/changelog @@ -13,6 +13,7 @@ xml-security-c (1.7.1-1) UNRELEASED; urgency=high optionally used in conjunction with Exclusive Canonicalization, potentially allowing arbitary code execution. (CVE-2013-2156) - Reduce entity expansion limits when parsing. + - New --id option to the xenc-checksig utility. -- Russ Allbery Mon, 17 Jun 2013 20:37:26 -0700 diff --git a/debian/man-pages/xmlsec-checksig.pod b/debian/man-pages/xmlsec-checksig.pod index 7bd4001..60ef8e4 100644 --- a/debian/man-pages/xmlsec-checksig.pod +++ b/debian/man-pages/xmlsec-checksig.pod @@ -5,7 +5,7 @@ xmlsec-checksig - Check a signature embedded in an XML file =head1 SYNOPSIS B [B<-s>] [B<-h> I] [B<-x>] [B<-d> I I] - [B<-i>] I + [B<-i>] [B<--id> I] I =head1 DESCRIPTION 
@@ -24,6 +24,11 @@ Note that each option must be given as a separate argument. Use the HMAC key specified by I. +=item B<--id> I + +Use the attribute id with name I. To also specify the namespace, +use B<--idns> instead. + =item B<--idns> I I, B<-d> I I Use the attribute id specified by the namespace URI I and the name -- Debian packaging for XML-Security-C From rra at debian.org Tue Jun 18 04:36:31 2013 From: rra at debian.org (Russ Allbery) Date: Tue, 18 Jun 2013 04:36:31 +0000 Subject: [SCM] Debian packaging for XML-Security-C branch, master, updated. debian/1.7.0-1-11-gbbed522 Message-ID: The following commit has been merged in the master branch: commit 86876132a0916a4b82468b551dc33850ee16ebe4 Author: Russ Allbery Date: Mon Jun 17 20:45:54 2013 -0700 Update debian/copyright for the new upstream release diff --git a/debian/copyright b/debian/copyright index eb9e68e..e0bdd8d 100644 --- a/debian/copyright +++ b/debian/copyright @@ -3,13 +3,12 @@ Source: http://santuario.apache.org/cindex.html Upstream-Name: Apache XML Security for C++ Files: * -Copyright: 2010-2012 The Apache Software Foundation +Copyright: 2010-2013 The Apache Software Foundation License: Apache-2.0 Files: */Makefile.in -Copyright: 2002-2010 The Apache Software Foundation - 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005, - 2006, 2007, 2008, 2009 Free Software Foundation, Inc. +Copyright: 2002-2013 The Apache Software Foundation + 1994-2012 Free Software Foundation, Inc. License: Apache-2.0 Files: aclocal.m4 m4/ltoptions.m4 m4/ltsugar.m4 m4/ltversion.m4 
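Review bot: In the xmlsec-checksig.pod hunk at -24 (the --id commit above), the new --id item says "Use the attribute id with name I" but, unlike the --idns item right after it, does not say which namespace is assumed when only a name is given (none, or the default namespace?); one sentence would settle that for users deciding between --id and --idns. Also, the changelog line added in the same commit calls the tool "xenc-checksig", whereas this man page is xmlsec-checksig and the upstream program is checksig (renamed to xsec-checksig later in this push); the changelog name looks like a typo and should match the page.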
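Review bot: In the debian/copyright patch that starts above, the context line "Files: aclocal.m4 m4/ltoptions.m4 m4/ltsugar.m4 m4/ltversion.m4" still lists the three m4/lt*.m4 files, while the next hunk (-51) adds the same m4/ltoptions.m4, m4/ltsugar.m4 and m4/ltversion.m4 to the build-aux/ltmain.sh stanza under "GPL-2+ or libtool-same-as-package"; in copyright-format 1.0 the last matching Files paragraph takes precedence, so the libtool stanza wins, which is presumably intended, but the earlier stanza should drop those three names so a reader does not need to know the precedence rule to see which license applies.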
@@ -51,9 +50,10 @@ Files: build-aux/install-sh Copyright: (C) 1994 X Consortium License: Expat -Files: build-aux/ltmain.sh m4/libtool.m4 +Files: build-aux/ltmain.sh m4/libtool.m4 m4/ltoptions.m4 m4/ltsugar.m4 + m4/ltversion.m4 m4/lt~obsolete.m4 Copyright: 1996, 1997, 1998, 1999, 2000, 2001, 2003, 2004, 2005, 2006, - 2007, 2008, 2009, 2010, 2011 Free Software Foundation, Inc. + 2007, 2008, 2009, 2010, 2011 Free Software Foundation, Inc. License: GPL-2+ or libtool-same-as-package GNU Libtool is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -71,21 +71,19 @@ License: GPL-2+ or libtool-same-as-package General Public License for more details. Files: configure -Copyright: 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001, 2002, - 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010 Free Software - Foundation, Inc. +Copyright: 1992-1996, 1998-2012 Free Software Foundation, Inc. License: FSF-configure-unlimited This configure script is free software; the Free Software Foundation gives unlimited permission to copy, distribute and modify it. Files: debian/* -Copyright: 2006, 2007, 2008, 2009, 2010, 2011 - The Board of Trustees of the Leland Stanford Junior University +Copyright: 2006-2013 + The Board of Trustees of the Leland Stanford Junior University License: Expat Files: m4/ax_pthread.m4 Copyright: 2006 Steven G. Johnson - 2011 Daniel Richard G. + 2011 Daniel Richard G. License: GPL-2+ or macro-archive-same-as-package This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the -- Debian packaging for XML-Security-C From rra at debian.org Tue Jun 18 04:36:32 2013 
From: rra at debian.org (Russ Allbery) Date: Tue, 18 Jun 2013 04:36:32 +0000 Subject: [SCM] Debian packaging for XML-Security-C branch, master, updated. debian/1.7.0-1-11-gbbed522 Message-ID: The following commit has been merged in the master branch: commit 4771f62eb224cf0182db18ec775d99876b833097 Author: Russ Allbery Date: Mon Jun 17 20:59:01 2013 -0700 Rename all tools to have an xsec-* prefix Some of the tool names are rather generic. This will keep them from confusing anyone or conflicting with generic tools from other packages. diff --git a/xsec/Makefile.am b/xsec/Makefile.am index 0396c5c..442069d 100644 --- a/xsec/Makefile.am +++ b/xsec/Makefile.am @@ -69,42 +69,42 @@ tools = # xtest -tools += xtest -xtest_SOURCES = \ +tools += xsec-xtest +xsec_xtest_SOURCES = \ tools/xtest/xtest.cpp -tools += c14n -c14n_SOURCES = \ +tools += xsec-c14n +xsec_c14n_SOURCES = \ tools/c14n/c14n.cpp -tools += checksig -checksig_SOURCES = \ +tools += xsec-checksig +xsec_checksig_SOURCES = \ tools/checksig/checksig.cpp \ tools/checksig/AnonymousResolver.hpp \ tools/checksig/AnonymousResolver.cpp \ tools/checksig/InteropResolver.hpp \ tools/checksig/InteropResolver.cpp -tools += templatesign -templatesign_SOURCES = \ +tools += xsec-templatesign +xsec_templatesign_SOURCES = \ tools/templatesign/templatesign.cpp -tools += txfmout -txfmout_SOURCES = \ +tools += xsec-txfmout +xsec_txfmout_SOURCES = \ tools/txfmout/txfmout.cpp -tools += siginf -siginf_SOURCES = \ +tools += xsec-siginf +xsec_siginf_SOURCES = \ tools/siginf/siginf.cpp -tools += cipher -cipher_SOURCES = \ +tools += xsec-cipher +xsec_cipher_SOURCES = \ tools/cipher/cipher.cpp \ tools/cipher/XencInteropResolver.hpp \ tools/cipher/XencInteropResolver.cpp -tools += xklient -xklient_SOURCES = \ +tools += xsec-xklient +xsec_xklient_SOURCES = \ tools/xklient/xklient.cpp -- Debian packaging for XML-Security-C From rra at debian.org Tue Jun 18 04:36:34 2013 
From: rra at debian.org (Russ Allbery) Date: Tue, 18 Jun 2013 04:36:34 +0000 Subject: [SCM] Debian packaging for XML-Security-C branch, master, updated. debian/1.7.0-1-11-gbbed522 Message-ID: The following commit has been merged in the master branch: commit bbed522d0c134a702188b4a58dd4ef97c6ea6256 Author: Russ Allbery Date: Mon Jun 17 21:28:03 2013 -0700 Finalize changes for 1.7.1-1 diff --git a/debian/changelog b/debian/changelog index 115ac8b..096fab3 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,4 +1,4 @@ -xml-security-c (1.7.1-1) UNRELEASED; urgency=high +xml-security-c (1.7.1-1) experimental; urgency=high * New upstream release. - Fix a spoofing vulnerability that allows an attacker to reuse @@ -18,7 +18,7 @@ xml-security-c (1.7.1-1) UNRELEASED; urgency=high xsec-* instead of xmlsec-*. This reflects the common abbreviation used by the package. - -- Russ Allbery Mon, 17 Jun 2013 20:37:26 -0700 + -- Russ Allbery Mon, 17 Jun 2013 21:27:58 -0700 xml-security-c (1.7.0-1) experimental; urgency=low -- Debian packaging for XML-Security-C From rra at debian.org Tue Jun 18 04:36:32 2013 From: rra at debian.org (Russ Allbery) Date: Tue, 18 Jun 2013 04:36:32 +0000 Subject: [SCM] Debian packaging for XML-Security-C branch, master, updated. debian/1.7.0-1-11-gbbed522 Message-ID: The following commit has been merged in the master branch: commit d83db2ddbb90759ae4e2d9f8070343500f26b3a8 Author: Russ Allbery Date: Mon Jun 17 20:54:29 2013 -0700 Rename all the man pages to use the new xsec-* prefix This is a better prefix for the binaries and will be acceptable upstream. diff --git a/debian/man-pages/xmlsec-c14n.pod b/debian/man-pages/xsec-c14n.pod similarity index 100% rename from debian/man-pages/xmlsec-c14n.pod rename to debian/man-pages/xsec-c14n.pod diff --git a/debian/man-pages/xmlsec-checksig.pod b/debian/man-pages/xsec-checksig.pod similarity index 100% rename from debian/man-pages/xmlsec-checksig.pod rename to debian/man-pages/xsec-checksig.pod 
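Review bot: The pod renames in this patch are all "similarity index 100%", so the files move to xsec-*.pod but their contents are untouched: the NAME line shown as hunk context in the xmlsec-checksig.pod change earlier in this push still reads "xmlsec-checksig - Check a signature embedded in an XML file", and presumably the other seven pages carry the old names in the same way. The NAME and SYNOPSIS text, and any cross-references between the pages, need the same xsec- rename, ideally in this commit, otherwise the generated .1 files and apropos output advertise commands that no longer exist after the binaries are renamed.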
diff --git a/debian/man-pages/xmlsec-cipher.pod b/debian/man-pages/xsec-cipher.pod similarity index 100% rename from debian/man-pages/xmlsec-cipher.pod rename to debian/man-pages/xsec-cipher.pod diff --git a/debian/man-pages/xmlsec-siginf.pod b/debian/man-pages/xsec-siginf.pod similarity index 100% rename from debian/man-pages/xmlsec-siginf.pod rename to debian/man-pages/xsec-siginf.pod diff --git a/debian/man-pages/xmlsec-templatesign.pod b/debian/man-pages/xsec-templatesign.pod similarity index 100% rename from debian/man-pages/xmlsec-templatesign.pod rename to debian/man-pages/xsec-templatesign.pod diff --git a/debian/man-pages/xmlsec-txfmout.pod b/debian/man-pages/xsec-txfmout.pod similarity index 100% rename from debian/man-pages/xmlsec-txfmout.pod rename to debian/man-pages/xsec-txfmout.pod diff --git a/debian/man-pages/xmlsec-xklient.pod b/debian/man-pages/xsec-xklient.pod similarity index 100% rename from debian/man-pages/xmlsec-xklient.pod rename to debian/man-pages/xsec-xklient.pod diff --git a/debian/man-pages/xmlsec-xtest.pod b/debian/man-pages/xsec-xtest.pod similarity index 100% rename from debian/man-pages/xmlsec-xtest.pod rename to debian/man-pages/xsec-xtest.pod -- Debian packaging for XML-Security-C From rra at debian.org Tue Jun 18 04:36:34 2013 From: rra at debian.org (Russ Allbery) Date: Tue, 18 Jun 2013 04:36:34 +0000 Subject: [SCM] Debian packaging for XML-Security-C branch, master, updated. debian/1.7.0-1-11-gbbed522 Message-ID: The following commit has been merged in the master branch: commit 5d7b47a8177ce6e8aa7a1add4f55c5df3f8fc149 Author: Russ Allbery Date: Mon Jun 17 21:27:29 2013 -0700 Fix spelling error in changelog diff --git a/debian/changelog b/debian/changelog index dc7d37a..115ac8b 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -11,7 +11,7 @@ xml-security-c (1.7.1-1) UNRELEASED; urgency=high chosen input. (CVE-2013-2155) - Fix a heap overflow in the processing of the PrefixList attribute optionally used in conjunction with Exclusive Canonicalization, - potentially allowing arbitary code execution. (CVE-2013-2156) + potentially allowing arbitrary code execution. (CVE-2013-2156) - Reduce entity expansion limits when parsing. - New --id option to the xenc-checksig utility. * Rename the binaries in the xml-security-c-utils package to start with -- Debian packaging for XML-Security-C From rra at debian.org Tue Jun 18 04:36:53 2013 From: rra at debian.org (Russ Allbery) Date: Tue, 18 Jun 2013 04:36:53 +0000 Subject: [SCM] Debian packaging for XML-Security-C branch, pristine-tar, updated. cb8f29bce97fe939589e4a6c944ff290ec353b1f Message-ID: The following commit has been merged in the pristine-tar branch: commit cb8f29bce97fe939589e4a6c944ff290ec353b1f Author: Russ Allbery Date: Mon Jun 17 20:35:31 2013 -0700 pristine-tar data for xml-security-c_1.7.1.orig.tar.gz diff --git a/xml-security-c_1.7.1.orig.tar.gz.delta b/xml-security-c_1.7.1.orig.tar.gz.delta new file mode 100644 index 0000000..f0aaa96 Binary files /dev/null and b/xml-security-c_1.7.1.orig.tar.gz.delta differ diff --git a/xml-security-c_1.7.1.orig.tar.gz.id b/xml-security-c_1.7.1.orig.tar.gz.id new file mode 100644 index 0000000..292e260 --- /dev/null +++ b/xml-security-c_1.7.1.orig.tar.gz.id @@ -0,0 +1 @@ +0e3babe58eab12e45806562bc1a2bc8d28c851fb -- Debian packaging for XML-Security-C From rra at debian.org Tue Jun 18 04:36:57 2013 
From: rra at debian.org (Russ Allbery) Date: Tue, 18 Jun 2013 04:36:57 +0000 Subject: [SCM] Debian packaging for XML-Security-C annotated tag, debian/1.7.1-1, created. debian/1.7.1-1 Message-ID: The annotated tag, debian/1.7.1-1 has been created at 4edeb14bc024452b4c43dc12354f68d3d05d826a (tag) tagging bbed522d0c134a702188b4a58dd4ef97c6ea6256 (commit) replaces debian/1.7.0-1 tagged by Russ Allbery on Mon Jun 17 21:35:54 2013 -0700 - Shortlog ------------------------------------------------------------ Debian release 1.7.1-1 Format: 1.8 Date: Mon, 17 Jun 2013 21:27:58 -0700 Source: xml-security-c Binary: libxml-security-c17 libxml-security-c-dev xml-security-c-utils Architecture: source i386 Version: 1.7.1-1 Distribution: experimental Urgency: high Maintainer: Debian Shib Team Changed-By: Russ Allbery Description: libxml-security-c-dev - C++ library for XML Digital Signatures (development) libxml-security-c17 - C++ library for XML Digital Signatures (runtime) xml-security-c-utils - C++ library for XML Digital Signatures (utilities) Changes: xml-security-c (1.7.1-1) experimental; urgency=high . * New upstream release. - Fix a spoofing vulnerability that allows an attacker to reuse existing signatures with arbitrary content. (CVE-2013-2153) - Fix a stack overflow in the processing of malformed XPointer expressions in the XML Signature Reference processing code. (CVE-2013-2154) - Fix processing of the output length of an HMAC-based XML Signature that could cause a denial of service when processing specially chosen input. (CVE-2013-2155) - Fix a heap overflow in the processing of the PrefixList attribute optionally used in conjunction with Exclusive Canonicalization, potentially allowing arbitrary code execution. (CVE-2013-2156) - Reduce entity expansion limits when parsing. - New --id option to the xenc-checksig utility. * Rename the binaries in the xml-security-c-utils package to start with xsec-* instead of xmlsec-*. 
This reflects the common abbreviation used by the package. Checksums-Sha1: 4da37c984346235f478312fcd389d92b1491f402 1301 xml-security-c_1.7.1-1.dsc 4253f691fe2cde5bc4a3bdf557b9566eb1c769e6 875367 xml-security-c_1.7.1.orig.tar.gz 17b6ddbfc01e507dc46e3aa8ea0c162f6bc4016e 11932 xml-security-c_1.7.1-1.debian.tar.xz a9ed8e54e7ea498519004332ba9c05a590aea94b 286096 libxml-security-c17_1.7.1-1_i386.deb 53bf31f135735dc1a4e77f770583ddca139f0158 110762 libxml-security-c-dev_1.7.1-1_i386.deb a8919b98311177acd6d011286a857eaa5504ca69 122612 xml-security-c-utils_1.7.1-1_i386.deb Checksums-Sha256: 3ad17c63c5f4b100ce460522f79b58e5e9c50c726e08082875f714cfe49fcfa8 1301 xml-security-c_1.7.1-1.dsc 3d306660702d620b30605627f970b90667ed967211a8fc26b3243e6d3abeb32e 875367 xml-security-c_1.7.1.orig.tar.gz 096a7a3231e6aa0f2d22ae40adf608230fb336bed205d3d808a079249c4470a5 11932 xml-security-c_1.7.1-1.debian.tar.xz 16fc6f7e41f35b6874c51cdbc4053c8e421c4f3547af5c43968344be1425e382 286096 libxml-security-c17_1.7.1-1_i386.deb 5a1a70565ff675ab9ffd45792529ff14bf72aab1154e644df828183bf2def0dd 110762 libxml-security-c-dev_1.7.1-1_i386.deb 0fbdbc4c908b5c24983889885f851f7b923ba8ed36eef68da03b62d10f617697 122612 xml-security-c-utils_1.7.1-1_i386.deb Files: 38597cdece45f21e651db36536d11175 1301 libs extra xml-security-c_1.7.1-1.dsc cce922e188afcd557636c53c58113bae 875367 libs extra xml-security-c_1.7.1.orig.tar.gz 1ac3f4939b70531398384f2dbca5a9a0 11932 libs extra xml-security-c_1.7.1-1.debian.tar.xz d4dab530ca022ed3d43b47804ad0c21b 286096 libs extra libxml-security-c17_1.7.1-1_i386.deb 47eb510cb43054bf6269f34adb641325 110762 libdevel extra libxml-security-c-dev_1.7.1-1_i386.deb e181455bc78dfd4e05288f82138d1128 122612 utils extra xml-security-c-utils_1.7.1-1_i386.deb -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQEcBAABCAAGBQJRv+O4AAoJEH2AMVxXNt51YdIIALn2wkrtLYFd/j/p10T/68OW jq3LkZF/7Sll/4JHERMjDQHT0qQGUReX7m9sueyMR4JBsp48qCs0zE86ly1xxsky 
493USV0o8z1SMD67XmU7yNpz5y1F9rEw0KP7b3YdNh3/mzUK3k9znqe17SaktG3X /I4ttFtYLz6ASFZ+i9VIRNGVwWCAxGzCbPBwzE6RR/MsCRW0d0vn7BVPXXEi8wah SF4XHKkOF7zCsJCap0F1zY5O19v9kI4znKKJLVeFFTzWPExwZNmKrZaGWcOZJ4Ep yIZIsr/NkU6PmCta9N+CeU79EDPg29oGa6aHnfDPvuH1G4B14AbgNYCaovlJ4A4= =SU++ -----END PGP SIGNATURE----- Russ Allbery (11): Imported Upstream version 1.7.1 Merge tag 'upstream/1.7.1' Add changelog for upstream 1.7.1 release Update debian/copyright for the new upstream release Note new checksig --id option in changelog and man page Rename all the man pages to use the new xsec-* prefix Rename all tools to have an xsec-* prefix Merge branch 'fixes/utility-names' Rename the binaries to xsec-* instead of xmlsec-* Fix spelling error in changelog Finalize changes for 1.7.1-1 ----------------------------------------------------------------------- -- Debian packaging for XML-Security-C From rra at debian.org Tue Jun 18 04:36:58 2013 From: rra at debian.org (Russ Allbery) Date: Tue, 18 Jun 2013 04:36:58 +0000 Subject: [SCM] Debian packaging for XML-Security-C annotated tag, upstream/1.7.1, created. upstream/1.7.1 Message-ID: The annotated tag, upstream/1.7.1 has been created at 68c6b3d674df928e0b837d50c18587fbbaac0d15 (tag) tagging faf40d76b8142e959e85e9667064672d911cd878 (commit) replaces upstream/1.7.0 tagged by Russ Allbery on Mon Jun 17 20:35:31 2013 -0700 - Shortlog ------------------------------------------------------------ Upstream version 1.7.1 Russ Allbery (1): Imported Upstream version 1.7.1 ----------------------------------------------------------------------- -- Debian packaging for XML-Security-C From ftpmaster at ftp-master.debian.org Tue Jun 18 04:42:35 2013 
From: ftpmaster at ftp-master.debian.org (Debian FTP Masters) Date: Tue, 18 Jun 2013 04:42:35 +0000 Subject: Processing of xml-security-c_1.7.1-1_i386.changes Message-ID: xml-security-c_1.7.1-1_i386.changes uploaded successfully to localhost along with the files: xml-security-c_1.7.1-1.dsc xml-security-c_1.7.1.orig.tar.gz xml-security-c_1.7.1-1.debian.tar.xz libxml-security-c17_1.7.1-1_i386.deb libxml-security-c-dev_1.7.1-1_i386.deb xml-security-c-utils_1.7.1-1_i386.deb Greetings, Your Debian queue daemon (running on host franck.debian.org) From ftpmaster at ftp-master.debian.org Tue Jun 18 04:48:23 2013 
From: ftpmaster at ftp-master.debian.org (Debian FTP Masters) Date: Tue, 18 Jun 2013 04:48:23 +0000 Subject: xml-security-c_1.7.1-1_i386.changes ACCEPTED into experimental Message-ID: Accepted: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Format: 1.8 Date: Mon, 17 Jun 2013 21:27:58 -0700 Source: xml-security-c Binary: libxml-security-c17 libxml-security-c-dev xml-security-c-utils Architecture: source i386 Version: 1.7.1-1 Distribution: experimental Urgency: high Maintainer: Debian Shib Team Changed-By: Russ Allbery Description: libxml-security-c-dev - C++ library for XML Digital Signatures (development) libxml-security-c17 - C++ library for XML Digital Signatures (runtime) xml-security-c-utils - C++ library for XML Digital Signatures (utilities) Changes: xml-security-c (1.7.1-1) experimental; urgency=high . * New upstream release. - Fix a spoofing vulnerability that allows an attacker to reuse existing signatures with arbitrary content. (CVE-2013-2153) - Fix a stack overflow in the processing of malformed XPointer expressions in the XML Signature Reference processing code. (CVE-2013-2154) - Fix processing of the output length of an HMAC-based XML Signature that could cause a denial of service when processing specially chosen input. (CVE-2013-2155) - Fix a heap overflow in the processing of the PrefixList attribute optionally used in conjunction with Exclusive Canonicalization, potentially allowing arbitrary code execution. (CVE-2013-2156) - Reduce entity expansion limits when parsing. - New --id option to the xenc-checksig utility. * Rename the binaries in the xml-security-c-utils package to start with xsec-* instead of xmlsec-*. This reflects the common abbreviation used by the package. 
Checksums-Sha1: 6aa4f945d377372be46b4a313a4c7036de2ef4d2 1841 xml-security-c_1.7.1-1.dsc 4253f691fe2cde5bc4a3bdf557b9566eb1c769e6 875367 xml-security-c_1.7.1.orig.tar.gz 17b6ddbfc01e507dc46e3aa8ea0c162f6bc4016e 11932 xml-security-c_1.7.1-1.debian.tar.xz a9ed8e54e7ea498519004332ba9c05a590aea94b 286096 libxml-security-c17_1.7.1-1_i386.deb 53bf31f135735dc1a4e77f770583ddca139f0158 110762 libxml-security-c-dev_1.7.1-1_i386.deb a8919b98311177acd6d011286a857eaa5504ca69 122612 xml-security-c-utils_1.7.1-1_i386.deb Checksums-Sha256: d140e13cf5532181cf7c35bf89c996e450ebec2afa8ddc4fb935edb3d90597f2 1841 xml-security-c_1.7.1-1.dsc 3d306660702d620b30605627f970b90667ed967211a8fc26b3243e6d3abeb32e 875367 xml-security-c_1.7.1.orig.tar.gz 096a7a3231e6aa0f2d22ae40adf608230fb336bed205d3d808a079249c4470a5 11932 xml-security-c_1.7.1-1.debian.tar.xz 16fc6f7e41f35b6874c51cdbc4053c8e421c4f3547af5c43968344be1425e382 286096 libxml-security-c17_1.7.1-1_i386.deb 5a1a70565ff675ab9ffd45792529ff14bf72aab1154e644df828183bf2def0dd 110762 libxml-security-c-dev_1.7.1-1_i386.deb 0fbdbc4c908b5c24983889885f851f7b923ba8ed36eef68da03b62d10f617697 122612 xml-security-c-utils_1.7.1-1_i386.deb Files: c34494db2e81cf2e81b733ee29bc6e2c 1841 libs extra xml-security-c_1.7.1-1.dsc cce922e188afcd557636c53c58113bae 875367 libs extra xml-security-c_1.7.1.orig.tar.gz 1ac3f4939b70531398384f2dbca5a9a0 11932 libs extra xml-security-c_1.7.1-1.debian.tar.xz d4dab530ca022ed3d43b47804ad0c21b 286096 libs extra libxml-security-c17_1.7.1-1_i386.deb 47eb510cb43054bf6269f34adb641325 110762 libdevel extra libxml-security-c-dev_1.7.1-1_i386.deb e181455bc78dfd4e05288f82138d1128 122612 utils extra xml-security-c-utils_1.7.1-1_i386.deb -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQEcBAEBCAAGBQJRv+PwAAoJEH2AMVxXNt51DsMIAL3a+IKok/U2ptMsKMRrAtU6 +EKQ1c6PcaZn9r1rTslQq1dR4R4542iHZli3aZ6nl/lUywNaze8tHU9J82EQkjtP Afnwb0w9ibDECx9kOGl00kLyWUoH9TROMKNz5Ywl89gou9CfLcOE9u1fLzdlqhzY 
AWqjfm9URM4LKyEQZKk3XKDEZU1RCo/PBM8PrMB9GwC0f80dztj4cP/2hu0r1zPp ukictis+buhxrs8qcbTEWLg9v5HTvpf/4ThJKf7juci3xkQn7v+oHV5lNV7rEU+S O8xGb3GhLiTHtsa2Rsjh8lF/PWTeu3D6yJoMy06kZyBHWuVdyf+BZWZE8MtbKgs= =GJ5+ -----END PGP SIGNATURE----- Thank you for your contribution to Debian. From rra at debian.org Tue Jun 18 05:04:44 2013 From: rra at debian.org (Russ Allbery) Date: Mon, 17 Jun 2013 22:04:44 -0700 Subject: XML Security C update status Message-ID: <8738sg6mc3.fsf@windlord.stanford.edu> For those following on the mailing list, I have packages prepared for stable and oldstable as well, and am waiting to hear back from the security team about upload permission and timing. I'm also waiting to hear back about whether I should do a separate upload to unstable or let the stable security update take care of it, since currently unstable and stable are at the same version. The new Shibboleth SP package should be coming along tomorrow some time. -- Russ Allbery (rra at debian.org) From rra at debian.org Tue Jun 18 05:44:38 2013 
From: rra at debian.org (Russ Allbery) Date: Tue, 18 Jun 2013 05:44:38 +0000 Subject: [SCM] Debian packaging for XML-Security-C branch, squeeze, updated. debian/1.5.1-3+squeeze1-2-g570de2f Message-ID: The following commit has been merged in the squeeze branch: commit 97670d82b1d2dc285f9c930b445b7bebb0788246 Author: Russ Allbery Date: Sun Jun 16 21:58:48 2013 -0700 Apply upstream security patches * Apply upstream patch to fix a spoofing vulnerability that allows an attacker to reuse existing signatures with arbitrary content. (CVE-2013-2153) * Apply upstream patch to fix a stack overflow in the processing of malformed XPointer expressions in the XML Signature Reference processing code. (CVE-2013-2154) * Apply upstream patch to fix processing of the output length of an HMAC-based XML Signature that could cause a denial of service when processing specially chosen input. (CVE-2013-2155) * Apply upstream patch to fix a heap overflow in the processing of the PrefixList attribute optionally used in conjunction with Exclusive Canonicalization, potentially allowing arbitrary code execution. (CVE-2013-2156) diff --git a/debian/changelog b/debian/changelog index cd3d26a..85b0199 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,3 +1,21 @@ +xml-security-c (1.5.1-3+squeeze2) oldstable-security; urgency=high + + * Apply upstream patch to fix a spoofing vulnerability that allows an + attacker to reuse existing signatures with arbitrary content. + (CVE-2013-2153) + * Apply upstream patch to fix a stack overflow in the processing of + malformed XPointer expressions in the XML Signature Reference + processing code. (CVE-2013-2154) + * Apply upstream patch to fix processing of the output length of an + HMAC-based XML Signature that could cause a denial of service when + processing specially chosen input. (CVE-2013-2155) + * Apply upstream patch to fix a heap overflow in the processing of the + PrefixList attribute optionally used in conjunction with Exclusive + Canonicalization, potentially allowing arbitary code execution. + (CVE-2013-2156) + + -- Russ Allbery Sun, 16 Jun 2013 22:20:05 -0700 + xml-security-c (1.5.1-3+squeeze1) stable-security; urgency=high * Apply upstream patch to fix buffer overflow when signing or verifying diff --git a/include/xsec/framework/XSECDefs.hpp b/include/xsec/framework/XSECDefs.hpp index 9b2d938..78686eb 100644 --- a/include/xsec/framework/XSECDefs.hpp +++ b/include/xsec/framework/XSECDefs.hpp @@ -64,6 +64,9 @@ typedef unsigned int xsecsize_t; #endif +// Pending API change, compile in a limit for Xerces SecurityManager entity expansion +#define XSEC_ENTITY_EXPANSION_LIMIT 1000 + // -------------------------------------------------------------------------------- // Namespace Handling diff --git a/src/canon/XSECC14n20010315.cpp b/src/canon/XSECC14n20010315.cpp index 9447686..e1e85e1 100644 --- a/src/canon/XSECC14n20010315.cpp +++ b/src/canon/XSECC14n20010315.cpp @@ -236,6 +236,8 @@ void XSECC14n20010315::setExclusive(char * xmlnsList) { } + ArrayJanitor j_nsBuf(nsBuf); + int i, j; i = 0; 
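Review bot: In the debian/changelog hunk at -1, the new 1.5.1-3+squeeze2 entry lists only the four CVE fixes, but this same patch also introduces XSEC_ENTITY_EXPANSION_LIMIT (a compile-time constant of 1000 in the XSECDefs.hpp hunk, with no runtime override, as its "Pending API change" comment admits); that is a visible behaviour change for documents with heavy but legitimate entity use and deserves its own changelog line, as the 1.7.1 entry has ("Reduce entity expansion limits when parsing"), ideally saying where the limit is enforced. The added line "potentially allowing arbitary code execution" also carries the typo that the "Fix spelling error in changelog" commit corrects on master; fix it here before upload.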
@@ -243,21 +245,22 @@ void XSECC14n20010315::setExclusive(char * xmlnsList) { while (xmlnsList[i] != '\0') { while (xmlnsList[i] == ' ' || - xmlnsList[i] == '\0' || xmlnsList[i] == '\t' || xmlnsList[i] == '\r' || - xmlnsList[i] == '\n') + xmlnsList[i] == '\n') { ++i; // Skip white space + } j = 0; while (!(xmlnsList[i] == ' ' || xmlnsList[i] == '\0' || xmlnsList[i] == '\t' || xmlnsList[i] == '\r' || - xmlnsList[i] == '\n')) + xmlnsList[i] == '\n')) { nsBuf[j++] = xmlnsList[i++]; // Copy name + } // Terminate the string nsBuf[j] = '\0'; @@ -277,8 +280,6 @@ void XSECC14n20010315::setExclusive(char * xmlnsList) { } - delete[] nsBuf; - } diff --git a/src/dsig/DSIGAlgorithmHandlerDefault.cpp b/src/dsig/DSIGAlgorithmHandlerDefault.cpp index 7a1fde2..5a886cd 100644 --- a/src/dsig/DSIGAlgorithmHandlerDefault.cpp +++ b/src/dsig/DSIGAlgorithmHandlerDefault.cpp @@ -57,6 +57,15 @@ bool compareBase64StringToRaw(const char * b64Str, // Compare at most maxCompare bits (if maxCompare > 0) // Note - whilst the other parameters are bytes, maxCompare is bits + // The div function below takes signed int, so make sure the value + // is safe to cast. + if ((int) maxCompare < 0) { + + throw XSECException(XSECException::CryptoProviderError, + "Comparison length was unsafe"); + + } + unsigned char outputStr[MAXB64BUFSIZE]; unsigned int outputLen = 0; @@ -123,7 +132,7 @@ bool compareBase64StringToRaw(const char * b64Str, char mask = 0x01; if (maxCompare != 0) { - for (j = 0 ; j < (unsigned int) d.rem; ++i) { + for (j = 0 ; j < (unsigned int) d.rem; ++j) { if ((raw[i] & mask) != (outputStr[i] & mask)) return false; 
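Review bot: In the XSECC14n20010315::setExclusive hunk at -243, removing xmlnsList[i] == '\0' from the whitespace-skipping loop is the real fix: the old loop kept advancing i past the terminating NUL, so the copy loop that follows read from beyond the end of the string and wrote into nsBuf until it happened to meet whitespace or another NUL, which is the heap overflow named in the changelog (CVE-2013-2156). After the fix the skip loop stops on the NUL, but control then falls straight into the copy loop with j = 0 and stores an empty name in nsBuf; for a PrefixList with trailing whitespace that registers an empty prefix unless the code after the hunk filters it, so add `if (xmlnsList[i] == '\0') break;` right after the skip loop. The ArrayJanitor on nsBuf in the -236 hunk together with the removed delete[] at -277 means nsBuf is also freed on the throw paths, which the old code did not do.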
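Review bot: In the compareBase64StringToRaw hunk at -123, the loop previously incremented i instead of j, so j never advanced and the loop ran until a mismatch or until i walked off both arrays; with ++j the counter now terminates, but the body still indexes raw[i] and outputStr[i] with a fixed i, which is only correct if mask is shifted on each iteration in code outside the hunk (the "char mask = 0x01" context suggests a bit-walk), so confirm that, otherwise the loop compares the same bit d.rem times. In the -57 hunk, the new `(int) maxCompare < 0` check does reject values that would overflow the int argument of div(), but converting an out-of-range unsigned to int is implementation-defined; `maxCompare > INT_MAX` says what is meant without relying on that.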
@@ -477,7 +486,7 @@ unsigned int DSIGAlgorithmHandlerDefault::signToSafeBuffer( // Signature already created, so just translate to base 64 and enter string // FIX: CVE-2009-0217 - if (outputLength > 0 && (outputLength < 80 || outputLength < hashLen / 2)) { + if (outputLength > 0 && (outputLength > hashLen || outputLength < 80 || outputLength < hashLen / 2)) { throw XSECException(XSECException::AlgorithmMapperError, "HMACOutputLength set to unsafe value."); } @@ -584,7 +593,7 @@ bool DSIGAlgorithmHandlerDefault::verifyBase64Signature( // Already done - just compare calculated value with read value // FIX: CVE-2009-0217 - if (outputLength > 0 && (outputLength < 80 || outputLength < hashLen / 2)) { + if (outputLength > 0 && (outputLength > hashLen || outputLength < 80 || outputLength < hashLen / 2)) { throw XSECException(XSECException::AlgorithmMapperError, "HMACOutputLength set to unsafe value."); } diff --git a/src/dsig/DSIGReference.cpp b/src/dsig/DSIGReference.cpp index 78e43d8..a6cc179 100644 --- a/src/dsig/DSIGReference.cpp +++ b/src/dsig/DSIGReference.cpp @@ -488,17 +488,15 @@ TXFMBase * DSIGReference::getURIBaseTXFM(DOMDocument * doc, } else if (URI[9] == XERCES_CPP_NAMESPACE_QUALIFIER chOpenParen && - URI[10] == XERCES_CPP_NAMESPACE_QUALIFIER chLatin_i && - URI[11] == XERCES_CPP_NAMESPACE_QUALIFIER chLatin_d && - URI[12] == XERCES_CPP_NAMESPACE_QUALIFIER chOpenParen && - URI[13] == XERCES_CPP_NAMESPACE_QUALIFIER chSingleQuote) { + URI[10] == XERCES_CPP_NAMESPACE_QUALIFIER chLatin_i && + URI[11] == XERCES_CPP_NAMESPACE_QUALIFIER chLatin_d && + URI[12] == XERCES_CPP_NAMESPACE_QUALIFIER chOpenParen && + URI[13] == XERCES_CPP_NAMESPACE_QUALIFIER chSingleQuote) { xsecsize_t len = XMLString::stringLen(&URI[14]); - XMLCh tmp[512]; - - if (len > 511) - len = 511; + XMLCh* tmp = new XMLCh[len + 1]; + ArrayJanitor j_tmp(tmp); xsecsize_t j = 14, i = 0; 
@@ -602,9 +600,14 @@ void DSIGReference::load(void) { // Now check for Transforms tmpElt = mp_referenceNode->getFirstChild(); - while (tmpElt != 0 && (tmpElt->getNodeType() != DOMNode::ELEMENT_NODE)) + while (tmpElt != 0 && (tmpElt->getNodeType() != DOMNode::ELEMENT_NODE)) { + if (tmpElt->getNodeType() == DOMNode::ENTITY_REFERENCE_NODE) { + throw XSECException(XSECException::ExpectedDSIGChildNotFound, + "EntityReference nodes in are unsupported."); + } // Skip text and comments tmpElt = tmpElt->getNextSibling(); + } if (tmpElt == 0) { @@ -623,13 +626,19 @@ void DSIGReference::load(void) { // Find next node tmpElt = tmpElt->getNextSibling(); - while (tmpElt != 0 && (tmpElt->getNodeType() != DOMNode::ELEMENT_NODE)) + while (tmpElt != 0 && (tmpElt->getNodeType() != DOMNode::ELEMENT_NODE)) { + if (tmpElt->getNodeType() == DOMNode::ENTITY_REFERENCE_NODE) { + throw XSECException(XSECException::ExpectedDSIGChildNotFound, + "EntityReference nodes in are unsupported."); + } tmpElt = tmpElt->getNextSibling(); + } } /* if tmpElt node type = transforms */ - else + else { mp_transformList = NULL; + } if (tmpElt == NULL || !strEquals(getDSIGLocalName(tmpElt), "DigestMethod")) { @@ -664,8 +673,14 @@ void DSIGReference::load(void) { tmpElt = tmpElt->getNextSibling(); - while (tmpElt != 0 && !(strEquals(getDSIGLocalName(tmpElt), "DigestValue"))) + while (tmpElt != 0 && + (tmpElt->getNodeType() != DOMNode::ELEMENT_NODE || !strEquals(getDSIGLocalName(tmpElt), "DigestValue"))) { + if (tmpElt->getNodeType() == DOMNode::ENTITY_REFERENCE_NODE) { + throw XSECException(XSECException::ExpectedDSIGChildNotFound, + "EntityReference nodes in are unsupported."); + } tmpElt = tmpElt->getNextSibling(); + } if (tmpElt == 0) { 
@@ -703,8 +718,13 @@ void DSIGReference::load(void) { // Find Manifest child manifestNode = manifestNode->getFirstChild(); - while (manifestNode != 0 && manifestNode->getNodeType() != DOMNode::ELEMENT_NODE) + while (manifestNode != 0 && manifestNode->getNodeType() != DOMNode::ELEMENT_NODE) { + if (manifestNode->getNodeType() == DOMNode::ENTITY_REFERENCE_NODE) { + throw XSECException(XSECException::ExpectedDSIGChildNotFound, + "EntityReference nodes in are unsupported."); + } manifestNode = manifestNode->getNextSibling(); + } if (manifestNode == 0 || !strEquals(getDSIGLocalName(manifestNode), "Manifest")) throw XSECException(XSECException::ExpectedDSIGChildNotFound, @@ -715,8 +735,14 @@ void DSIGReference::load(void) { // Now have the manifest node, find the first reference and load! referenceNode = manifestNode->getFirstChild(); - while (referenceNode != 0 && !strEquals(getDSIGLocalName(referenceNode), "Reference")) + while (referenceNode != 0 && + (referenceNode->getNodeType() != DOMNode::ELEMENT_NODE || !strEquals(getDSIGLocalName(referenceNode), "Reference"))) { + if (referenceNode->getNodeType() == DOMNode::ENTITY_REFERENCE_NODE) { + throw XSECException(XSECException::ExpectedDSIGChildNotFound, + "EntityReference nodes in are unsupported."); + } referenceNode = referenceNode->getNextSibling(); + } if (referenceNode == 0) throw XSECException(XSECException::ExpectedDSIGChildNotFound, @@ -769,8 +795,13 @@ DSIGReferenceList *DSIGReference::loadReferenceListFromXML(const XSECEnv * env, // Find next element Node tmpRef = tmpRef->getNextSibling(); - while (tmpRef != 0 && tmpRef->getNodeType() != DOMNode::ELEMENT_NODE) + while (tmpRef != 0 && tmpRef->getNodeType() != DOMNode::ELEMENT_NODE) { + if (tmpRef->getNodeType() == DOMNode::ENTITY_REFERENCE_NODE) { + throw XSECException(XSECException::ExpectedDSIGChildNotFound, + "EntityReference nodes in are unsupported."); + } tmpRef = tmpRef->getNextSibling(); + } } 
diff --git a/src/dsig/DSIGSignedInfo.cpp b/src/dsig/DSIGSignedInfo.cpp index 494cfb8..3e141b3 100644 --- a/src/dsig/DSIGSignedInfo.cpp +++ b/src/dsig/DSIGSignedInfo.cpp @@ -284,9 +284,14 @@ void DSIGSignedInfo::load(void) { // Check for CanonicalizationMethod - while (tmpSI != 0 && (tmpSI->getNodeType() != DOMNode::ELEMENT_NODE)) + while (tmpSI != 0 && (tmpSI->getNodeType() != DOMNode::ELEMENT_NODE)) { + if (tmpSI->getNodeType() == DOMNode::ENTITY_REFERENCE_NODE) { + throw XSECException(XSECException::ExpectedDSIGChildNotFound, + "EntityReference nodes in are unsupported."); + } // Skip text and comments tmpSI = tmpSI->getNextSibling(); + } if (tmpSI == 0 || !strEquals(getDSIGLocalName(tmpSI), "CanonicalizationMethod")) { @@ -347,17 +352,23 @@ void DSIGSignedInfo::load(void) { } - else + else { throw XSECException(XSECException::UnknownCanonicalization); + } // Now load the SignatureMethod tmpSI = tmpSI->getNextSibling(); - while (tmpSI != 0 && (tmpSI->getNodeType() != DOMNode::ELEMENT_NODE)) + while (tmpSI != 0 && (tmpSI->getNodeType() != DOMNode::ELEMENT_NODE)) { + if (tmpSI->getNodeType() == DOMNode::ENTITY_REFERENCE_NODE) { + throw XSECException(XSECException::ExpectedDSIGChildNotFound, + "EntityReference nodes in are unsupported."); + } // Skip text and comments tmpSI = tmpSI->getNextSibling(); + } if (tmpSI == 0 || !strEquals(getDSIGLocalName(tmpSI), "SignatureMethod")) { 
@@ -391,10 +402,14 @@ void DSIGSignedInfo::load(void) { * longer know at this point if this is an HMAC, we need to check. */ DOMNode *tmpSOV = tmpSI->getFirstChild(); - while (tmpSOV != NULL && - tmpSOV->getNodeType() != DOMNode::ELEMENT_NODE && - !strEquals(getDSIGLocalName(tmpSOV), "HMACOutputLength")) + while (tmpSOV != NULL && + (tmpSOV->getNodeType() != DOMNode::ELEMENT_NODE || !strEquals(getDSIGLocalName(tmpSOV), "HMACOutputLength"))) { + if (tmpSOV->getNodeType() == DOMNode::ENTITY_REFERENCE_NODE) { + throw XSECException(XSECException::ExpectedDSIGChildNotFound, + "EntityReference nodes in are unsupported."); + } tmpSOV = tmpSOV->getNextSibling(); + } if (tmpSOV != NULL) { @@ -418,9 +433,14 @@ void DSIGSignedInfo::load(void) { // Run through the rest of the elements until done - while (tmpSI != 0 && (tmpSI->getNodeType() != DOMNode::ELEMENT_NODE)) + while (tmpSI != 0 && (tmpSI->getNodeType() != DOMNode::ELEMENT_NODE)) { + if (tmpSI->getNodeType() == DOMNode::ENTITY_REFERENCE_NODE) { + throw XSECException(XSECException::ExpectedDSIGChildNotFound, + "EntityReference nodes in are unsupported."); + } // Skip text and comments tmpSI = tmpSI->getNextSibling(); + } if (tmpSI != NULL) { diff --git a/src/transformers/TXFMParser.cpp b/src/transformers/TXFMParser.cpp index 3a7ef32..c3cb842 100644 --- a/src/transformers/TXFMParser.cpp +++ b/src/transformers/TXFMParser.cpp @@ -111,8 +111,11 @@ void TXFMParser::setInput(TXFMBase *newInput) { XercesDOMParser parser; parser.setDoNamespaces(true); - parser.setCreateEntityReferenceNodes(true); - parser.setDoSchema(true); + parser.setLoadExternalDTD(false); + + SecurityManager securityManager; + securityManager.setEntityExpansionLimit(XSEC_ENTITY_EXPANSION_LIMIT); + parser.setSecurityManager(&securityManager); parser.parse(is); xsecsize_t errorCount = parser.getErrorCount(); diff --git a/src/transformers/TXFMXSL.cpp b/src/transformers/TXFMXSL.cpp index 63e8206..89cb45e 100644 --- a/src/transformers/TXFMXSL.cpp 
+++ b/src/transformers/TXFMXSL.cpp @@ -180,8 +180,12 @@ void TXFMXSL::evaluateStyleSheet(const safeBuffer &sbStyleSheet) { parser->setDoNamespaces(true); parser->setCreateEntityReferenceNodes(true); + parser->setLoadExternalDTD(false); parser->setDoSchema(true); + SecurityManager securityManager; + parser->setSecurityManager(&securityManager); + // Create an input source MemBufInputSource* memIS = new MemBufInputSource ((const XMLByte*) txoh.buffer.rawBuffer(), txoh.offset, "XSECMem"); diff --git a/src/utils/XSECSOAPRequestorSimple.cpp b/src/utils/XSECSOAPRequestorSimple.cpp index cae2ae6..405a00d 100644 --- a/src/utils/XSECSOAPRequestorSimple.cpp +++ b/src/utils/XSECSOAPRequestorSimple.cpp 
@@ -213,31 +213,31 @@ char * XSECSOAPRequestorSimple::wrapAndSerialise(DOMDocument * request) { DOMDocument * XSECSOAPRequestorSimple::parseAndUnwrap(const char * buf, unsigned int len) { - XercesDOMParser * parser = new XercesDOMParser; - Janitor j_parser(parser); + XercesDOMParser parser; + parser.setDoNamespaces(true); + parser.setLoadExternalDTD(false); - parser->setDoNamespaces(true); - parser->setCreateEntityReferenceNodes(true); - parser->setDoSchema(true); + SecurityManager securityManager; + securityManager.setEntityExpansionLimit(XSEC_ENTITY_EXPANSION_LIMIT); + parser.setSecurityManager(&securityManager); // Create an input source - MemBufInputSource* memIS = new MemBufInputSource ((const XMLByte*) buf, len, "XSECMem"); - Janitor j_memIS(memIS); + MemBufInputSource memIS((const XMLByte*) buf, len, "XSECMem"); - parser->parse(*memIS); - xsecsize_t errorCount = parser->getErrorCount(); + parser.parse(memIS); + xsecsize_t errorCount = parser.getErrorCount(); if (errorCount > 0) throw XSECException(XSECException::HTTPURIInputStreamError, "Error parsing response message"); if (m_envelopeType == ENVELOPE_NONE) { - return parser->adoptDocument(); + return parser.adoptDocument(); } - DOMDocument * responseDoc = parser->getDocument(); + DOMDocument * responseDoc = parser.getDocument(); // Must be a SOAP message of some kind - so lets remove the wrapper. // First create a new document for the Response message diff --git a/src/xenc/impl/XENCCipherImpl.cpp b/src/xenc/impl/XENCCipherImpl.cpp index 5db1d63..f1a0e2a 100644 --- a/src/xenc/impl/XENCCipherImpl.cpp +++ b/src/xenc/impl/XENCCipherImpl.cpp @@ -303,9 +303,6 @@ DOMDocumentFragment * XENCCipherImpl::deSerialise(safeBuffer &content, DOMNode * sbt.sbStrcatIn(&crcb[offset]); - // Now transform the content to UTF-8 - //sb.sbXMLChCat8(content.rawCharBuffer()); - // Terminate the string sb.sbXMLChIn(DSIGConstants::s_unicodeStrEmpty); 
@@ -318,27 +315,26 @@ DOMDocumentFragment * XENCCipherImpl::deSerialise(safeBuffer &content, DOMNode * ArrayJanitor j_trailer(trailer); sbt.sbStrcatIn(trailer); - // Now we need to parse the document - - XercesDOMParser * parser = new XercesDOMParser; - Janitor j_parser(parser); - - parser->setDoNamespaces(true); - parser->setCreateEntityReferenceNodes(true); - parser->setDoSchema(false); - // Create an input source xsecsize_t bytes = XMLString::stringLen(sbt.rawCharBuffer()); MemBufInputSource* memIS = new MemBufInputSource ((const XMLByte*) sbt.rawBuffer(), bytes, "XSECMem"); Janitor j_memIS(memIS); - parser->parse(*memIS); - xsecsize_t errorCount = parser->getErrorCount(); + XercesDOMParser parser; + parser.setDoNamespaces(true); + parser.setLoadExternalDTD(false); + + SecurityManager securityManager; + securityManager.setEntityExpansionLimit(XSEC_ENTITY_EXPANSION_LIMIT); + parser.setSecurityManager(&securityManager); + + parser.parse(*memIS); + xsecsize_t errorCount = parser.getErrorCount(); if (errorCount > 0) throw XSECException(XSECException::CipherError, "Errors occured during de-serialisation of decrypted element content"); - DOMDocument * doc = parser->getDocument(); + DOMDocument * doc = parser.getDocument(); // Create a DocumentFragment to hold the children of the parsed doc element DOMDocument *ctxDocument = ctx->getOwnerDocument(); -- Debian packaging for XML-Security-C From rra at debian.org Tue Jun 18 05:44:38 2013 From: rra at debian.org (Russ Allbery) Date: Tue, 18 Jun 2013 05:44:38 +0000 Subject: [SCM] Debian packaging for XML-Security-C branch, squeeze, updated. debian/1.5.1-3+squeeze1-2-g570de2f Message-ID: The following commit has been merged in the squeeze branch: commit 570de2f65d23d88c60c63e97dde6ff09f68c93f2 Author: Russ Allbery Date: Mon Jun 17 22:32:34 2013 -0700 Fix typo in changelog diff --git a/debian/changelog b/debian/changelog index 85b0199..f863265 100644 --- a/debian/changelog +++ b/debian/changelog 
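Review bot: the new `#define XSEC_ENTITY_EXPANSION_LIMIT 1000` in include/xsec/framework/XSECDefs.hpp is a compile-time constant with no way for a caller to raise or lower it, and neither it nor the `parser.setLoadExternalDTD(false)` calls that accompany it are recorded in the debian/changelog hunk at the top of this patch. Documents that legitimately expand more than 1000 entities, or that rely on an external DTD subset, will now fail to parse with no hint why; add a changelog bullet describing the parser hardening (external DTD loading disabled, entity expansion capped at 1000) so users can recognise the failure, and turn the limit into a runtime setting once the "Pending API change" the comment refers to lands.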
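Review bot: in XSECC14n20010315::setExclusive (src/canon/XSECC14n20010315.cpp) dropping `xmlnsList[i] == '\0'` from the whitespace-skip loop stops the index running past the terminator, but a PrefixList with trailing whitespace now reaches `j = 0;` with `xmlnsList[i] == '\0'`, so the copy loop does nothing and an empty prefix name is processed on the last iteration. Add `if (xmlnsList[i] == '\0') break;` between the two inner loops. The hunk also does not show how nsBuf is sized; since the copy loop only stops at whitespace or NUL, the buffer the new ArrayJanitor manages has to be at least strlen(xmlnsList) + 1 bytes, and it would be worth stating that in the commit message given this is the CVE-2013-2156 fix.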
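Review bot: in compareBase64StringToRaw (src/dsig/DSIGAlgorithmHandlerDefault.cpp) the guard `if ((int) maxCompare < 0)` relies on an unsigned-to-int conversion whose result for values above INT_MAX is implementation-defined; write it as `if (maxCompare > (unsigned int) INT_MAX)` so the intent is explicit and a compiler cannot fold the test away. Throwing CryptoProviderError for a bad length argument is also misleading; an algorithm-mapper or argument error code would point the caller at the right place. The `++i` to `++j` change in the bit-comparison loop is a real correctness fix on its own (the loop counter was never advanced while the byte index ran past the end of raw and outputStr) and deserves its own line in the changelog.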
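Review bot: the HMACOutputLength predicate `outputLength > 0 && (outputLength > hashLen || outputLength < 80 || outputLength < hashLen / 2)` is now duplicated verbatim in signToSafeBuffer and verifyBase64Signature in src/dsig/DSIGAlgorithmHandlerDefault.cpp; factor it into one helper so the two paths cannot drift apart, especially since the earlier CVE-2009-0217 fix already had to be applied in both places. The new `outputLength > hashLen` term is the important part: without it the caller asks compareBase64StringToRaw to compare more bits than the MAC contains, which is the denial of service the changelog files under CVE-2013-2155.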
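Review bot: in DSIGReference::getURIBaseTXFM (src/dsig/DSIGReference.cpp) the fixed `XMLCh tmp[512]` with its `len > 511` clamp is replaced by `XMLCh* tmp = new XMLCh[len + 1];` sized from stringLen(&URI[14]); that is only safe if the copy loop that follows (not in the hunk, starting at `xsecsize_t j = 14, i = 0;`) stops at the end of URI rather than only at the closing `')`, otherwise an `#xpointer(id('` with no terminator still writes past the buffer. Quote the loop exit condition in the commit message or add an explicit `i < len` bound. The re-indentation of the unchanged `URI[10]`..`URI[13]` comparisons adds noise to a security backport and is better kept out of it.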
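Review bot: the same four-line EntityReference check is pasted into ten sibling-walking loops across DSIGReference::load, DSIGReference::loadReferenceListFromXML and DSIGSignedInfo::load (src/dsig/DSIGReference.cpp, src/dsig/DSIGSignedInfo.cpp); move it into one helper that skips text and comment nodes and throws on ENTITY_REFERENCE_NODE, so the next loop added to these files cannot forget it. The exception code ExpectedDSIGChildNotFound does not describe the condition, and the message `"EntityReference nodes in are unsupported."` is missing the element name; a dedicated code would let callers distinguish a malformed signature from an unsupported feature. Note also that the HMACOutputLength loop in DSIGSignedInfo::load changes `&&` to `||` between the node-type and name tests: the old condition stopped at the first element child of SignatureMethod whatever its name, so any other element there was read as the output length. That is a separate logic fix and should be called out in the changelog.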
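Review bot: src/transformers/TXFMXSL.cpp is hardened differently from the other three parser sites: it keeps `parser->setCreateEntityReferenceNodes(true);` and `parser->setDoSchema(true);`, which TXFMParser.cpp, XSECSOAPRequestorSimple.cpp and XENCCipherImpl.cpp drop, and its SecurityManager never gets setEntityExpansionLimit(XSEC_ENTITY_EXPANSION_LIMIT), so the stylesheet parser runs with the Xerces default rather than the compiled-in cap. In addition `parser` there is a pointer whose lifetime is not visible in the hunk, while `securityManager` is a local of evaluateStyleSheet; if the parser object is used after the function returns it holds a dangling SecurityManager pointer. Either make the four sites identical or say in the commit message why the XSL path is exempt.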
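Review bot: in XSECSOAPRequestorSimple::parseAndUnwrap and XENCCipherImpl::deSerialise the move to a stack-allocated XercesDOMParser is fine, but dropping `parser->setDoSchema(true);` from the SOAP response parser is a silent behaviour change (responses are no longer schema-validated) that the changelog should record alongside the DTD and entity-expansion hardening. For consistency with parseAndUnwrap, the MemBufInputSource in deSerialise could also become a stack object and lose its Janitor; as written the two functions now set up the same parser in two different styles.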
@@ -11,10 +11,10 @@ xml-security-c (1.5.1-3+squeeze2) oldstable-security; urgency=high processing specially chosen input. (CVE-2013-2155) * Apply upstream patch to fix a heap overflow in the processing of the PrefixList attribute optionally used in conjunction with Exclusive - Canonicalization, potentially allowing arbitary code execution. + Canonicalization, potentially allowing arbitrary code execution. (CVE-2013-2156) - -- Russ Allbery Sun, 16 Jun 2013 22:20:05 -0700 + -- Russ Allbery Mon, 17 Jun 2013 22:32:25 -0700 xml-security-c (1.5.1-3+squeeze1) stable-security; urgency=high -- Debian packaging for XML-Security-C From rra at debian.org Tue Jun 18 05:44:44 2013 From: rra at debian.org (Russ Allbery) Date: Tue, 18 Jun 2013 05:44:44 +0000 Subject: [SCM] Debian packaging for XML-Security-C branch, fixes/utility-names, created. upstream/1.7.1-1-g4771f62 Message-ID: The branch, fixes/utility-names has been created at 4771f62eb224cf0182db18ec775d99876b833097 (commit) - Shortlog ------------------------------------------------------------ ----------------------------------------------------------------------- -- Debian packaging for XML-Security-C From rra at debian.org Tue Jun 18 05:44:45 2013 
From: rra at debian.org (Russ Allbery)
Date: Tue, 18 Jun 2013 05:44:45 +0000
Subject: [SCM] Debian packaging for XML-Security-C branch, wheezy, created. debian/1.6.1-5-2-g9577046
Message-ID:

The branch, wheezy has been created
        at  9577046aea8cb49e2e7b9d32ad78c97b2640fb81 (commit)

- Shortlog ------------------------------------------------------------
commit 9577046aea8cb49e2e7b9d32ad78c97b2640fb81
Author: Russ Allbery
Date:   Mon Jun 17 22:25:47 2013 -0700

    Fix typo in changelog

commit 330b65e4104e1744b6ee9b4e4a49bbc97ccbd563
Author: Russ Allbery
Date:   Sun Jun 16 21:58:48 2013 -0700

    Apply upstream security patches

    * Apply upstream patch to fix a spoofing vulnerability that allows an
      attacker to reuse existing signatures with arbitrary content.
      (CVE-2013-2153)
    * Apply upstream patch to fix a stack overflow in the processing of
      malformed XPointer expressions in the XML Signature Reference
      processing code. (CVE-2013-2154)
    * Apply upstream patch to fix processing of the output length of an
      HMAC-based XML Signature that could cause a denial of service when
      processing specially chosen input. (CVE-2013-2155)
    * Apply upstream patch to fix a heap overflow in the processing of the
      PrefixList attribute optionally used in conjunction with Exclusive
      Canonicalization, potentially allowing arbitary code execution.
      (CVE-2013-2156)

-----------------------------------------------------------------------

-- 
Debian packaging for XML-Security-C

From rra at debian.org Tue Jun 18 05:44:45 2013
From: rra at debian.org (Russ Allbery)
Date: Tue, 18 Jun 2013 05:44:45 +0000
Subject: [SCM] Debian packaging for XML-Security-C branch, jessie, created. debian/1.6.1-5-1-gb746ed0
Message-ID:

The branch, jessie has been created
        at  b746ed0682ae68d877ef6b5c83065c9e0af34efa (commit)

- Shortlog ------------------------------------------------------------
commit b746ed0682ae68d877ef6b5c83065c9e0af34efa
Author: Russ Allbery
Date:   Sun Jun 16 21:58:48 2013 -0700

    Apply upstream security patches

    * Apply upstream patch to fix a spoofing vulnerability that allows an
      attacker to reuse existing signatures with arbitrary content.
      (CVE-2013-2153)
    * Apply upstream patch to fix a stack overflow in the processing of
      malformed XPointer expressions in the XML Signature Reference
      processing code. (CVE-2013-2154)
    * Apply upstream patch to fix processing of the output length of an
      HMAC-based XML Signature that could cause a denial of service when
      processing specially chosen input. (CVE-2013-2155)
    * Apply upstream patch to fix a heap overflow in the processing of the
      PrefixList attribute optionally used in conjunction with Exclusive
      Canonicalization, potentially allowing arbitrary code execution.
      (CVE-2013-2156)

-----------------------------------------------------------------------

-- 
Debian packaging for XML-Security-C

From rra at debian.org Tue Jun 18 05:44:51 2013
From: rra at debian.org (Russ Allbery)
Date: Tue, 18 Jun 2013 05:44:51 +0000
Subject: [SCM] Debian packaging for XML-Security-C annotated tag, debian/1.5.1-3+squeeze2, created. debian/1.5.1-3+squeeze2
Message-ID:

The annotated tag, debian/1.5.1-3+squeeze2 has been created
        at  68ba2cd7aa3142ad756094044e1f599c29572ea6 (tag)
   tagging  570de2f65d23d88c60c63e97dde6ff09f68c93f2 (commit)
  replaces  debian/1.5.1-3+squeeze1
 tagged by  Russ Allbery
        on  Mon Jun 17 22:36:22 2013 -0700

- Shortlog ------------------------------------------------------------
Debian release 1.5.1-3+squeeze2

Format: 1.8
Date: Mon, 17 Jun 2013 22:32:25 -0700
Source: xml-security-c
Binary: libxml-security-c15 libxml-security-c-dev
Architecture: source i386
Version: 1.5.1-3+squeeze2
Distribution: oldstable-security
Urgency: high
Maintainer: Debian Shib Team
Changed-By: Russ Allbery
Description:
 libxml-security-c-dev - C++ library for XML Digital Signatures (development)
 libxml-security-c15 - C++ library for XML Digital Signatures (runtime)
Changes:
 xml-security-c (1.5.1-3+squeeze2) oldstable-security; urgency=high
 .
   * Apply upstream patch to fix a spoofing vulnerability that allows an
     attacker to reuse existing signatures with arbitrary content.
     (CVE-2013-2153)
   * Apply upstream patch to fix a stack overflow in the processing of
     malformed XPointer expressions in the XML Signature Reference
     processing code. (CVE-2013-2154)
   * Apply upstream patch to fix processing of the output length of an
     HMAC-based XML Signature that could cause a denial of service when
     processing specially chosen input. (CVE-2013-2155)
   * Apply upstream patch to fix a heap overflow in the processing of the
     PrefixList attribute optionally used in conjunction with Exclusive
     Canonicalization, potentially allowing arbitrary code execution.
     (CVE-2013-2156)
Checksums-Sha1:
 3ce5cbbc8f4b7a7b4dc35b7f31fb2a0177579f4f 1130 xml-security-c_1.5.1-3+squeeze2.dsc
 448c817fd7f23a7af95d8140c3acb873c4742ccd 11409 xml-security-c_1.5.1-3+squeeze2.diff.gz
 56f6a0843ed407e7f1251fea0ffe55467531f767 353826 libxml-security-c15_1.5.1-3+squeeze2_i386.deb
 440a28a29bbed621517031025dfb6fc2d8deeb7c 141818 libxml-security-c-dev_1.5.1-3+squeeze2_i386.deb
Checksums-Sha256:
 b93c0c02cd99f460e631452116319c693b3f6f10a5987a1b8d1f17d943c879af 1130 xml-security-c_1.5.1-3+squeeze2.dsc
 84a63e5ab73d1bb411ac13c37378321fa75aa99b6702293fffbee178bbd4865b 11409 xml-security-c_1.5.1-3+squeeze2.diff.gz
 a7f27e86e2699926ce4e77801190725939f2769b53e585f29167acfa361e6b88 353826 libxml-security-c15_1.5.1-3+squeeze2_i386.deb
 9c245f62b344db23bf222dfe99ce82a42bc820ed72d0e054033919c5d4af8efb 141818 libxml-security-c-dev_1.5.1-3+squeeze2_i386.deb
Files:
 62e66f9ee91a9eace826cf2805d20fc7 1130 libs extra xml-security-c_1.5.1-3+squeeze2.dsc
 b89ef9b4f5e5b7fbf3cc47d7d313fe99 11409 libs extra xml-security-c_1.5.1-3+squeeze2.diff.gz
 f2810505d4c302e9d3773ba57ad6bf76 353826 libs extra libxml-security-c15_1.5.1-3+squeeze2_i386.deb
 433a487e2e0c68589971bc1f4b9b6d43 141818 libdevel extra libxml-security-c-dev_1.5.1-3+squeeze2_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAABCAAGBQJRv/HyAAoJEH2AMVxXNt5188cIAKFBsjRJD4ilrmIcKsm80an1
Tp5wqdh16/jGzXRgxmY9r5VzEVn5/IA2YOBMf38wrd4oQ2/6tF6MgqjDIuuqiGl6
ljhF26gET60WntrdYmnet0ub4E1JDTC9vjE3EQOaiJV2GfCF583qNDiJmsTRU2Mv
ZpUdgyhRpMGgVjdFISsAhEhYikaRybaHBHVe4XaKpdV4gFvks5KEs6NHBZk970Lz
SVeS9esQ5ie1ALE4fLe9nrAbZukWok4o0wGwITNrSKmoIXobLrhyIBz2GJpNX7Ag
Nwbq5nwG/ZWfgo3fM/fKql9kpm91oP/hkJYKYQTjSUCWIDInpRFzM1zcJhBlb54=
=THGU
-----END PGP SIGNATURE-----

Russ Allbery (2):
      Apply upstream security patches
      Fix typo in changelog

-----------------------------------------------------------------------

-- 
Debian packaging for XML-Security-C

From rra at debian.org Tue Jun 18 05:44:51 2013
From: rra at debian.org (Russ Allbery)
Date: Tue, 18 Jun 2013 05:44:51 +0000
Subject: [SCM] Debian packaging for XML-Security-C annotated tag, debian/1.6.1-5+deb7u1, created. debian/1.6.1-5+deb7u1
Message-ID:

The annotated tag, debian/1.6.1-5+deb7u1 has been created
        at  06e25d58223fa2604dfb0b4a926c8bea19a57573 (tag)
   tagging  9577046aea8cb49e2e7b9d32ad78c97b2640fb81 (commit)
  replaces  debian/1.6.1-5
 tagged by  Russ Allbery
        on  Mon Jun 17 22:30:31 2013 -0700

- Shortlog ------------------------------------------------------------
Debian release 1.6.1-5+deb7u1

Format: 1.8
Date: Mon, 17 Jun 2013 22:25:32 -0700
Source: xml-security-c
Binary: libxml-security-c16 libxml-security-c-dev
Architecture: source i386
Version: 1.6.1-5+deb7u1
Distribution: stable-security
Urgency: high
Maintainer: Debian Shib Team
Changed-By: Russ Allbery
Description:
 libxml-security-c-dev - C++ library for XML Digital Signatures (development)
 libxml-security-c16 - C++ library for XML Digital Signatures (runtime)
Changes:
 xml-security-c (1.6.1-5+deb7u1) stable-security; urgency=high
 .
   * Apply upstream patch to fix a spoofing vulnerability that allows an
     attacker to reuse existing signatures with arbitrary content.
     (CVE-2013-2153)
   * Apply upstream patch to fix a stack overflow in the processing of
     malformed XPointer expressions in the XML Signature Reference
     processing code. (CVE-2013-2154)
   * Apply upstream patch to fix processing of the output length of an
     HMAC-based XML Signature that could cause a denial of service when
     processing specially chosen input. (CVE-2013-2155)
   * Apply upstream patch to fix a heap overflow in the processing of the
     PrefixList attribute optionally used in conjunction with Exclusive
     Canonicalization, potentially allowing arbitrary code execution.
     (CVE-2013-2156)
Checksums-Sha1:
 fc28ad2fad0f51aae7b444d34d926e336e638b23 1273 xml-security-c_1.6.1-5+deb7u1.dsc
 239304659752eb214f3516b6c457c99f0e6467c7 864366 xml-security-c_1.6.1.orig.tar.gz
 e02663825c4d0a2fe7eec4213debf7ec4f394054 11874 xml-security-c_1.6.1-5+deb7u1.debian.tar.gz
 58d74341079e57ef9f70e54c6507c1205716855c 375248 libxml-security-c16_1.6.1-5+deb7u1_i386.deb
 50b76eba534719931db9a90ca71c70964b562cd9 151234 libxml-security-c-dev_1.6.1-5+deb7u1_i386.deb
Checksums-Sha256:
 b361cea1856f162fcf9e598c3f1d84a57fadf7bc5082e0e67b7e0392554dacd2 1273 xml-security-c_1.6.1-5+deb7u1.dsc
 73931a55d6925a82416ea48f8d6f1b8ed591368e1dfc30574fe43904b7c62fcd 864366 xml-security-c_1.6.1.orig.tar.gz
 92d65c29ca6c41c79261ded82d2678efb79981aff2e138f41643acb0bb475639 11874 xml-security-c_1.6.1-5+deb7u1.debian.tar.gz
 d094000713051e96172328fad12d450e3c994240b63032e92101e4c6b0e52f32 375248 libxml-security-c16_1.6.1-5+deb7u1_i386.deb
 0014888e3a485f34986aeae43832a9a1c97b85f0bdff4fd8d14d1ca28c4a2127 151234 libxml-security-c-dev_1.6.1-5+deb7u1_i386.deb
Files:
 2370aa261cebd861d08f4ad96fd6a3b1 1273 libs extra xml-security-c_1.6.1-5+deb7u1.dsc
 808316c80a7453b6d50a0bceb7ebe9bc 864366 libs extra xml-security-c_1.6.1.orig.tar.gz
 1395788da13ab0999ebdd2dfab74e73a 11874 libs extra xml-security-c_1.6.1-5+deb7u1.debian.tar.gz
 e7678e819e9f964c703e9961bc595f23 375248 libs extra libxml-security-c16_1.6.1-5+deb7u1_i386.deb
 eb14d6a5a5c59d0f111f5533c49118a5 151234 libdevel extra libxml-security-c-dev_1.6.1-5+deb7u1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAABCAAGBQJRv/CFAAoJEH2AMVxXNt51ZLMH/1rdxhBI3QrXdlC4CMOUOLcG
fvc4bjR/4gqG+amyaZDVZkDccpSoVuqgAP7Z9jzZ9YnahJ3ocSxqHpY0I0p0xFik
tmmaJR4Nb4gt8/0cS5b1gKYaKRkSsZaeBWQIqjo5n9R9ntM59Bc3kniIP6xfKk78
/1s0D7tDghZu7daqe9yH9daEyg8rTxfyd+sXOh+35zT1JwDDr9XnqUy+dbyRoWIC
TpA2+HRW+2eOVGZ+dDGEubk7bzhAsfy7okoGIMOe4TqE0ipLY44+V5h9llt57wCq
87HVEUZpeUKFVhMUq+cSvMDys30rCOvyiEfeRJITcJhI6btO+uzyt9KglbUnkrU=
=y4on
-----END PGP SIGNATURE-----
Russ Allbery (2):
      Apply upstream security patches
      Fix typo in changelog

-----------------------------------------------------------------------

-- 
Debian packaging for XML-Security-C

From rra at debian.org Tue Jun 18 05:44:51 2013
From: rra at debian.org (Russ Allbery)
Date: Tue, 18 Jun 2013 05:44:51 +0000
Subject: [SCM] Debian packaging for XML-Security-C annotated tag, debian/1.6.1-6, created. debian/1.6.1-6
Message-ID:

The annotated tag, debian/1.6.1-6 has been created
        at  f0ac2e37bb7c3f96090144cc5ded091c854a2814 (tag)
   tagging  b746ed0682ae68d877ef6b5c83065c9e0af34efa (commit)
  replaces  debian/1.6.1-5
 tagged by  Russ Allbery
        on  Mon Jun 17 22:43:39 2013 -0700

- Shortlog ------------------------------------------------------------
Debian release 1.6.1-6

Format: 1.8
Date: Mon, 17 Jun 2013 22:25:32 -0700
Source: xml-security-c
Binary: libxml-security-c16 libxml-security-c-dev
Architecture: source i386
Version: 1.6.1-6
Distribution: unstable
Urgency: high
Maintainer: Debian Shib Team
Changed-By: Russ Allbery
Description:
 libxml-security-c-dev - C++ library for XML Digital Signatures (development)
 libxml-security-c16 - C++ library for XML Digital Signatures (runtime)
Changes:
 xml-security-c (1.6.1-6) unstable; urgency=high
 .
   * Apply upstream patch to fix a spoofing vulnerability that allows an
     attacker to reuse existing signatures with arbitrary content.
     (CVE-2013-2153)
   * Apply upstream patch to fix a stack overflow in the processing of
     malformed XPointer expressions in the XML Signature Reference
     processing code. (CVE-2013-2154)
   * Apply upstream patch to fix processing of the output length of an
     HMAC-based XML Signature that could cause a denial of service when
     processing specially chosen input. (CVE-2013-2155)
   * Apply upstream patch to fix a heap overflow in the processing of the
     PrefixList attribute optionally used in conjunction with Exclusive
     Canonicalization, potentially allowing arbitrary code execution.
     (CVE-2013-2156)
Checksums-Sha1:
 7d5f77229ba8baecb55ee651a99828a04346e914 1245 xml-security-c_1.6.1-6.dsc
 461ca76f00d5bc93bf4f8b4b1b2f610e2a538559 11710 xml-security-c_1.6.1-6.debian.tar.gz
 8cb9168d96ee39c928f8e8b299e4c0e23b8ff703 369536 libxml-security-c16_1.6.1-6_i386.deb
 f5c6826e8726831f1e21a0fa2bc244c11a37e0ba 151214 libxml-security-c-dev_1.6.1-6_i386.deb
Checksums-Sha256:
 292c6b003aa0de95593461ddd8aaece722d8b79a28bbb0013a3a3ce13bd0d4a2 1245 xml-security-c_1.6.1-6.dsc
 da3a4a694679319645aaf8a68cd95d0958b0fdf9b226655048a5be77faac5330 11710 xml-security-c_1.6.1-6.debian.tar.gz
 a6d85dcf7c716ce53a9a3e3d15868455c9e97a8d7d7e55ff01fe51aa4c569d7d 369536 libxml-security-c16_1.6.1-6_i386.deb
 de89b954941647b8cd1cf31366b87306391a431d514173b8bcf6dcfa5a770d34 151214 libxml-security-c-dev_1.6.1-6_i386.deb
Files:
 bc22772d002f1fee985a43585335d0d4 1245 libs extra xml-security-c_1.6.1-6.dsc
 ef0a096023f4fd1509a522d53dd39ffb 11710 libs extra xml-security-c_1.6.1-6.debian.tar.gz
 e582ebb337b3162556b8accea649bc72 369536 libs extra libxml-security-c16_1.6.1-6_i386.deb
 858ea72ce94a2d4bab88dd2eec1481ac 151214 libdevel extra libxml-security-c-dev_1.6.1-6_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAABCAAGBQJRv/OeAAoJEH2AMVxXNt510FoH/iD3nuY+Z2O7Nn7m4q6h/4CS
VzdSlmq4g079LUcJm+5jumfc7GvKMW/UZvAi8p8nbNbebeCH+NBl7rCYOEVzT9UN
RROwJS84LtLtWccbZcPXLNXjxR4ArFbuCvSFlUkMVfoigyUNuAJVtiNX2dRRJ5y5
ECAtcBKGGe1nnC1P8zA1nn3khulsxlUAffKqcsNfmLJuldYpO/ixrWDESDwAjiwd
wflbCNA4Vm3c+whQXKtjDMVuiH7Y7ym4fP2Q/BnH8Qwy33Ztecw6usgCpNpvAXCI
Tq6/pVpBD/dEPGEZ8R9DAHUwp1j6KcXcn8sCuxVrGVeF9s8UB4ZrVMZtX7SUk+s=
=KEuO
-----END PGP SIGNATURE-----

Russ Allbery (1):
      Apply upstream security patches

-----------------------------------------------------------------------

-- 
Debian packaging for XML-Security-C

From rra at debian.org Tue Jun 18 05:46:47 2013
From: rra at debian.org (Russ Allbery)
Date: Mon, 17 Jun 2013 22:46:47 -0700
Subject: XML Security C update status
In-Reply-To: <8738sg6mc3.fsf@windlord.stanford.edu> (Russ Allbery's message of "Mon, 17 Jun 2013 22:04:44 -0700")
References: <8738sg6mc3.fsf@windlord.stanford.edu>
Message-ID: <87fvwg55tk.fsf@windlord.stanford.edu>

Russ Allbery writes:

> For those following on the mailing list, I have packages prepared for
> stable and oldstable as well, and am waiting to hear back from the
> security team about upload permission and timing.  I'm also waiting to
> hear back about whether I should do a separate upload to unstable or let
> the stable security update take care of it, since currently unstable and
> stable are at the same version.

> The new Shibboleth SP package should be coming along tomorrow some time.

stable and oldstable updates are now in the hands of the security team
for builds and an advisory.  I've uploaded 1.6.1-6 to unstable for
unstable and testing until we get clearance for the 1.7 transition.

Thanks very much to Scott for all of the help and information throughout.

-- 
Russ Allbery (rra at debian.org)

From ftpmaster at ftp-master.debian.org Tue Jun 18 05:47:44 2013
From: ftpmaster at ftp-master.debian.org (Debian FTP Masters)
Date: Tue, 18 Jun 2013 05:47:44 +0000
Subject: Processing of xml-security-c_1.6.1-6_i386.changes
Message-ID:

xml-security-c_1.6.1-6_i386.changes uploaded successfully to localhost
along with the files:
  xml-security-c_1.6.1-6.dsc
  xml-security-c_1.6.1-6.debian.tar.gz
  libxml-security-c16_1.6.1-6_i386.deb
  libxml-security-c-dev_1.6.1-6_i386.deb

Greetings,

	Your Debian queue daemon (running on host franck.debian.org)

From ftpmaster at ftp-master.debian.org Tue Jun 18 05:48:08 2013
From: ftpmaster at ftp-master.debian.org (Debian FTP Masters)
Date: Tue, 18 Jun 2013 05:48:08 +0000
Subject: xml-security-c_1.6.1-6_i386.changes ACCEPTED into unstable
Message-ID:

Accepted:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 17 Jun 2013 22:25:32 -0700
Source: xml-security-c
Binary: libxml-security-c16 libxml-security-c-dev
Architecture: source i386
Version: 1.6.1-6
Distribution: unstable
Urgency: high
Maintainer: Debian Shib Team
Changed-By: Russ Allbery
Description:
 libxml-security-c-dev - C++ library for XML Digital Signatures (development)
 libxml-security-c16 - C++ library for XML Digital Signatures (runtime)
Changes:
 xml-security-c (1.6.1-6) unstable; urgency=high
 .
   * Apply upstream patch to fix a spoofing vulnerability that allows an
     attacker to reuse existing signatures with arbitrary content.
     (CVE-2013-2153)
   * Apply upstream patch to fix a stack overflow in the processing of
     malformed XPointer expressions in the XML Signature Reference
     processing code. (CVE-2013-2154)
   * Apply upstream patch to fix processing of the output length of an
     HMAC-based XML Signature that could cause a denial of service when
     processing specially chosen input. (CVE-2013-2155)
   * Apply upstream patch to fix a heap overflow in the processing of the
     PrefixList attribute optionally used in conjunction with Exclusive
     Canonicalization, potentially allowing arbitrary code execution.
(CVE-2013-2156) Checksums-Sha1: 45ba1595af8e204374ee77fd7b56914c8f1c5059 1785 xml-security-c_1.6.1-6.dsc 461ca76f00d5bc93bf4f8b4b1b2f610e2a538559 11710 xml-security-c_1.6.1-6.debian.tar.gz 8cb9168d96ee39c928f8e8b299e4c0e23b8ff703 369536 libxml-security-c16_1.6.1-6_i386.deb f5c6826e8726831f1e21a0fa2bc244c11a37e0ba 151214 libxml-security-c-dev_1.6.1-6_i386.deb Checksums-Sha256: 9550bfa8eb7d9af144c88e02afb30afd057ba6d9edcbe43db5ece49e6cc353e1 1785 xml-security-c_1.6.1-6.dsc da3a4a694679319645aaf8a68cd95d0958b0fdf9b226655048a5be77faac5330 11710 xml-security-c_1.6.1-6.debian.tar.gz a6d85dcf7c716ce53a9a3e3d15868455c9e97a8d7d7e55ff01fe51aa4c569d7d 369536 libxml-security-c16_1.6.1-6_i386.deb de89b954941647b8cd1cf31366b87306391a431d514173b8bcf6dcfa5a770d34 151214 libxml-security-c-dev_1.6.1-6_i386.deb Files: 914b262f3607b20c018edef6b372ac17 1785 libs extra xml-security-c_1.6.1-6.dsc ef0a096023f4fd1509a522d53dd39ffb 11710 libs extra xml-security-c_1.6.1-6.debian.tar.gz e582ebb337b3162556b8accea649bc72 369536 libs extra libxml-security-c16_1.6.1-6_i386.deb 858ea72ce94a2d4bab88dd2eec1481ac 151214 libdevel extra libxml-security-c-dev_1.6.1-6_i386.deb -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQEcBAEBCAAGBQJRv/OpAAoJEH2AMVxXNt51hnsH/ipPq2Gsw8YorIf3w8+1Xl4Q pgL6QtBKyjqui962qqVWm8b5sBrhLKNADW5OJbT+BqurbFHmqGsjHwtZdveFcDU4 MPF1b+mPpHD6Akgy6e9yOvrFTlcO7RMghdvxO9klsHMzCTC2mB2kecgTvVZDo4HH 2FpDCop/lAlkSmfJ6GDdqOK/UMFUC7SU3+1RrJQVJnTi1+VjwQ+F4ib1GytQzCKt xbfumNE1mG8QJtv5WG51aeiKeHVn/ciBCAppH7/1kOeM5PHbCqaxPXk1RuJKVJhB qWjnwS250skVNpr7wk/QjN+j8TGKPSQFA54OR+FdhXDFB8guhUkbTWx1/WhGd/k= =5r2m -----END PGP SIGNATURE----- Thank you for your contribution to Debian. From ftpmaster at ftp-master.debian.org Tue Jun 18 15:45:03 2013 
From: ftpmaster at ftp-master.debian.org (Debian FTP Masters)
Date: Tue, 18 Jun 2013 15:45:03 +0000
Subject: Processing of xml-security-c_1.5.1-3+squeeze2_i386.changes
Message-ID: 

xml-security-c_1.5.1-3+squeeze2_i386.changes uploaded successfully to localhost
along with the files:
  xml-security-c_1.5.1-3+squeeze2.dsc
  xml-security-c_1.5.1-3+squeeze2.diff.gz
  libxml-security-c15_1.5.1-3+squeeze2_i386.deb
  libxml-security-c-dev_1.5.1-3+squeeze2_i386.deb

Greetings,

	Your Debian queue daemon (running on host franck.debian.org)

From ftpmaster at ftp-master.debian.org Tue Jun 18 15:45:09 2013
From: ftpmaster at ftp-master.debian.org (Debian FTP Masters)
Date: Tue, 18 Jun 2013 15:45:09 +0000
Subject: Processing of xml-security-c_1.6.1-5+deb7u1_i386.changes
Message-ID: 

xml-security-c_1.6.1-5+deb7u1_i386.changes uploaded successfully to localhost
along with the files:
  xml-security-c_1.6.1-5+deb7u1.dsc
  xml-security-c_1.6.1.orig.tar.gz
  xml-security-c_1.6.1-5+deb7u1.debian.tar.gz
  libxml-security-c16_1.6.1-5+deb7u1_i386.deb
  libxml-security-c-dev_1.6.1-5+deb7u1_i386.deb

Greetings,

	Your Debian queue daemon (running on host franck.debian.org)

From ftpmaster at ftp-master.debian.org Tue Jun 18 15:49:19 2013
From: ftpmaster at ftp-master.debian.org (Debian FTP Masters)
Date: Tue, 18 Jun 2013 15:49:19 +0000
Subject: xml-security-c_1.5.1-3+squeeze2_i386.changes ACCEPTED into oldstable-proposed-updates->oldstable-new
Message-ID: 

Mapping oldstable-security to oldstable-proposed-updates.

Accepted:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 17 Jun 2013 22:32:25 -0700
Source: xml-security-c
Binary: libxml-security-c15 libxml-security-c-dev
Architecture: source i386
Version: 1.5.1-3+squeeze2
Distribution: oldstable-security
Urgency: high
Maintainer: Debian Shib Team
Changed-By: Russ Allbery
Description: 
 libxml-security-c-dev - C++ library for XML Digital Signatures (development)
 libxml-security-c15 - C++ library for XML Digital Signatures (runtime)
Changes: 
 xml-security-c (1.5.1-3+squeeze2) oldstable-security; urgency=high
 .
   * Apply upstream patch to fix a spoofing vulnerability that allows an
     attacker to reuse existing signatures with arbitrary content.
     (CVE-2013-2153)
   * Apply upstream patch to fix a stack overflow in the processing of
     malformed XPointer expressions in the XML Signature Reference
     processing code. (CVE-2013-2154)
   * Apply upstream patch to fix processing of the output length of an
     HMAC-based XML Signature that could cause a denial of service when
     processing specially chosen input. (CVE-2013-2155)
   * Apply upstream patch to fix a heap overflow in the processing of the
     PrefixList attribute optionally used in conjunction with Exclusive
     Canonicalization, potentially allowing arbitrary code execution.
     (CVE-2013-2156)
Checksums-Sha1: 
 67c5be50327dc2e9116c9c769dee0e9eb9aeffc5 1670 xml-security-c_1.5.1-3+squeeze2.dsc
 448c817fd7f23a7af95d8140c3acb873c4742ccd 11409 xml-security-c_1.5.1-3+squeeze2.diff.gz
 56f6a0843ed407e7f1251fea0ffe55467531f767 353826 libxml-security-c15_1.5.1-3+squeeze2_i386.deb
 440a28a29bbed621517031025dfb6fc2d8deeb7c 141818 libxml-security-c-dev_1.5.1-3+squeeze2_i386.deb
Checksums-Sha256: 
 c7d1e604f59223eb072c9afe44c541b7ef7fe284793335092ffa945aeaef5205 1670 xml-security-c_1.5.1-3+squeeze2.dsc
 84a63e5ab73d1bb411ac13c37378321fa75aa99b6702293fffbee178bbd4865b 11409 xml-security-c_1.5.1-3+squeeze2.diff.gz
 a7f27e86e2699926ce4e77801190725939f2769b53e585f29167acfa361e6b88 353826 libxml-security-c15_1.5.1-3+squeeze2_i386.deb
 9c245f62b344db23bf222dfe99ce82a42bc820ed72d0e054033919c5d4af8efb 141818 libxml-security-c-dev_1.5.1-3+squeeze2_i386.deb
Files: 
 911c68dd89f18793c4cc50fc34b77efa 1670 libs extra xml-security-c_1.5.1-3+squeeze2.dsc
 b89ef9b4f5e5b7fbf3cc47d7d313fe99 11409 libs extra xml-security-c_1.5.1-3+squeeze2.diff.gz
 f2810505d4c302e9d3773ba57ad6bf76 353826 libs extra libxml-security-c15_1.5.1-3+squeeze2_i386.deb
 433a487e2e0c68589971bc1f4b9b6d43 141818 libdevel extra libxml-security-c-dev_1.5.1-3+squeeze2_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBCAAGBQJRv/IIAAoJEH2AMVxXNt51jZsH/RVeZodvEArMO1CjyypWUGpI
WW3aMHwjtiNJJUwMNP0LxMjFy23p6bsEDRN82nIPgvMAQc28VBLplrARwS3blYkS
+ESCBAb0NTkSoLL4KGJh2c7j79b7U6idYkxfZBKvjzBElH+dMy19aNFZhTHeqVN4
AOuFP2uwrsT9ZqMLIo78+pWqA5DjDfGUwJ1zJhhEluAg/ezXXHCvoZsHXXeEGho4
60IBA8OoS3lABa9MbOhkMY+WowiO1pp8BS+YTovH2xSZNnnihyX+1g3Wrg194uCH
gEwOqECDHdh4KXX9Cz1ePwGCP8gy4wyAVwf4m+xn1SHjVOrz9Gt0O3SUuA72YA8=
=rajy
-----END PGP SIGNATURE-----


Thank you for your contribution to Debian.

From ftpmaster at ftp-master.debian.org Tue Jun 18 15:49:38 2013
From: ftpmaster at ftp-master.debian.org (Debian FTP Masters)
Date: Tue, 18 Jun 2013 15:49:38 +0000
Subject: xml-security-c_1.6.1-5+deb7u1_i386.changes ACCEPTED into proposed-updates->stable-new
Message-ID: 

Mapping stable-security to proposed-updates.

Accepted:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 17 Jun 2013 22:25:32 -0700
Source: xml-security-c
Binary: libxml-security-c16 libxml-security-c-dev
Architecture: source i386
Version: 1.6.1-5+deb7u1
Distribution: stable-security
Urgency: high
Maintainer: Debian Shib Team
Changed-By: Russ Allbery
Description: 
 libxml-security-c-dev - C++ library for XML Digital Signatures (development)
 libxml-security-c16 - C++ library for XML Digital Signatures (runtime)
Changes: 
 xml-security-c (1.6.1-5+deb7u1) stable-security; urgency=high
 .
   * Apply upstream patch to fix a spoofing vulnerability that allows an
     attacker to reuse existing signatures with arbitrary content.
     (CVE-2013-2153)
   * Apply upstream patch to fix a stack overflow in the processing of
     malformed XPointer expressions in the XML Signature Reference
     processing code. (CVE-2013-2154)
   * Apply upstream patch to fix processing of the output length of an
     HMAC-based XML Signature that could cause a denial of service when
     processing specially chosen input. (CVE-2013-2155)
   * Apply upstream patch to fix a heap overflow in the processing of the
     PrefixList attribute optionally used in conjunction with Exclusive
     Canonicalization, potentially allowing arbitrary code execution.
     (CVE-2013-2156)
Checksums-Sha1: 
 672c4fe4d84e7a242039fce066dd0e48270db1b8 1813 xml-security-c_1.6.1-5+deb7u1.dsc
 239304659752eb214f3516b6c457c99f0e6467c7 864366 xml-security-c_1.6.1.orig.tar.gz
 e02663825c4d0a2fe7eec4213debf7ec4f394054 11874 xml-security-c_1.6.1-5+deb7u1.debian.tar.gz
 58d74341079e57ef9f70e54c6507c1205716855c 375248 libxml-security-c16_1.6.1-5+deb7u1_i386.deb
 50b76eba534719931db9a90ca71c70964b562cd9 151234 libxml-security-c-dev_1.6.1-5+deb7u1_i386.deb
Checksums-Sha256: 
 30c8e9b3c4080a46128eaa1f180ffb923205c2be7787909a17d78a82b5cd9484 1813 xml-security-c_1.6.1-5+deb7u1.dsc
 73931a55d6925a82416ea48f8d6f1b8ed591368e1dfc30574fe43904b7c62fcd 864366 xml-security-c_1.6.1.orig.tar.gz
 92d65c29ca6c41c79261ded82d2678efb79981aff2e138f41643acb0bb475639 11874 xml-security-c_1.6.1-5+deb7u1.debian.tar.gz
 d094000713051e96172328fad12d450e3c994240b63032e92101e4c6b0e52f32 375248 libxml-security-c16_1.6.1-5+deb7u1_i386.deb
 0014888e3a485f34986aeae43832a9a1c97b85f0bdff4fd8d14d1ca28c4a2127 151234 libxml-security-c-dev_1.6.1-5+deb7u1_i386.deb
Files: 
 774319332f2f8881d79d18d99a407c84 1813 libs extra xml-security-c_1.6.1-5+deb7u1.dsc
 808316c80a7453b6d50a0bceb7ebe9bc 864366 libs extra xml-security-c_1.6.1.orig.tar.gz
 1395788da13ab0999ebdd2dfab74e73a 11874 libs extra xml-security-c_1.6.1-5+deb7u1.debian.tar.gz
 e7678e819e9f964c703e9961bc595f23 375248 libs extra libxml-security-c16_1.6.1-5+deb7u1_i386.deb
 eb14d6a5a5c59d0f111f5533c49118a5 151234 libdevel extra libxml-security-c-dev_1.6.1-5+deb7u1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBCAAGBQJRv/CfAAoJEH2AMVxXNt51dIUH/20gzEXtzDU8F4zBjX53D7Rz
3m9BTjIfs4f0KldFSnj6JKSS3zxbTHWJy+8rHyjNq6xaw6pFEFeSRisxoI+JZTHp
VNmKSFYG10hMauPtXHp0lEVsAYyxiRe55JdMv8VHXy1Q+wJf209ydwO0aKbabOti
IVtGuAV87Vtauq+hluDGYMEU2iFWvC0F+StPyJS1StyqoCKBPN97ZvgdzHPQeTYh
dDOEHoCjmXRW1iEyhXHd/gBI0Jb9jmjPKVdSOSy+4xBDZP3D6qGIDaXxMSvvPHmL
FMvb2GCkCWkSX/GoHGg4usQThkxtHlU7KqSuZnT8jclZR+o9qGzlsKquEYCFHiA=
=BSqf
-----END PGP SIGNATURE-----


Thank you for your contribution to Debian.

From ftpmaster at ftp-master.debian.org Tue Jun 18 18:00:37 2013
From: ftpmaster at ftp-master.debian.org (Debian FTP Masters)
Date: Tue, 18 Jun 2013 18:00:37 +0000
Subject: Processing of xml-security-c_1.6.1-5+deb7u1~bpo60+1_i386.changes
Message-ID: 

xml-security-c_1.6.1-5+deb7u1~bpo60+1_i386.changes uploaded successfully to localhost
along with the files:
  xml-security-c_1.6.1-5+deb7u1~bpo60+1.dsc
  xml-security-c_1.6.1-5+deb7u1~bpo60+1.debian.tar.gz
  libxml-security-c16_1.6.1-5+deb7u1~bpo60+1_i386.deb
  libxml-security-c-dev_1.6.1-5+deb7u1~bpo60+1_i386.deb

Greetings,

	Your Debian queue daemon (running on host franck.debian.org)

From ftpmaster at ftp-master.debian.org Tue Jun 18 18:03:24 2013
From: ftpmaster at ftp-master.debian.org (Debian FTP Masters)
Date: Tue, 18 Jun 2013 18:03:24 +0000
Subject: xml-security-c_1.6.1-5+deb7u1~bpo60+1_i386.changes ACCEPTED into squeeze-backports->backports-policy
Message-ID: 

Accepted:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 18 Jun 2013 10:39:10 -0700
Source: xml-security-c
Binary: libxml-security-c16 libxml-security-c-dev
Architecture: source i386
Version: 1.6.1-5+deb7u1~bpo60+1
Distribution: squeeze-backports
Urgency: high
Maintainer: Debian Shib Team
Changed-By: Russ Allbery
Description: 
 libxml-security-c-dev - C++ library for XML Digital Signatures (development)
 libxml-security-c16 - C++ library for XML Digital Signatures (runtime)
Closes: 656658
Changes: 
 xml-security-c (1.6.1-5+deb7u1~bpo60+1) squeeze-backports; urgency=high
 .
   * Backport to oldstable.
   * Revert the change to use multiarch and force a non-multiarch libdir.
   * Relax versioned dependency on libssl-dev to build on squeeze.
 .
 xml-security-c (1.6.1-5+deb7u1) stable-security; urgency=high
 .
   * Apply upstream patch to fix a spoofing vulnerability that allows an
     attacker to reuse existing signatures with arbitrary content.
     (CVE-2013-2153)
   * Apply upstream patch to fix a stack overflow in the processing of
     malformed XPointer expressions in the XML Signature Reference
     processing code. (CVE-2013-2154)
   * Apply upstream patch to fix processing of the output length of an
     HMAC-based XML Signature that could cause a denial of service when
     processing specially chosen input. (CVE-2013-2155)
   * Apply upstream patch to fix a heap overflow in the processing of the
     PrefixList attribute optionally used in conjunction with Exclusive
     Canonicalization, potentially allowing arbitrary code execution.
     (CVE-2013-2156)
 .
 xml-security-c (1.6.1-5) unstable; urgency=low
 .
   * Revert changes to add symbols file. Due to churn in weak symbols for
     inlined functions, it doesn't appear maintainable with existing
     tools, and for this library the shlibs behavior seems sufficient.
   * Minor update to the format of the debian/copyright file.
 .
 xml-security-c (1.6.1-4) unstable; urgency=low
 .
   * Update symbols files for all non-i386 architectures currently built
     by the buildds except mipsel (which will hopefully be the same as
     mips).
   * Build-Depend on pkg-kde-tools and use its symbolhelper plugin so
     that the package can use the output of pkgkde-symbolshelper.
 .
 xml-security-c (1.6.1-3) unstable; urgency=low
 .
   * Also enable bindnow hardening build flags and use the correct syntax
     to add additional hardening flags.
   * Add symbols file constructed with pkgkde-symbolshelper. Add a
     README.source file with a pointer to the documentation.
 .
 xml-security-c (1.6.1-2) unstable; urgency=low
 .
   * Update to debhelper compatibility level V9.
     - Enable hardening build flags. (Closes: #656658)
     - Enable multiarch support.
Checksums-Sha1: 
 960a84ee63c4b7ccdf098fc9de6552e9885be85b 1743 xml-security-c_1.6.1-5+deb7u1~bpo60+1.dsc
 58855d31c6aabc112165e2f35116589e84b3d9f9 12203 xml-security-c_1.6.1-5+deb7u1~bpo60+1.debian.tar.gz
 09ea23c1d08e42ca3143ae7eb81591e3fc1b712d 384304 libxml-security-c16_1.6.1-5+deb7u1~bpo60+1_i386.deb
 5e90bf5b17d1dd65f972f360b3dc3d3203be160f 151282 libxml-security-c-dev_1.6.1-5+deb7u1~bpo60+1_i386.deb
Checksums-Sha256: 
 4bb24c43352f89c08e1aa00a5653fa071b533302d79695a2fdc6580ae6131486 1743 xml-security-c_1.6.1-5+deb7u1~bpo60+1.dsc
 ee43548db383216aa01a2703c63c0e247be4ede97d267de4d007747c36b7e0b5 12203 xml-security-c_1.6.1-5+deb7u1~bpo60+1.debian.tar.gz
 7d37fd65ecc0c4f847786f1805e8b56d2e2f7756c1c577a9ae632d0755cfeda0 384304 libxml-security-c16_1.6.1-5+deb7u1~bpo60+1_i386.deb
 49b5db1a76369d219e8c09885815c5647cb0281b594ff802446b1482c7ef4a76 151282 libxml-security-c-dev_1.6.1-5+deb7u1~bpo60+1_i386.deb
Files: 
 4dd12b52976d3b57a182ced695922a5b 1743 libs extra xml-security-c_1.6.1-5+deb7u1~bpo60+1.dsc
 015223ec5a23f87d2a47a2535b46d21c 12203 libs extra xml-security-c_1.6.1-5+deb7u1~bpo60+1.debian.tar.gz
 977abbbceff52e69802988ea4f4de7ab 384304 libs extra libxml-security-c16_1.6.1-5+deb7u1~bpo60+1_i386.deb
 bc244e9a8d0dfb14883cf54e45161ac0 151282 libdevel extra libxml-security-c-dev_1.6.1-5+deb7u1~bpo60+1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBCAAGBQJRwJ6tAAoJEH2AMVxXNt513RMH+wdf3M3khUcsY+idoXwu7awW
1+PeZDEKX9s5cmKcBYNR3PJA+7dGw/S5xwOnBn+iDfEM6N0YpFFeqn7ZBJ7PQ/zj
zkeqdpVidWwgg3YXbrjeFPL4u00geLhdqiyqupwYS4bxyuWMGABDaTqV9TEWiQMg
RmdYdMUD+JYV6OZFULR9R9uAlPWcRSyy+iubC/PQHyxyeA4oINEEnQNGWjDtjtRf
zHGjhitEIjiJfi1OTFILWJoSjTjTl1ejwdrTbp7XUopOIWaesAv6lwxyJS95F6h5
ZwNyQhRD/fCrweJUTHcx/OBaxUPadaPX+7/W8Hg8OJ5nQmJ766sA9puCYQ6mTSY=
=zKy3
-----END PGP SIGNATURE-----


Thank you for your contribution to Debian.

From rra at debian.org Tue Jun 18 18:03:56 2013
From: rra at debian.org (Russ Allbery)
Date: Tue, 18 Jun 2013 18:03:56 +0000
Subject: [SCM] Debian packaging for XML-Security-C branch, squeeze-backports, created. debian/1.6.1-5+deb7u1-2-g112cb34
Message-ID: 

The branch, squeeze-backports has been created
        at  112cb3461ddd1848ce983d0719e5a5566bec7768 (commit)

- Shortlog ------------------------------------------------------------
commit 112cb3461ddd1848ce983d0719e5a5566bec7768
Author: Russ Allbery
Date:   Tue Jun 18 10:39:15 2013 -0700

    Relax versioned dependency on libssl-dev to build on squeeze

commit f845dd10dde10b2cfd98452f504f951ab932d207
Author: Russ Allbery
Date:   Tue Jun 18 10:38:36 2013 -0700

    Start backport and revert multiarch changes

-----------------------------------------------------------------------

-- 
Debian packaging for XML-Security-C

From rra at debian.org Tue Jun 18 18:04:04 2013
From: rra at debian.org (Russ Allbery)
Date: Tue, 18 Jun 2013 18:04:04 +0000
Subject: [SCM] Debian packaging for XML-Security-C annotated tag, debian/1.6.1-5+deb7u1_bpo60+1, created. debian/1.6.1-5+deb7u1_bpo60+1
Message-ID: 

The annotated tag, debian/1.6.1-5+deb7u1_bpo60+1 has been created
        at  0ffc3fc488d829aabf7d89cb59a06be326eb982d (tag)
   tagging  112cb3461ddd1848ce983d0719e5a5566bec7768 (commit)
  replaces  debian/1.6.1-5+deb7u1
 tagged by  Russ Allbery
        on  Tue Jun 18 11:03:32 2013 -0700

- Shortlog ------------------------------------------------------------
Debian release 1.6.1-5+deb7u1~bpo60+1

Format: 1.8
Date: Tue, 18 Jun 2013 10:39:10 -0700
Source: xml-security-c
Binary: libxml-security-c16 libxml-security-c-dev
Architecture: source i386
Version: 1.6.1-5+deb7u1~bpo60+1
Distribution: squeeze-backports
Urgency: high
Maintainer: Debian Shib Team
Changed-By: Russ Allbery
Description: 
 libxml-security-c-dev - C++ library for XML Digital Signatures (development)
 libxml-security-c16 - C++ library for XML Digital Signatures (runtime)
Closes: 656658
Changes: 
 xml-security-c (1.6.1-5+deb7u1~bpo60+1) squeeze-backports; urgency=high
 .
   * Backport to oldstable.
   * Revert the change to use multiarch and force a non-multiarch libdir.
   * Relax versioned dependency on libssl-dev to build on squeeze.
 .
 xml-security-c (1.6.1-5+deb7u1) stable-security; urgency=high
 .
   * Apply upstream patch to fix a spoofing vulnerability that allows an
     attacker to reuse existing signatures with arbitrary content.
     (CVE-2013-2153)
   * Apply upstream patch to fix a stack overflow in the processing of
     malformed XPointer expressions in the XML Signature Reference
     processing code. (CVE-2013-2154)
   * Apply upstream patch to fix processing of the output length of an
     HMAC-based XML Signature that could cause a denial of service when
     processing specially chosen input. (CVE-2013-2155)
   * Apply upstream patch to fix a heap overflow in the processing of the
     PrefixList attribute optionally used in conjunction with Exclusive
     Canonicalization, potentially allowing arbitrary code execution.
     (CVE-2013-2156)
 .
 xml-security-c (1.6.1-5) unstable; urgency=low
 .
   * Revert changes to add symbols file. Due to churn in weak symbols for
     inlined functions, it doesn't appear maintainable with existing
     tools, and for this library the shlibs behavior seems sufficient.
   * Minor update to the format of the debian/copyright file.
 .
 xml-security-c (1.6.1-4) unstable; urgency=low
 .
   * Update symbols files for all non-i386 architectures currently built
     by the buildds except mipsel (which will hopefully be the same as
     mips).
   * Build-Depend on pkg-kde-tools and use its symbolhelper plugin so
     that the package can use the output of pkgkde-symbolshelper.
 .
 xml-security-c (1.6.1-3) unstable; urgency=low
 .
   * Also enable bindnow hardening build flags and use the correct syntax
     to add additional hardening flags.
   * Add symbols file constructed with pkgkde-symbolshelper. Add a
     README.source file with a pointer to the documentation.
 .
 xml-security-c (1.6.1-2) unstable; urgency=low
 .
   * Update to debhelper compatibility level V9.
     - Enable hardening build flags. (Closes: #656658)
     - Enable multiarch support.
Checksums-Sha1: 
 960a84ee63c4b7ccdf098fc9de6552e9885be85b 1743 xml-security-c_1.6.1-5+deb7u1~bpo60+1.dsc
 58855d31c6aabc112165e2f35116589e84b3d9f9 12203 xml-security-c_1.6.1-5+deb7u1~bpo60+1.debian.tar.gz
 09ea23c1d08e42ca3143ae7eb81591e3fc1b712d 384304 libxml-security-c16_1.6.1-5+deb7u1~bpo60+1_i386.deb
 5e90bf5b17d1dd65f972f360b3dc3d3203be160f 151282 libxml-security-c-dev_1.6.1-5+deb7u1~bpo60+1_i386.deb
Checksums-Sha256: 
 4bb24c43352f89c08e1aa00a5653fa071b533302d79695a2fdc6580ae6131486 1743 xml-security-c_1.6.1-5+deb7u1~bpo60+1.dsc
 ee43548db383216aa01a2703c63c0e247be4ede97d267de4d007747c36b7e0b5 12203 xml-security-c_1.6.1-5+deb7u1~bpo60+1.debian.tar.gz
 7d37fd65ecc0c4f847786f1805e8b56d2e2f7756c1c577a9ae632d0755cfeda0 384304 libxml-security-c16_1.6.1-5+deb7u1~bpo60+1_i386.deb
 49b5db1a76369d219e8c09885815c5647cb0281b594ff802446b1482c7ef4a76 151282 libxml-security-c-dev_1.6.1-5+deb7u1~bpo60+1_i386.deb
Files: 
 4dd12b52976d3b57a182ced695922a5b 1743 libs extra xml-security-c_1.6.1-5+deb7u1~bpo60+1.dsc
 015223ec5a23f87d2a47a2535b46d21c 12203 libs extra xml-security-c_1.6.1-5+deb7u1~bpo60+1.debian.tar.gz
 977abbbceff52e69802988ea4f4de7ab 384304 libs extra libxml-security-c16_1.6.1-5+deb7u1~bpo60+1_i386.deb
 bc244e9a8d0dfb14883cf54e45161ac0 151282 libdevel extra libxml-security-c-dev_1.6.1-5+deb7u1~bpo60+1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAABCAAGBQJRwKECAAoJEH2AMVxXNt51Y4MH/1BWNsGBdJbPW384Q3TH9Ywx
VoUwS+uXYfmF0FMKzMjc7K/FsTLTo5Hsd5hDjpPAzd7fGdW0MVnOFGdm1sa2AHN3
/y0v3BN2VMfP2GTKOVTC9vDzX9xJKyfD88JvwCJIecVTjxc6SfhwssMIl+uC3gXi
GZbvhYQLbrvM8643AucQZdVrP06d2hhVweqsT50QWSCdQM+gDuFFrpkfE4M2dAwj
lEJZnjQ23VXa391BSaeSX1kbeK1ut4xZzXyDAkzMmmGW6v+rcN7IEpZjSgxHX4Gt
Hg4ImjVlgatSur2qY08u+Ctve6xcCKC6euthqTTEZYd9OYqAxJBK2lymsxK29vg=
=/Pls
-----END PGP SIGNATURE-----

Russ Allbery (2):
      Start backport and revert multiarch changes
      Relax versioned dependency on libssl-dev to build on squeeze

----------------------------------------------------------------------- -- Debian packaging for XML-Security-C From rra at debian.org Tue Jun 18 21:27:10 2013 From: rra at debian.org (Russ Allbery) Date: Tue, 18 Jun 2013 21:27:10 +0000 Subject: [SCM] Debian packaging for XMLTooling-C branch, master, updated. debian/1.5.2-1-8-gc42f826 Message-ID: The following commit has been merged in the master branch: commit de73915b66134678fc8df963cf15ffe11a190fab Author: Russ Allbery Date: Tue Jun 18 11:17:09 2013 -0700 Add changelog for upstream 1.5.3 release diff --git a/debian/changelog b/debian/changelog index 6b0ea53..4dd2c47 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,5 +1,8 @@ -xmltooling (1.5.2-2) UNRELEASED; urgency=low +xmltooling (1.5.3-1) UNRELEASED; urgency=low + * New upstream release. + - Update xmlsig 1.1 schema to final CR + - Check for missing private key in configuration check * Move single-debian-patch to local-options and patch-header to local-patch-header so that they only apply to the packages built from the canonical Git repository and NMUs get regular version-numbered -- Debian packaging for XMLTooling-C From rra at debian.org Tue Jun 18 21:27:10 2013 From: rra at debian.org (Russ Allbery) Date: Tue, 18 Jun 2013 21:27:10 +0000 Subject: [SCM] Debian packaging for XMLTooling-C branch, master, updated. debian/1.5.2-1-8-gc42f826 Message-ID: The following commit has been merged in the master branch: commit aead01b9204a702fb4a0f884bcde4a6172f3f1ae Merge: a1f1ffc9e928839d6968a0f2ac6cdb9ec5e72748 638b89d6e74a047bc89a1f495223cdb860862e14 Author: Russ Allbery Date: Tue Jun 18 11:15:19 2013 -0700 Merge tag 'upstream/1.5.3' Upstream version 1.5.3 -- Debian packaging for XMLTooling-C From rra at debian.org Tue Jun 18 21:27:10 2013 
From: rra at debian.org (Russ Allbery) Date: Tue, 18 Jun 2013 21:27:10 +0000 Subject: [SCM] Debian packaging for XMLTooling-C branch, master, updated. debian/1.5.2-1-8-gc42f826 Message-ID: The following commit has been merged in the master branch: commit b57cd731003060d61827bec11b173e555d6b3ffb Author: Russ Allbery Date: Tue Jun 18 11:19:07 2013 -0700 Update debian/copyright for the new upstream release diff --git a/debian/copyright b/debian/copyright index 0087fa1..37b58fc 100644 --- a/debian/copyright +++ b/debian/copyright @@ -146,7 +146,7 @@ Copyright: 2001 Martin Gudgin, Developmentor Rights Reserved. http://www.w3.org/Consortium/Legal/ License: W3C-Software -Files: schemas/xenc11-schema.xsd +Files: schemas/xenc11-schema.xsd schemas/xmldsig11-schema.xsd Copyright: 2011 World Wide Web Consortium (Massachusetts Institute of Technology, European Research Consortium for Informatics and Mathematics, Keio University). All Rights Reserved. -- Debian packaging for XMLTooling-C From rra at debian.org Tue Jun 18 21:27:10 2013 From: rra at debian.org (Russ Allbery) Date: Tue, 18 Jun 2013 21:27:10 +0000 Subject: [SCM] Debian packaging for XMLTooling-C branch, master, updated. debian/1.5.2-1-8-gc42f826 Message-ID: The following commit has been merged in the master branch: commit c42f82694c2d3617a6e73b1b9c1ce3beaba89105 Author: Russ Allbery Date: Tue Jun 18 14:18:22 2013 -0700 Finalize changes for 1.5.3-1 diff --git a/debian/changelog b/debian/changelog index 4dd2c47..42df586 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,4 +1,4 @@ -xmltooling (1.5.3-1) UNRELEASED; urgency=low +xmltooling (1.5.3-1) experimental; urgency=low * New upstream release. - Update xmlsig 1.1 schema to final CR 
@@ -11,7 +11,7 @@ xmltooling (1.5.3-1) UNRELEASED; urgency=low * Fix some minor debian/copyright inaccuracies and a missing GPL-3 pointer introduced in the previous release. - -- Russ Allbery Tue, 28 May 2013 17:22:32 -0700 + -- Russ Allbery Tue, 18 Jun 2013 14:18:20 -0700 xmltooling (1.5.2-1) experimental; urgency=low -- Debian packaging for XMLTooling-C From rra at debian.org Tue Jun 18 21:27:11 2013 From: rra at debian.org (Russ Allbery) Date: Tue, 18 Jun 2013 21:27:11 +0000 Subject: [SCM] Debian packaging for XMLTooling-C branch, pristine-tar, updated. f2715883e4c01f9cab927c8708b68783b5654b34 Message-ID: The following commit has been merged in the pristine-tar branch: commit f2715883e4c01f9cab927c8708b68783b5654b34 Author: Russ Allbery Date: Tue Jun 18 11:15:19 2013 -0700 pristine-tar data for xmltooling_1.5.3.orig.tar.gz diff --git a/xmltooling_1.5.3.orig.tar.gz.delta b/xmltooling_1.5.3.orig.tar.gz.delta new file mode 100644 index 0000000..21a3fd7 Binary files /dev/null and b/xmltooling_1.5.3.orig.tar.gz.delta differ diff --git a/xmltooling_1.5.3.orig.tar.gz.id b/xmltooling_1.5.3.orig.tar.gz.id new file mode 100644 index 0000000..efa67e9 --- /dev/null +++ b/xmltooling_1.5.3.orig.tar.gz.id @@ -0,0 +1 @@ +4f0ee195be64cb86a15b2bf5b3a7752cbf048745 -- Debian packaging for XMLTooling-C From rra at debian.org Tue Jun 18 21:27:20 2013 
From: rra at debian.org (Russ Allbery)
Date: Tue, 18 Jun 2013 21:27:20 +0000
Subject: [SCM] Debian packaging for XMLTooling-C annotated tag, debian/1.5.3-1, created. debian/1.5.3-1
Message-ID: 

The annotated tag, debian/1.5.3-1 has been created
        at  7c097a8ae71fe875a3840f8f659efebd3b4b4dfd (tag)
   tagging  c42f82694c2d3617a6e73b1b9c1ce3beaba89105 (commit)
  replaces  debian/1.5.2-1
 tagged by  Russ Allbery
        on  Tue Jun 18 14:26:32 2013 -0700

- Shortlog ------------------------------------------------------------
Debian release 1.5.3-1

Format: 1.8
Date: Tue, 18 Jun 2013 14:18:20 -0700
Source: xmltooling
Binary: libxmltooling6 libxmltooling-dev xmltooling-schemas libxmltooling-doc
Architecture: source i386 all
Version: 1.5.3-1
Distribution: experimental
Urgency: low
Maintainer: Debian Shib Team
Changed-By: Russ Allbery
Description: 
 libxmltooling-dev - C++ XML parsing library with encryption support (development)
 libxmltooling-doc - C++ XML parsing library with encryption support (API docs)
 libxmltooling6 - C++ XML parsing library with encryption support (runtime)
 xmltooling-schemas - XML schemas for XMLTooling
Changes: 
 xmltooling (1.5.3-1) experimental; urgency=low
 .
   * New upstream release.
     - Update xmlsig 1.1 schema to final CR
     - Check for missing private key in configuration check
   * Move single-debian-patch to local-options and patch-header to
     local-patch-header so that they only apply to the packages built
     from the canonical Git repository and NMUs get regular
     version-numbered patches.
   * Switch to xz compression for *.debian.tar and the *.deb packages.
   * Fix some minor debian/copyright inaccuracies and a missing GPL-3
     pointer introduced in the previous release.
Checksums-Sha1: 
 a8fa12d26da544e687ccaf48192ff98ce235c03e 1457 xmltooling_1.5.3-1.dsc
 b8498a8dafe18bf612a6651ab7af662add5c2a68 675350 xmltooling_1.5.3.orig.tar.gz
 56d2a73861e6880f7812f6eea1503dec5685c3b9 9690 xmltooling_1.5.3-1.debian.tar.gz
 c972b658d83b3b5695390d4e9eb1e3ab2808de5d 590776 libxmltooling6_1.5.3-1_i386.deb
 7867257f148c9b8db6d5e77836272216c2b2550c 71268 libxmltooling-dev_1.5.3-1_i386.deb
 8ecc7847856738868d83c320dcf29756335f1cb2 15806 xmltooling-schemas_1.5.3-1_all.deb
 94f11209211e0465a47bf166810b14291a09ebb4 387862 libxmltooling-doc_1.5.3-1_all.deb
Checksums-Sha256: 
 7718d0810d2d2e8f89f5630600625df7a82cb0e9a5c86bd2a731c9d399363d82 1457 xmltooling_1.5.3-1.dsc
 90e453deb738574b04f1f1aa08ed7cc9d8746bcbf93eb59f401a6e38f2ec9574 675350 xmltooling_1.5.3.orig.tar.gz
 7e13467860144f7d22069ec2a30d2c0ec4a2ca1fdf3b38863557897537923f0f 9690 xmltooling_1.5.3-1.debian.tar.gz
 1ff4b238b04c20dcbceb2179452485ebc17823a9ea981b9a93097a58a8f79aa0 590776 libxmltooling6_1.5.3-1_i386.deb
 a5a22192912a2a5180c0d9281ffb7ef9472b2d890dae7f7b1ddad2b78d2e5f37 71268 libxmltooling-dev_1.5.3-1_i386.deb
 882ad2f954c2a9d3e48b5b3fa16abafafaa4da7e6a89695b93219fdd64b4e222 15806 xmltooling-schemas_1.5.3-1_all.deb
 fbaf573b47dfb4d318b058cac9b6e4998b353dd74112af239f307b5a80173727 387862 libxmltooling-doc_1.5.3-1_all.deb
Files: 
 43842331c9cdeda2e8a5fe1a9c727af6 1457 libs extra xmltooling_1.5.3-1.dsc
 d6f7c148114341f73891447b7f8f1965 675350 libs extra xmltooling_1.5.3.orig.tar.gz
 61c038845511ece19b6235266fa80b95 9690 libs extra xmltooling_1.5.3-1.debian.tar.gz
 2ad724acf8d99b3abc8120f50883f2b2 590776 libs extra libxmltooling6_1.5.3-1_i386.deb
 17413a1a3ed954f0b4ec74c1a8692da7 71268 libdevel extra libxmltooling-dev_1.5.3-1_i386.deb
 5826b849f60a5dbf41a5be539cc8da20 15806 text extra xmltooling-schemas_1.5.3-1_all.deb
 bd01ce00ba04c86c15ed4274559f8904 387862 doc extra libxmltooling-doc_1.5.3-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAABCAAGBQJRwNCRAAoJEH2AMVxXNt51lVwIALtwEKHIkNtM2GkFwCFmzjqZ
hywG6zv06ybSfqvqKgotKyqS/Kk3md9s4wlWVY2Ym2qYWrgcFbAuJPyAqE74+yRX
nH7abmzUqwl4FTmTX+c0UEAXP88ndGQu+g4Ur1Kd+5pk9l9IwUFM2LUeUAPaocH4
5lJ/h7Rpwfc/owfg8w6PpsDMwjH9RId71IR4l/bTH4q5qcLeOdUu9PyaHkpNdT8u
8RFGLDfP/fYg9dPaWBrD+tHjRiUvvPPwsVZT5cEzJzikA3tybs3fz35HL458w9yt
LUEu4jgesntMDzbp4aqo34rnd5GBMnJf8q9c6Gq//Gllh7dUhLzE6tUo7VPsS4s=
=E95K
-----END PGP SIGNATURE-----

Russ Allbery (8):
      Fix some minor debian/copyright issues
      Move single-debian-patch to local-options
      Switch to xz compression for *.debian.tar and the *.deb packages
      Imported Upstream version 1.5.3
      Merge tag 'upstream/1.5.3'
      Add changelog for upstream 1.5.3 release
      Update debian/copyright for the new upstream release
      Finalize changes for 1.5.3-1

-----------------------------------------------------------------------

-- 
Debian packaging for XMLTooling-C

From rra at debian.org Tue Jun 18 21:27:20 2013
From: rra at debian.org (Russ Allbery)
Date: Tue, 18 Jun 2013 21:27:20 +0000
Subject: [SCM] Debian packaging for XMLTooling-C annotated tag, upstream/1.5.3, created. upstream/1.5.3
Message-ID: 

The annotated tag, upstream/1.5.3 has been created
        at  f863f6cb7971c710e12482d3274d2dc28305f151 (tag)
   tagging  638b89d6e74a047bc89a1f495223cdb860862e14 (commit)
  replaces  upstream/1.5.2
 tagged by  Russ Allbery
        on  Tue Jun 18 11:15:19 2013 -0700

- Shortlog ------------------------------------------------------------
Upstream version 1.5.3

Russ Allbery (1):
      Imported Upstream version 1.5.3

-----------------------------------------------------------------------

-- 
Debian packaging for XMLTooling-C

From ftpmaster at ftp-master.debian.org Tue Jun 18 21:31:22 2013
From: ftpmaster at ftp-master.debian.org (Debian FTP Masters)
Date: Tue, 18 Jun 2013 21:31:22 +0000
Subject: Processing of xmltooling_1.5.3-1_i386.changes
Message-ID: 

xmltooling_1.5.3-1_i386.changes uploaded successfully to localhost
along with the files:
  xmltooling_1.5.3-1.dsc
  xmltooling_1.5.3.orig.tar.gz
  xmltooling_1.5.3-1.debian.tar.gz
  libxmltooling6_1.5.3-1_i386.deb
  libxmltooling-dev_1.5.3-1_i386.deb
  xmltooling-schemas_1.5.3-1_all.deb
  libxmltooling-doc_1.5.3-1_all.deb

Greetings,

	Your Debian queue daemon (running on host franck.debian.org)

From ftpmaster at ftp-master.debian.org Tue Jun 18 21:36:20 2013
From: ftpmaster at ftp-master.debian.org (Debian FTP Masters)
Date: Tue, 18 Jun 2013 21:36:20 +0000
Subject: xmltooling_1.5.3-1_i386.changes ACCEPTED into experimental
Message-ID:

Accepted:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 18 Jun 2013 14:18:20 -0700
Source: xmltooling
Binary: libxmltooling6 libxmltooling-dev xmltooling-schemas libxmltooling-doc
Architecture: source i386 all
Version: 1.5.3-1
Distribution: experimental
Urgency: low
Maintainer: Debian Shib Team
Changed-By: Russ Allbery
Description:
 libxmltooling-dev - C++ XML parsing library with encryption support (development)
 libxmltooling-doc - C++ XML parsing library with encryption support (API docs)
 libxmltooling6 - C++ XML parsing library with encryption support (runtime)
 xmltooling-schemas - XML schemas for XMLTooling
Changes:
 xmltooling (1.5.3-1) experimental; urgency=low
 .
   * New upstream release.
     - Update xmlsig 1.1 schema to final CR
     - Check for missing private key in configuration check
   * Move single-debian-patch to local-options and patch-header to
     local-patch-header so that they only apply to the packages built from
     the canonical Git repository and NMUs get regular version-numbered
     patches.
   * Switch to xz compression for *.debian.tar and the *.deb packages.
   * Fix some minor debian/copyright inaccuracies and a missing GPL-3
     pointer introduced in the previous release.
Checksums-Sha1: 97c6eb6bfeed7391b70af8668c45e323d5ba29d3 1997 xmltooling_1.5.3-1.dsc b8498a8dafe18bf612a6651ab7af662add5c2a68 675350 xmltooling_1.5.3.orig.tar.gz 56d2a73861e6880f7812f6eea1503dec5685c3b9 9690 xmltooling_1.5.3-1.debian.tar.gz c972b658d83b3b5695390d4e9eb1e3ab2808de5d 590776 libxmltooling6_1.5.3-1_i386.deb 7867257f148c9b8db6d5e77836272216c2b2550c 71268 libxmltooling-dev_1.5.3-1_i386.deb 8ecc7847856738868d83c320dcf29756335f1cb2 15806 xmltooling-schemas_1.5.3-1_all.deb 94f11209211e0465a47bf166810b14291a09ebb4 387862 libxmltooling-doc_1.5.3-1_all.deb Checksums-Sha256: 18bcaffb355564d82b755a8008e75c64637e77af94d85227e65702a7832d3c75 1997 xmltooling_1.5.3-1.dsc 90e453deb738574b04f1f1aa08ed7cc9d8746bcbf93eb59f401a6e38f2ec9574 675350 xmltooling_1.5.3.orig.tar.gz 7e13467860144f7d22069ec2a30d2c0ec4a2ca1fdf3b38863557897537923f0f 9690 xmltooling_1.5.3-1.debian.tar.gz 1ff4b238b04c20dcbceb2179452485ebc17823a9ea981b9a93097a58a8f79aa0 590776 libxmltooling6_1.5.3-1_i386.deb a5a22192912a2a5180c0d9281ffb7ef9472b2d890dae7f7b1ddad2b78d2e5f37 71268 libxmltooling-dev_1.5.3-1_i386.deb 882ad2f954c2a9d3e48b5b3fa16abafafaa4da7e6a89695b93219fdd64b4e222 15806 xmltooling-schemas_1.5.3-1_all.deb fbaf573b47dfb4d318b058cac9b6e4998b353dd74112af239f307b5a80173727 387862 libxmltooling-doc_1.5.3-1_all.deb Files: 3414a616eea54c35bf9e7232ea272cfe 1997 libs extra xmltooling_1.5.3-1.dsc d6f7c148114341f73891447b7f8f1965 675350 libs extra xmltooling_1.5.3.orig.tar.gz 61c038845511ece19b6235266fa80b95 9690 libs extra xmltooling_1.5.3-1.debian.tar.gz 2ad724acf8d99b3abc8120f50883f2b2 590776 libs extra libxmltooling6_1.5.3-1_i386.deb 17413a1a3ed954f0b4ec74c1a8692da7 71268 libdevel extra libxmltooling-dev_1.5.3-1_i386.deb 5826b849f60a5dbf41a5be539cc8da20 15806 text extra xmltooling-schemas_1.5.3-1_all.deb bd01ce00ba04c86c15ed4274559f8904 387862 doc extra libxmltooling-doc_1.5.3-1_all.deb -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) 
iQEcBAEBCAAGBQJRwNCgAAoJEH2AMVxXNt51Ne8IAKxchXZnBntwZYY74FXuwhhD T1oNIUtDugkvmiIvsXoZ8FVaXRNEivIynt4vbDySiT1uODVV63Ij2ADC6cynqice x07W6r9fipLI7xnAz/S+ch6/W4/aWWRrhOD4N74hhYoo0BrG0rXuvrvEjfQJ1xsM gBV5qK97CnM6LdCgniwd2nI7I2vkRnvTIH0fNGipHG+4O3+7aAY+7N+3hj7rj2P4 xD4ABHlsXeeP/XdHzHyhQu+OH2uwg6bzT53cpK7VWcel259lZ9enWMtv7SpxWBVg tbY1SF7eh6+fJKc6W6cD0QwoOo8klRnn6U3VpXr1de7DOgUzAJfI4wUQLAg/tMg= =C5t+ -----END PGP SIGNATURE----- Thank you for your contribution to Debian. From rra at debian.org Tue Jun 18 21:57:14 2013 From: rra at debian.org (Russ Allbery) Date: Tue, 18 Jun 2013 21:57:14 +0000 Subject: [SCM] Debian packaging for OpenSAML 2.0 branch, pristine-tar, updated. c9209d80d9821fc433dc816aa2c3a46654996e99 Message-ID: The following commit has been merged in the pristine-tar branch: commit c9209d80d9821fc433dc816aa2c3a46654996e99 Author: Russ Allbery Date: Tue Jun 18 14:28:16 2013 -0700 pristine-tar data for opensaml2_2.5.3.orig.tar.gz diff --git a/opensaml2_2.5.3.orig.tar.gz.delta b/opensaml2_2.5.3.orig.tar.gz.delta new file mode 100644 index 0000000..ce6ac52 Binary files /dev/null and b/opensaml2_2.5.3.orig.tar.gz.delta differ diff --git a/opensaml2_2.5.3.orig.tar.gz.id b/opensaml2_2.5.3.orig.tar.gz.id new file mode 100644 index 0000000..4a16256 --- /dev/null +++ b/opensaml2_2.5.3.orig.tar.gz.id @@ -0,0 +1 @@ +7c0a99528ca789a78cd0268198c0f0c15433341b -- Debian packaging for OpenSAML 2.0 From rra at debian.org Tue Jun 18 21:57:14 2013 From: rra at debian.org (Russ Allbery) Date: Tue, 18 Jun 2013 21:57:14 +0000 Subject: [SCM] Debian packaging for OpenSAML 2.0 branch, master, updated. debian/2.5.2-1-4-ga63415b Message-ID: The following commit has been merged in the master branch: commit e1564b5c9e9ffd52dd2f32f82a09c349728f569d Author: Russ Allbery Date: Tue Jun 18 14:29:06 2013 -0700 Add changelog for upstream 2.5.3 release diff --git a/debian/changelog b/debian/changelog index d081189..3fa4f00 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,3 +1,10 @@ +opensaml2 (2.5.3-1) UNRELEASED; urgency=low + + * New upstream release. + - Fix samlsign with -dig option. + + -- Russ Allbery Tue, 18 Jun 2013 14:29:02 -0700 + opensaml2 (2.5.2-1) experimental; urgency=low * New upstream release. -- Debian packaging for OpenSAML 2.0 From rra at debian.org Tue Jun 18 21:57:14 2013 From: rra at debian.org (Russ Allbery) Date: Tue, 18 Jun 2013 21:57:14 +0000 Subject: [SCM] Debian packaging for OpenSAML 2.0 branch, master, updated. debian/2.5.2-1-4-ga63415b Message-ID: The following commit has been merged in the master branch: commit a63415b34f62cea4e2503007d0e44a2247934274 Author: Russ Allbery Date: Tue Jun 18 14:40:20 2013 -0700 Finalize changes for 2.5.3-1 diff --git a/debian/changelog b/debian/changelog index 3fa4f00..12b017d 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,9 +1,9 @@ -opensaml2 (2.5.3-1) UNRELEASED; urgency=low +opensaml2 (2.5.3-1) experimental; urgency=low * New upstream release. - Fix samlsign with -dig option. - -- Russ Allbery Tue, 18 Jun 2013 14:29:02 -0700 + -- Russ Allbery Tue, 18 Jun 2013 14:40:01 -0700 opensaml2 (2.5.2-1) experimental; urgency=low -- Debian packaging for OpenSAML 2.0 From rra at debian.org Tue Jun 18 21:57:13 2013 From: rra at debian.org (Russ Allbery) Date: Tue, 18 Jun 2013 21:57:13 +0000 Subject: [SCM] Debian packaging for OpenSAML 2.0 branch, master, updated. debian/2.5.2-1-4-ga63415b Message-ID: The following commit has been merged in the master branch: commit f6f6342b344f653e83230c252124fc70fcb98f23 Merge: 321b1d1c90843753d9c6790c694aa2a91dadaeef cf6565f248ff2c1228dc95727bd9e548a2450bcb Author: Russ Allbery Date: Tue Jun 18 14:28:16 2013 -0700 Merge tag 'upstream/2.5.3' Upstream version 2.5.3 -- Debian packaging for OpenSAML 2.0 From rra at debian.org Tue Jun 18 21:57:22 2013 
From: rra at debian.org (Russ Allbery)
Date: Tue, 18 Jun 2013 21:57:22 +0000
Subject: [SCM] Debian packaging for OpenSAML 2.0 annotated tag, upstream/2.5.3, created. upstream/2.5.3
Message-ID:

The annotated tag, upstream/2.5.3 has been created
        at  ef9036b07b6086b402905d56723cc483111b8aca (tag)
   tagging  cf6565f248ff2c1228dc95727bd9e548a2450bcb (commit)
  replaces  upstream/2.5.2
 tagged by  Russ Allbery
        on  Tue Jun 18 14:28:16 2013 -0700

- Shortlog ------------------------------------------------------------
Upstream version 2.5.3

Russ Allbery (1):
      Imported Upstream version 2.5.3

-----------------------------------------------------------------------
--
Debian packaging for OpenSAML 2.0
From rra at debian.org  Tue Jun 18 21:57:21 2013
From: rra at debian.org (Russ Allbery)
Date: Tue, 18 Jun 2013 21:57:21 +0000
Subject: [SCM] Debian packaging for OpenSAML 2.0 annotated tag, debian/2.5.3-1, created. debian/2.5.3-1
Message-ID:

The annotated tag, debian/2.5.3-1 has been created
        at  8ea8bd40069af679b7dc743d8a53b268610fe3d9 (tag)
   tagging  a63415b34f62cea4e2503007d0e44a2247934274 (commit)
  replaces  debian/2.5.2-1
 tagged by  Russ Allbery
        on  Tue Jun 18 14:55:51 2013 -0700

- Shortlog ------------------------------------------------------------
Debian release 2.5.3-1

Format: 1.8
Date: Tue, 18 Jun 2013 14:40:01 -0700
Source: opensaml2
Binary: libsaml8 libsaml2-dev opensaml2-tools opensaml2-schemas libsaml2-doc
Architecture: source i386 all
Version: 2.5.3-1
Distribution: experimental
Urgency: low
Maintainer: Debian Shib Team
Changed-By: Russ Allbery
Description:
 libsaml2-dev - Security Assertion Markup Language library (development)
 libsaml2-doc - Security Assertion Markup Language library (API docs)
 libsaml8   - Security Assertion Markup Language library (runtime)
 opensaml2-schemas - Security Assertion Markup Language library (XML schemas)
 opensaml2-tools - Security Assertion Markup Language command-line tools
Changes:
 opensaml2 (2.5.3-1) experimental; urgency=low
 .
   * New upstream release.
     - Fix samlsign with -dig option.
Checksums-Sha1: af80c10374e94bbfc7576a13e396270faab5d6cf 1452 opensaml2_2.5.3-1.dsc 412d0807821f7ee5d419e59fd9fd85613d64da7b 703021 opensaml2_2.5.3.orig.tar.gz f9f209a50cb0cfb72ccd40d6006f94f6d9f4a27e 9416 opensaml2_2.5.3-1.debian.tar.xz 59e592e877d01346f4a854ad651cf734e6b9a29f 874216 libsaml8_2.5.3-1_i386.deb 91761862e6e2cb8bdc63705aee63936cc98a62c5 43314 libsaml2-dev_2.5.3-1_i386.deb bf0e3bc95e32c850fa612943aa4450120623db28 24876 opensaml2-tools_2.5.3-1_i386.deb 96f4c2ebcfaa9e8a80bfbe81c62f7bd43e5fbf68 25684 opensaml2-schemas_2.5.3-1_all.deb 713373efd92b5942a803fdf8493bf68537da7c9f 291792 libsaml2-doc_2.5.3-1_all.deb Checksums-Sha256: fed29af39dc6e08e6630a00805fb282b72f2c2097ac6a1494a330c4546137ce8 1452 opensaml2_2.5.3-1.dsc 1ed6a241b2021def6a1af57d3087b697c98b38842e9195e1f3fae194d55c13fb 703021 opensaml2_2.5.3.orig.tar.gz fb8b5c009b138800c3e4a7afd8fa0c5659350cd70bcd52667565470f5ba86390 9416 opensaml2_2.5.3-1.debian.tar.xz ab774d611393e4381388b1e4dcc7a9abd680c83dde0aa5118042f030b9804252 874216 libsaml8_2.5.3-1_i386.deb 0d5b23781e7b9c104d8aad2a141b6f470f7deded1a42aa0913b3bb9da2041370 43314 libsaml2-dev_2.5.3-1_i386.deb 1af8626f05e34e94ad8829fb362731f8141be3a4053aa8e906f6688cfda8a489 24876 opensaml2-tools_2.5.3-1_i386.deb 736ac759fafd5e9131633c3de12488b317e694edea4c6d96cf27b224f1109d52 25684 opensaml2-schemas_2.5.3-1_all.deb d280e70419fc8ac1fcb18d699d3055c92ae22cf83b8995d09a094d4b16618675 291792 libsaml2-doc_2.5.3-1_all.deb Files: 7b91f80150bd335bd0f528d82c1a149e 1452 libs extra opensaml2_2.5.3-1.dsc d3f02d0840759b98e22297b677ab0a72 703021 libs extra opensaml2_2.5.3.orig.tar.gz 3fdcc3cbe5a185563e383c70a1ee96ef 9416 libs extra opensaml2_2.5.3-1.debian.tar.xz 5e1ee0a925b511ddb95f09616d98ba81 874216 libs extra libsaml8_2.5.3-1_i386.deb dc7f25a3ca2bbc5e217e1bbe6bad5e91 43314 libdevel extra libsaml2-dev_2.5.3-1_i386.deb 4b05afcd4d9cf269d739b6094a586bc6 24876 text extra opensaml2-tools_2.5.3-1_i386.deb 654118a884ed8308d47e54ac09c930df 25684 text extra 
opensaml2-schemas_2.5.3-1_all.deb 49656f9c2b613d40c1d2469031276130 291792 doc extra libsaml2-doc_2.5.3-1_all.deb -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQEcBAABCAAGBQJRwNdxAAoJEH2AMVxXNt51mFoIALNOM42yIV9uBRQK3HYCqmMf SAhX9JQYPnJ6+PvEhSHKm/RZtbaJjKfly9ogFoOP2RbZRQM/sx9aY6Nn4VBhrIiT BdW1MYGT6tWHlSttH5QKFJkqBfjr+OntZ25etVlQ+0WpUmlCbqDU7SEDxL3VDguP k+3WtyQbt5U9nPc2oBflf52xmf1LShlLs9Ic7quh/60CjMHHsJRMb3W0myYAlV39 WEooz5ADg4ADFDugOAjCmV1WB/ewthjb58PSUBFmP4pCzJIHmByOh5EJAzpgiB1w HaumlLPkYsb0sT51Xo5cNiQGdMJrp7CJRMNivySm+iddxyWM7lEWmKADOo0PKpw= =qxTk -----END PGP SIGNATURE----- Russ Allbery (4): Imported Upstream version 2.5.3 Merge tag 'upstream/2.5.3' Add changelog for upstream 2.5.3 release Finalize changes for 2.5.3-1 ----------------------------------------------------------------------- -- Debian packaging for OpenSAML 2.0 From ftpmaster at ftp-master.debian.org Tue Jun 18 22:01:31 2013 From: ftpmaster at ftp-master.debian.org (Debian FTP Masters) Date: Tue, 18 Jun 2013 22:01:31 +0000 Subject: Processing of opensaml2_2.5.3-1_i386.changes Message-ID: opensaml2_2.5.3-1_i386.changes uploaded successfully to localhost along with the files: opensaml2_2.5.3-1.dsc opensaml2_2.5.3.orig.tar.gz opensaml2_2.5.3-1.debian.tar.xz libsaml8_2.5.3-1_i386.deb libsaml2-dev_2.5.3-1_i386.deb opensaml2-tools_2.5.3-1_i386.deb opensaml2-schemas_2.5.3-1_all.deb libsaml2-doc_2.5.3-1_all.deb Greetings, Your Debian queue daemon (running on host franck.debian.org) From ftpmaster at ftp-master.debian.org Tue Jun 18 22:04:17 2013 
From: ftpmaster at ftp-master.debian.org (Debian FTP Masters)
Date: Tue, 18 Jun 2013 22:04:17 +0000
Subject: opensaml2_2.5.3-1_i386.changes ACCEPTED into experimental
Message-ID:

Accepted:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 18 Jun 2013 14:40:01 -0700
Source: opensaml2
Binary: libsaml8 libsaml2-dev opensaml2-tools opensaml2-schemas libsaml2-doc
Architecture: source i386 all
Version: 2.5.3-1
Distribution: experimental
Urgency: low
Maintainer: Debian Shib Team
Changed-By: Russ Allbery
Description:
 libsaml2-dev - Security Assertion Markup Language library (development)
 libsaml2-doc - Security Assertion Markup Language library (API docs)
 libsaml8   - Security Assertion Markup Language library (runtime)
 opensaml2-schemas - Security Assertion Markup Language library (XML schemas)
 opensaml2-tools - Security Assertion Markup Language command-line tools
Changes:
 opensaml2 (2.5.3-1) experimental; urgency=low
 .
   * New upstream release.
     - Fix samlsign with -dig option.
Checksums-Sha1: 3d2b8aae8dbae5906bd29b1d4a0beb0e308a0c3f 1992 opensaml2_2.5.3-1.dsc 412d0807821f7ee5d419e59fd9fd85613d64da7b 703021 opensaml2_2.5.3.orig.tar.gz f9f209a50cb0cfb72ccd40d6006f94f6d9f4a27e 9416 opensaml2_2.5.3-1.debian.tar.xz 59e592e877d01346f4a854ad651cf734e6b9a29f 874216 libsaml8_2.5.3-1_i386.deb 91761862e6e2cb8bdc63705aee63936cc98a62c5 43314 libsaml2-dev_2.5.3-1_i386.deb bf0e3bc95e32c850fa612943aa4450120623db28 24876 opensaml2-tools_2.5.3-1_i386.deb 96f4c2ebcfaa9e8a80bfbe81c62f7bd43e5fbf68 25684 opensaml2-schemas_2.5.3-1_all.deb 713373efd92b5942a803fdf8493bf68537da7c9f 291792 libsaml2-doc_2.5.3-1_all.deb Checksums-Sha256: 964a4e030e6adf67980c17bcec6904e4efb390a9e77bb7abbeb6956df4ab7a6a 1992 opensaml2_2.5.3-1.dsc 1ed6a241b2021def6a1af57d3087b697c98b38842e9195e1f3fae194d55c13fb 703021 opensaml2_2.5.3.orig.tar.gz fb8b5c009b138800c3e4a7afd8fa0c5659350cd70bcd52667565470f5ba86390 9416 opensaml2_2.5.3-1.debian.tar.xz ab774d611393e4381388b1e4dcc7a9abd680c83dde0aa5118042f030b9804252 874216 libsaml8_2.5.3-1_i386.deb 0d5b23781e7b9c104d8aad2a141b6f470f7deded1a42aa0913b3bb9da2041370 43314 libsaml2-dev_2.5.3-1_i386.deb 1af8626f05e34e94ad8829fb362731f8141be3a4053aa8e906f6688cfda8a489 24876 opensaml2-tools_2.5.3-1_i386.deb 736ac759fafd5e9131633c3de12488b317e694edea4c6d96cf27b224f1109d52 25684 opensaml2-schemas_2.5.3-1_all.deb d280e70419fc8ac1fcb18d699d3055c92ae22cf83b8995d09a094d4b16618675 291792 libsaml2-doc_2.5.3-1_all.deb Files: 5a9a25eafa351d1be8816ea1d210f380 1992 libs extra opensaml2_2.5.3-1.dsc d3f02d0840759b98e22297b677ab0a72 703021 libs extra opensaml2_2.5.3.orig.tar.gz 3fdcc3cbe5a185563e383c70a1ee96ef 9416 libs extra opensaml2_2.5.3-1.debian.tar.xz 5e1ee0a925b511ddb95f09616d98ba81 874216 libs extra libsaml8_2.5.3-1_i386.deb dc7f25a3ca2bbc5e217e1bbe6bad5e91 43314 libdevel extra libsaml2-dev_2.5.3-1_i386.deb 4b05afcd4d9cf269d739b6094a586bc6 24876 text extra opensaml2-tools_2.5.3-1_i386.deb 654118a884ed8308d47e54ac09c930df 25684 text extra 
opensaml2-schemas_2.5.3-1_all.deb 49656f9c2b613d40c1d2469031276130 291792 doc extra libsaml2-doc_2.5.3-1_all.deb -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQEcBAEBCAAGBQJRwNehAAoJEH2AMVxXNt511w8H/1cQjNmF9FLwjURoP+J0+AxL I7mFJZUoFLs4rtxiqNkYQgnB7wSu8mPy8s9qERQHEwOMu3YpiJDwS74YplivW6+9 FXsqU4jtmYI9PJI2t3sibuVutdz3V7LN3VnVOY9qhvBEsR93O4tn7NwcuhFfxFf8 rOYNnAogZdpcSwl9fXg00zhaMleHoFrr5Yf2PUIPrrVagggg7FrT/HGd4hNftsNo hTkDhqZ/O/v446ysZeVYVXui4k8wCaETCZwtlVCVo/zoXMOHa6RrryLZ41/gWiqY +3ctRIXr1RsnbJW5K3rD6b5OrKdGAXqpo1NoMCPblLY9lQK6Jas6TnASgTTjuZ8= =Tojd -----END PGP SIGNATURE----- Thank you for your contribution to Debian. From ftpmaster at ftp-master.debian.org Tue Jun 18 23:57:00 2013 From: ftpmaster at ftp-master.debian.org (Debian FTP Masters) Date: Tue, 18 Jun 2013 23:57:00 +0000 Subject: Processing of shibboleth-sp2_2.5.2+dfsg-1_i386.changes Message-ID: shibboleth-sp2_2.5.2+dfsg-1_i386.changes uploaded successfully to localhost along with the files: shibboleth-sp2_2.5.2+dfsg-1.dsc shibboleth-sp2_2.5.2+dfsg.orig.tar.xz shibboleth-sp2_2.5.2+dfsg-1.debian.tar.xz libapache2-mod-shib2_2.5.2+dfsg-1_i386.deb libshibsp6_2.5.2+dfsg-1_i386.deb libshibsp-dev_2.5.2+dfsg-1_i386.deb libshibsp-doc_2.5.2+dfsg-1_all.deb shibboleth-sp2-schemas_2.5.2+dfsg-1_all.deb Greetings, Your Debian queue daemon (running on host franck.debian.org) From rra at debian.org Tue Jun 18 23:57:02 2013 
From: rra at debian.org (Russ Allbery) Date: Tue, 18 Jun 2013 23:57:02 +0000 Subject: [SCM] Debian packaging for the 2.0 Apache Shibboleth SP branch, master, updated. debian/2.5.1+dfsg-1-7-gbb96e1f Message-ID: The following commit has been merged in the master branch: commit b456d9464c16cbc905e016595cfe3939902c853d Author: Russ Allbery Date: Tue Jun 18 15:27:15 2013 -0700 Link FastCGI programs directly with libxmltooling-lite * Link the FastCGI programs with libxmltooling-lite since they call one of its interfaces directly. (This shows up as a build failure otherwise due to the Debian build rules use of --as-needed.) diff --git a/debian/changelog b/debian/changelog index 0e8cecc..33feadf 100644 --- a/debian/changelog +++ b/debian/changelog @@ -22,6 +22,9 @@ shibboleth-sp2 (2.5.2+dfsg-1) UNRELEASED; urgency=low that have to be available to everyone and to use Require shib-session instead of Require valid-user. * Create /var/cache/shibboleth on install and remove it on purge. + * Link the FastCGI programs with libxmltooling-lite since they call one + of its interfaces directly. (This shows up as a build failure + otherwise due to the Debian build rules use of --as-needed.) -- Russ Allbery Tue, 18 Jun 2013 11:13:01 -0700 diff --git a/fastcgi/Makefile.am b/fastcgi/Makefile.am index 7c7baa3..667c6dc 100644 --- a/fastcgi/Makefile.am +++ b/fastcgi/Makefile.am 
@@ -10,13 +10,15 @@ shibauthorizer_SOURCES = shibauthorizer.cpp shibauthorizer_CXXFLAGS = $(FASTCGI_INCLUDE) shibauthorizer_LDFLAGS = $(FASTCGI_LDFLAGS) shibauthorizer_LDADD = $(FASTCGI_LIBS) \ - $(top_builddir)/shibsp/libshibsp-lite.la + $(top_builddir)/shibsp/libshibsp-lite.la \ + $(LITE_LIBS) shibresponder_SOURCES = shibresponder.cpp shibresponder_CXXFLAGS = $(FASTCGI_INCLUDE) shibresponder_LDFLAGS = $(FASTCGI_LDFLAGS) shibresponder_LDADD = $(FASTCGI_LIBS) \ - $(top_builddir)/shibsp/libshibsp-lite.la + $(top_builddir)/shibsp/libshibsp-lite.la \ + $(LITE_LIBS) endif -- Debian packaging for the 2.0 Apache Shibboleth SP From rra at debian.org Tue Jun 18 23:57:02 2013 From: rra at debian.org (Russ Allbery) Date: Tue, 18 Jun 2013 23:57:02 +0000 Subject: [SCM] Debian packaging for the 2.0 Apache Shibboleth SP branch, master, updated. debian/2.5.1+dfsg-1-7-gbb96e1f Message-ID: The following commit has been merged in the master branch: commit 5c6141bff267a43d327e31fc40298aabb774ca53 Author: Russ Allbery Date: Tue Jun 18 15:08:18 2013 -0700 Add changelog, NEWS, and doc updates for 2.5.2 release Add upstream changes for 2.5.2. Add NEWS entry for the authentication directive changes. Update README.Debian instructions to add AuthType None to the URLs that have to be available to everyone and to use Require shib-session instead of Require valid-user. diff --git a/debian/changelog b/debian/changelog index d2d2c06..cac8c50 100644 --- a/debian/changelog +++ b/debian/changelog 
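Review bot: the fastcgi/Makefile.am hunk fixes the link failure by appending `$(LITE_LIBS)` to `shibauthorizer_LDADD` and `shibresponder_LDADD`, but the patch never shows LITE_LIBS being defined, and the changelog entry says the programs are linked with libxmltooling-lite; please confirm that configure sets LITE_LIBS to the xmltooling-lite library on the Debian build path, because make expands an undefined variable to nothing and the `--as-needed` failure described in the changelog would then come back unchanged. Separately, an edit to Makefile.am only reaches the built packages if debian/rules regenerates Makefile.in (dh_autoreconf or equivalent); if the build uses the shipped Makefile.in, the same change is needed there.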
@@ -1,6 +1,26 @@ shibboleth-sp2 (2.5.2+dfsg-1) UNRELEASED; urgency=low * New upstream release. + - New shib-session and shib-user Require authentication types added, + which should be used in preference to Require valid-user or Require + user with Shibboleth authentication is desired. + - New ShibCompatValidUser Apache directive, which works around the way + that Shibboleth hooks into Require valid-user and Require user so + that those directives will continue to work with non-Shibboleth + authentication types. This directive will be needed for servers + that use Shibboleth and other authentication methods and want to use + Require valid-user or Require user with non-Shibboleth methods. + - Fix implementation of shib-metagen -l. + - Fix AttributeExtractor handling of multiple logos. + - Fix metadata attribute extraction with non-ASCII characters. + - Fix problems with Apache subrequests during server-side include + handling of unprotected pages. + - Add character set to DiscoFeed page header. + - Avoid leaking shibd sockets to child processes. + * Add NEWS entry for the authentication directive changes. + * Update README.Debian instructions to add AuthType None to the URLs + that have to be available to everyone and to use Require shib-session + instead of Require valid-user. -- Russ Allbery Tue, 18 Jun 2013 11:13:01 -0700 diff --git a/debian/libapache2-mod-shib2.NEWS b/debian/libapache2-mod-shib2.NEWS index 1ff4483..cea6b95 100644 --- a/debian/libapache2-mod-shib2.NEWS +++ b/debian/libapache2-mod-shib2.NEWS 
@@ -1,3 +1,22 @@ +shibboleth-sp2 (2.5.2+dfsg-1) experimental; urgency=low + + Shibboleth has added new Require shib-session and Require shib-user + directives, which will replace use of Require valid-user and Require + user with Shibboleth authentication. If you are currently using + valid-user or user restrictions with Shibboleth, consider switching to + shib-session and shib-user, respectively. + + If you are using both Shibboleth and another authentication method, such + as basic auth, on the same Apache server and want to use Require + valid-user or Require user with the non-Shibboleth authentication + method, you will need to add: + + ShibCompatValidUser On + + to your server or virtual host configuration. + + -- Russ Allbery Tue, 18 Jun 2013 14:47:40 -0700 + shibboleth-sp2 (2.3+dfsg-1) unstable; urgency=high As of this release, running shibd as a non-root user is supported and diff --git a/debian/libapache2-mod-shib2.README.Debian b/debian/libapache2-mod-shib2.README.Debian index 6ac5d32..982a736 100644 --- a/debian/libapache2-mod-shib2.README.Debian +++ b/debian/libapache2-mod-shib2.README.Debian @@ -33,6 +33,7 @@ Installation and Configuration Shibboleth client to the /Shibboleth.sso URL. For example: + AuthType None Require all granted @@ -46,6 +47,7 @@ Installation and Configuration /shibboleth-sp), add this to your Apache configuration: + AuthType None Require all granted Alias /shibboleth-sp/main.css /usr/share/shibboleth/main.css @@ -64,7 +66,7 @@ Installation and Configuration AuthType shibboleth ShibRequestSetting requireSession 1 - require valid-user + Require shib-session for some , , or block. You can also put @@ -152,4 +154,4 @@ Further Information https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPConfiguration - -- Russ Allbery , Fri, 31 May 2013 15:52:13 -0700 + -- Russ Allbery , Tue, 18 Jun 2013 14:50:43 -0700 -- Debian packaging for the 2.0 Apache Shibboleth SP From rra at debian.org Tue Jun 18 23:57:01 2013 
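Review bot: the first changelog bullet, "which should be used in preference to Require valid-user or Require user with Shibboleth authentication is desired", does not parse; suggest "which should be used in preference to Require valid-user or Require user when Shibboleth authentication is desired". The same text is reused verbatim in the upload's .changes file, so correcting it here before the "Finalize changes" commit avoids shipping the typo.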
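Review bot: the README.Debian hunks add `AuthType None` next to `Require all granted` for the /Shibboleth.sso handler and the /shibboleth-sp static files, and switch the protected-location example from `require valid-user` to `Require shib-session`; both are the right change, but `Require all granted` is Apache 2.4 authorization syntax (mod_authz_core), so the README should say these snippets target Apache 2.4 and that 2.2 deployments need the equivalent access directives. It would also help to note next to `Require shib-session` that it is only meaningful inside a block that carries `AuthType shibboleth` and `ShibRequestSetting requireSession 1`, as the example does, and to point readers who mix Shibboleth with other authentication types at the `ShibCompatValidUser On` guidance in the NEWS entry.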
From: rra at debian.org (Russ Allbery) Date: Tue, 18 Jun 2013 23:57:01 +0000 Subject: [SCM] Debian packaging for the 2.0 Apache Shibboleth SP branch, master, updated. debian/2.5.1+dfsg-1-7-gbb96e1f Message-ID: The following commit has been merged in the master branch: commit 9d216506814fd3ba72dae8b1b89566403204d6a9 Merge: 310b98352a734081264c57ceb45348c9ec1e0f49 1554c253a6aae5af7a4a13aae06f858f4c01b32f Author: Russ Allbery Date: Tue Jun 18 11:13:46 2013 -0700 Merge tag 'upstream/2.5.2+dfsg' Upstream version 2.5.2+dfsg -- Debian packaging for the 2.0 Apache Shibboleth SP From rra at debian.org Tue Jun 18 23:57:01 2013 From: rra at debian.org (Russ Allbery) Date: Tue, 18 Jun 2013 23:57:01 +0000 Subject: [SCM] Debian packaging for the 2.0 Apache Shibboleth SP branch, master, updated. debian/2.5.1+dfsg-1-7-gbb96e1f Message-ID: The following commit has been merged in the master branch: commit 310b98352a734081264c57ceb45348c9ec1e0f49 Author: Russ Allbery Date: Tue Jun 18 11:13:06 2013 -0700 Add stub changelog entry for the 2.5.2 release diff --git a/debian/changelog b/debian/changelog index dec8dd7..d2d2c06 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +shibboleth-sp2 (2.5.2+dfsg-1) UNRELEASED; urgency=low + + * New upstream release. + + -- Russ Allbery Tue, 18 Jun 2013 11:13:01 -0700 + shibboleth-sp2 (2.5.1+dfsg-1) experimental; urgency=low * New upstream release. (Closes: #685069) -- Debian packaging for the 2.0 Apache Shibboleth SP From rra at debian.org Tue Jun 18 23:57:02 2013 From: rra at debian.org (Russ Allbery) Date: Tue, 18 Jun 2013 23:57:02 +0000 Subject: [SCM] Debian packaging for the 2.0 Apache Shibboleth SP branch, master, updated. debian/2.5.1+dfsg-1-7-gbb96e1f Message-ID: The following commit has been merged in the master branch: commit fbc93a0691685e35fcfa5abb8851baae7abbe180 Author: Russ Allbery Date: Tue Jun 18 15:18:30 2013 -0700 Create /var/cache/shibboleth on install and remove it on purge 
diff --git a/debian/changelog b/debian/changelog index cac8c50..0e8cecc 100644 --- a/debian/changelog +++ b/debian/changelog @@ -21,6 +21,7 @@ shibboleth-sp2 (2.5.2+dfsg-1) UNRELEASED; urgency=low * Update README.Debian instructions to add AuthType None to the URLs that have to be available to everyone and to use Require shib-session instead of Require valid-user. + * Create /var/cache/shibboleth on install and remove it on purge. -- Russ Allbery Tue, 18 Jun 2013 11:13:01 -0700 diff --git a/debian/libapache2-mod-shib2.postinst b/debian/libapache2-mod-shib2.postinst index 1e14f74..a947f6b 100755 --- a/debian/libapache2-mod-shib2.postinst +++ b/debian/libapache2-mod-shib2.postinst @@ -11,6 +11,12 @@ if [ "$1" = "configure" ] ; then fi fi +# Create the cache directory owned by the shibd user. +if [ ! -d /var/cache/shibboleth ] ; then + mkdir /var/cache/shibboleth + chown _shibd:_shibd /var/cache/shibboleth +fi + #DEBHELPER# exit 0 diff --git a/debian/libapache2-mod-shib2.postrm b/debian/libapache2-mod-shib2.postrm index 976e04f..e5ca865 100755 --- a/debian/libapache2-mod-shib2.postrm +++ b/debian/libapache2-mod-shib2.postrm @@ -3,7 +3,7 @@ set -e if [ "$1" = purge ] || [ "$1" = remove ] ; then - rm -rf /var/run/shibboleth + rm -rf /var/cache/shibboleth /var/run/shibboleth fi #DEBHELPER# -- Debian packaging for the 2.0 Apache Shibboleth SP From rra at debian.org Tue Jun 18 23:57:02 2013 From: rra at debian.org (Russ Allbery) Date: Tue, 18 Jun 2013 23:57:02 +0000 Subject: [SCM] Debian packaging for the 2.0 Apache Shibboleth SP branch, master, updated. debian/2.5.1+dfsg-1-7-gbb96e1f Message-ID: The following commit has been merged in the master branch: commit bb96e1fbe615b89bfd8fb6e33b46cef6af8764d5 Author: Russ Allbery Date: Tue Jun 18 16:42:55 2013 -0700 Finalize changes for 2.5.2+dfsg-1 diff --git a/debian/changelog b/debian/changelog index 33feadf..b849465 100644 --- a/debian/changelog +++ b/debian/changelog 
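Review bot: in the postinst hunk, /var/cache/shibboleth is created with `mkdir` and `chown _shibd:_shibd` but no explicit mode, so its permissions depend on whatever umask is in effect when the maintainer script runs; since the directory is handed to the unprivileged daemon user, create it with a fixed mode in one step, e.g. `install -d -o _shibd -g _shibd -m 0750 /var/cache/shibboleth`, or `mkdir -m 0750` followed by the chown. The block also sits after the closing `fi fi` of the `if [ "$1" = "configure" ]` guard, so it runs on every postinst invocation (abort-upgrade included); moving it inside the configure branch keeps it with the rest of the install-time setup. Finally, the `[ ! -d ]` test means a directory that already exists with different ownership or mode is never corrected; running the ownership and mode fix unconditionally (which `install -d` does safely on reruns) covers that case too.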
@@ -1,4 +1,4 @@ -shibboleth-sp2 (2.5.2+dfsg-1) UNRELEASED; urgency=low +shibboleth-sp2 (2.5.2+dfsg-1) experimental; urgency=low * New upstream release. - New shib-session and shib-user Require authentication types added, @@ -26,7 +26,7 @@ shibboleth-sp2 (2.5.2+dfsg-1) UNRELEASED; urgency=low of its interfaces directly. (This shows up as a build failure otherwise due to the Debian build rules use of --as-needed.) - -- Russ Allbery Tue, 18 Jun 2013 11:13:01 -0700 + -- Russ Allbery Tue, 18 Jun 2013 16:42:34 -0700 shibboleth-sp2 (2.5.1+dfsg-1) experimental; urgency=low -- Debian packaging for the 2.0 Apache Shibboleth SP From rra at debian.org Tue Jun 18 23:57:03 2013 From: rra at debian.org (Russ Allbery) Date: Tue, 18 Jun 2013 23:57:03 +0000 Subject: [SCM] Debian packaging for the 2.0 Apache Shibboleth SP branch, pristine-tar, updated. f4098769c760570705e5323aefdb5bca7119724c Message-ID: The following commit has been merged in the pristine-tar branch: commit f4098769c760570705e5323aefdb5bca7119724c Author: Russ Allbery Date: Tue Jun 18 11:13:45 2013 -0700 pristine-tar data for shibboleth-sp2_2.5.2+dfsg.orig.tar.xz diff --git a/shibboleth-sp2_2.5.2+dfsg.orig.tar.xz.delta b/shibboleth-sp2_2.5.2+dfsg.orig.tar.xz.delta new file mode 100644 index 0000000..8cf07f2 Binary files /dev/null and b/shibboleth-sp2_2.5.2+dfsg.orig.tar.xz.delta differ diff --git a/shibboleth-sp2_2.5.2+dfsg.orig.tar.xz.id b/shibboleth-sp2_2.5.2+dfsg.orig.tar.xz.id new file mode 100644 index 0000000..f176f79 --- /dev/null +++ b/shibboleth-sp2_2.5.2+dfsg.orig.tar.xz.id @@ -0,0 +1 @@ +d2bec226a0f2a7cc0693bd5f8cb58ef0ec3e8b50 -- Debian packaging for the 2.0 Apache Shibboleth SP From rra at debian.org Tue Jun 18 23:57:07 2013 
From: rra at debian.org (Russ Allbery)
Date: Tue, 18 Jun 2013 23:57:07 +0000
Subject: [SCM] Debian packaging for the 2.0 Apache Shibboleth SP annotated tag, debian/2.5.2+dfsg-1, created. debian/2.5.2+dfsg-1
Message-ID:

The annotated tag, debian/2.5.2+dfsg-1 has been created
        at  0835a6cdadc5a4f826849677c606ae94800d4251 (tag)
   tagging  bb96e1fbe615b89bfd8fb6e33b46cef6af8764d5 (commit)
  replaces  debian/2.5.1+dfsg-1
 tagged by  Russ Allbery
        on  Tue Jun 18 16:55:54 2013 -0700

- Shortlog ------------------------------------------------------------
Debian release 2.5.2+dfsg-1

Format: 1.8
Date: Tue, 18 Jun 2013 16:42:34 -0700
Source: shibboleth-sp2
Binary: libapache2-mod-shib2 libshibsp6 libshibsp-dev libshibsp-doc shibboleth-sp2-schemas
Architecture: source i386 all
Version: 2.5.2+dfsg-1
Distribution: experimental
Urgency: low
Maintainer: Debian Shib Team
Changed-By: Russ Allbery
Description:
 libapache2-mod-shib2 - Federated web single sign-on system (Apache module)
 libshibsp-dev - Federated web single sign-on system (development)
 libshibsp-doc - Federated web single sign-on system (API docs)
 libshibsp6 - Federated web single sign-on system (runtime)
 shibboleth-sp2-schemas - Federated web single sign-on system (schemas)
Changes:
 shibboleth-sp2 (2.5.2+dfsg-1) experimental; urgency=low
 .
   * New upstream release.
     - New shib-session and shib-user Require authentication types added,
       which should be used in preference to Require valid-user or Require
       user with Shibboleth authentication is desired.
     - New ShibCompatValidUser Apache directive, which works around the way
       that Shibboleth hooks into Require valid-user and Require user so
       that those directives will continue to work with non-Shibboleth
       authentication types.  This directive will be needed for servers
       that use Shibboleth and other authentication methods and want to use
       Require valid-user or Require user with non-Shibboleth methods.
     - Fix implementation of shib-metagen -l.
     - Fix AttributeExtractor handling of multiple logos.
- Fix metadata attribute extraction with non-ASCII characters. - Fix problems with Apache subrequests during server-side include handling of unprotected pages. - Add character set to DiscoFeed page header. - Avoid leaking shibd sockets to child processes. * Add NEWS entry for the authentication directive changes. * Update README.Debian instructions to add AuthType None to the URLs that have to be available to everyone and to use Require shib-session instead of Require valid-user. * Create /var/cache/shibboleth on install and remove it on purge. * Link the FastCGI programs with libxmltooling-lite since they call one of its interfaces directly. (This shows up as a build failure otherwise due to the Debian build rules use of --as-needed.) Checksums-Sha1: d2e2cbdf371a758ac438fbdf01f2c0d669c578da 1731 shibboleth-sp2_2.5.2+dfsg-1.dsc cf2eeec82133559f48cb56244f11f0be5a157332 567568 shibboleth-sp2_2.5.2+dfsg.orig.tar.xz 9fa1de31c0b92bde95795e7ec3825a1ac74bfcfc 23560 shibboleth-sp2_2.5.2+dfsg-1.debian.tar.xz ad175864029f91a011bb11936c39d28d00263cd4 262532 libapache2-mod-shib2_2.5.2+dfsg-1_i386.deb a293fd19499dfafcfc3945e434d19a3da833fb4d 813672 libshibsp6_2.5.2+dfsg-1_i386.deb a6de32134bb48ebb75cd4e58f409d76b7344b417 50766 libshibsp-dev_2.5.2+dfsg-1_i386.deb 858ec99d3ffe3a4d0b425d23e9a58b01c9e33b92 258742 libshibsp-doc_2.5.2+dfsg-1_all.deb 417c2444436c96670d56c8013d11a9c830f588f5 26092 shibboleth-sp2-schemas_2.5.2+dfsg-1_all.deb Checksums-Sha256: bea564defab053ca40d6b8b51871060f367e25f76be15c171a0eded067ead7a9 1731 shibboleth-sp2_2.5.2+dfsg-1.dsc a6052082a34e825cf3e8952bb84098b6f9df05316dc571fe232aba920c74493e 567568 shibboleth-sp2_2.5.2+dfsg.orig.tar.xz fa82f1ae76f3e00bd276b9b5fdc0c84c919f09e53fe0334366073016d86d798a 23560 shibboleth-sp2_2.5.2+dfsg-1.debian.tar.xz 40679886ce5b948aa12b8bbdc860a0fb0238d48cc0af0170a5b62c5ebc811fdb 262532 libapache2-mod-shib2_2.5.2+dfsg-1_i386.deb 01324334ed255a97f737b93d7a53875519b82d58e27cee363823c34165d72e1f 813672 
libshibsp6_2.5.2+dfsg-1_i386.deb 723dd7f738b02b078ca60787ba074fd3bc26f40322f3e02d9c02d5a3435d4221 50766 libshibsp-dev_2.5.2+dfsg-1_i386.deb d7ce377314ae0349fb2797124be6dfb0974c603168da0e8db61c9f2990b99487 258742 libshibsp-doc_2.5.2+dfsg-1_all.deb 07d798e1bcc2009c2decce5953df836cef24aa704a515133e83d418cffa2520f 26092 shibboleth-sp2-schemas_2.5.2+dfsg-1_all.deb Files: 129e4a690d2cd249c0bc6edb83054921 1731 web extra shibboleth-sp2_2.5.2+dfsg-1.dsc 98edbfbb63ef36bc732c79ebb4a65313 567568 web extra shibboleth-sp2_2.5.2+dfsg.orig.tar.xz 6ced5a344bcc712c6059ae4ec77a74e3 23560 web extra shibboleth-sp2_2.5.2+dfsg-1.debian.tar.xz 43f709789c1be83bad8224c0b6052364 262532 httpd extra libapache2-mod-shib2_2.5.2+dfsg-1_i386.deb a15f76a4a077593be5ec61ab50252a34 813672 libs extra libshibsp6_2.5.2+dfsg-1_i386.deb 16d4045ee985e5779ed8269513af4a5e 50766 libdevel extra libshibsp-dev_2.5.2+dfsg-1_i386.deb fa5eee965442dae344791162e9057b99 258742 doc extra libshibsp-doc_2.5.2+dfsg-1_all.deb b37353b94119c9ae70f3050a895d68b1 26092 text extra shibboleth-sp2-schemas_2.5.2+dfsg-1_all.deb -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQEcBAABCAAGBQJRwPOWAAoJEH2AMVxXNt51hOgIAKUOeFZwC9ACPDaHAaTpHNgH 6sz5G8V0Lp9oTX5TIp3L59YynTM15aS1sGYgRkxkA+gxHGGVXq7dECr9/gnt5AvE qmy4WLGf33mwoxxEGaEJd41BVipKDUHkwmC7wLAEMrJpDWidQe+JfXRnGmnvA96U fDtRqjnQJIeRaoaBwkG3r7lAgTLHmLvUIr3LO9YsVHS6PLcDMcFS+40imApIvy+0 ofmnUZp1NUlRbAiOnnJkGOQPeAgi+ZoPpsh92HFmY6tW/nQBdYNLBKOoDplq6OZT AVz/eVxtQhPInaCeGynaYcdBhw/6M9jJAzfcYaYcjy3fF+aSHb35byYldVBtpYs= =I31+ -----END PGP SIGNATURE----- Russ Allbery (7): Add stub changelog entry for the 2.5.2 release Imported Upstream version 2.5.2+dfsg Merge tag 'upstream/2.5.2+dfsg' Add changelog, NEWS, and doc updates for 2.5.2 release Create /var/cache/shibboleth on install and remove it on purge Link FastCGI programs directly with libxmltooling-lite Finalize changes for 2.5.2+dfsg-1 ----------------------------------------------------------------------- -- Debian packaging 
for the 2.0 Apache Shibboleth SP From rra at debian.org Tue Jun 18 23:57:08 2013 From: rra at debian.org (Russ Allbery) Date: Tue, 18 Jun 2013 23:57:08 +0000 Subject: [SCM] Debian packaging for the 2.0 Apache Shibboleth SP annotated tag, upstream/2.5.2+dfsg, created. upstream/2.5.2+dfsg Message-ID: The annotated tag, upstream/2.5.2+dfsg has been created at be7bc5e407370dd16c45412e24e0181bdf7cd712 (tag) tagging 1554c253a6aae5af7a4a13aae06f858f4c01b32f (commit) replaces upstream/2.5.1+dfsg tagged by Russ Allbery on Tue Jun 18 11:13:45 2013 -0700 - Shortlog ------------------------------------------------------------ Upstream version 2.5.2+dfsg Russ Allbery (1): Imported Upstream version 2.5.2+dfsg ----------------------------------------------------------------------- -- Debian packaging for the 2.0 Apache Shibboleth SP From ftpmaster at ftp-master.debian.org Wed Jun 19 00:03:28 2013 
From: ftpmaster at ftp-master.debian.org (Debian FTP Masters) Date: Wed, 19 Jun 2013 00:03:28 +0000 Subject: shibboleth-sp2_2.5.2+dfsg-1_i386.changes ACCEPTED into experimental Message-ID: Accepted: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Format: 1.8 Date: Tue, 18 Jun 2013 16:42:34 -0700 Source: shibboleth-sp2 Binary: libapache2-mod-shib2 libshibsp6 libshibsp-dev libshibsp-doc shibboleth-sp2-schemas Architecture: source i386 all Version: 2.5.2+dfsg-1 Distribution: experimental Urgency: low Maintainer: Debian Shib Team Changed-By: Russ Allbery Description: libapache2-mod-shib2 - Federated web single sign-on system (Apache module) libshibsp-dev - Federated web single sign-on system (development) libshibsp-doc - Federated web single sign-on system (API docs) libshibsp6 - Federated web single sign-on system (runtime) shibboleth-sp2-schemas - Federated web single sign-on system (schemas) Changes: shibboleth-sp2 (2.5.2+dfsg-1) experimental; urgency=low . * New upstream release. - New shib-session and shib-user Require authentication types added, which should be used in preference to Require valid-user or Require user when Shibboleth authentication is desired. - New ShibCompatValidUser Apache directive, which works around the way that Shibboleth hooks into Require valid-user and Require user so that those directives will continue to work with non-Shibboleth authentication types. This directive will be needed for servers that use Shibboleth and other authentication methods and want to use Require valid-user or Require user with non-Shibboleth methods. - Fix implementation of shib-metagen -l. - Fix AttributeExtractor handling of multiple logos. - Fix metadata attribute extraction with non-ASCII characters. - Fix problems with Apache subrequests during server-side include handling of unprotected pages. - Add character set to DiscoFeed page header. - Avoid leaking shibd sockets to child processes. * Add NEWS entry for the authentication directive changes. 
* Update README.Debian instructions to add AuthType None to the URLs that have to be available to everyone and to use Require shib-session instead of Require valid-user. * Create /var/cache/shibboleth on install and remove it on purge. * Link the FastCGI programs with libxmltooling-lite since they call one of its interfaces directly. (This shows up as a build failure otherwise due to the Debian build rules use of --as-needed.) Checksums-Sha1: 87272501391461e59f850cf6ae848104f4725bd7 2271 shibboleth-sp2_2.5.2+dfsg-1.dsc cf2eeec82133559f48cb56244f11f0be5a157332 567568 shibboleth-sp2_2.5.2+dfsg.orig.tar.xz 9fa1de31c0b92bde95795e7ec3825a1ac74bfcfc 23560 shibboleth-sp2_2.5.2+dfsg-1.debian.tar.xz ad175864029f91a011bb11936c39d28d00263cd4 262532 libapache2-mod-shib2_2.5.2+dfsg-1_i386.deb a293fd19499dfafcfc3945e434d19a3da833fb4d 813672 libshibsp6_2.5.2+dfsg-1_i386.deb a6de32134bb48ebb75cd4e58f409d76b7344b417 50766 libshibsp-dev_2.5.2+dfsg-1_i386.deb 858ec99d3ffe3a4d0b425d23e9a58b01c9e33b92 258742 libshibsp-doc_2.5.2+dfsg-1_all.deb 417c2444436c96670d56c8013d11a9c830f588f5 26092 shibboleth-sp2-schemas_2.5.2+dfsg-1_all.deb Checksums-Sha256: 074d01733742583e7354957027ef92f9c15043222eaeffc3679ab179032c6f26 2271 shibboleth-sp2_2.5.2+dfsg-1.dsc a6052082a34e825cf3e8952bb84098b6f9df05316dc571fe232aba920c74493e 567568 shibboleth-sp2_2.5.2+dfsg.orig.tar.xz fa82f1ae76f3e00bd276b9b5fdc0c84c919f09e53fe0334366073016d86d798a 23560 shibboleth-sp2_2.5.2+dfsg-1.debian.tar.xz 40679886ce5b948aa12b8bbdc860a0fb0238d48cc0af0170a5b62c5ebc811fdb 262532 libapache2-mod-shib2_2.5.2+dfsg-1_i386.deb 01324334ed255a97f737b93d7a53875519b82d58e27cee363823c34165d72e1f 813672 libshibsp6_2.5.2+dfsg-1_i386.deb 723dd7f738b02b078ca60787ba074fd3bc26f40322f3e02d9c02d5a3435d4221 50766 libshibsp-dev_2.5.2+dfsg-1_i386.deb d7ce377314ae0349fb2797124be6dfb0974c603168da0e8db61c9f2990b99487 258742 libshibsp-doc_2.5.2+dfsg-1_all.deb 07d798e1bcc2009c2decce5953df836cef24aa704a515133e83d418cffa2520f 26092 
shibboleth-sp2-schemas_2.5.2+dfsg-1_all.deb Files: 1a8e7ef48568f604a42bf7403c22bb43 2271 web extra shibboleth-sp2_2.5.2+dfsg-1.dsc 98edbfbb63ef36bc732c79ebb4a65313 567568 web extra shibboleth-sp2_2.5.2+dfsg.orig.tar.xz 6ced5a344bcc712c6059ae4ec77a74e3 23560 web extra shibboleth-sp2_2.5.2+dfsg-1.debian.tar.xz 43f709789c1be83bad8224c0b6052364 262532 httpd extra libapache2-mod-shib2_2.5.2+dfsg-1_i386.deb a15f76a4a077593be5ec61ab50252a34 813672 libs extra libshibsp6_2.5.2+dfsg-1_i386.deb 16d4045ee985e5779ed8269513af4a5e 50766 libdevel extra libshibsp-dev_2.5.2+dfsg-1_i386.deb fa5eee965442dae344791162e9057b99 258742 doc extra libshibsp-doc_2.5.2+dfsg-1_all.deb b37353b94119c9ae70f3050a895d68b1 26092 text extra shibboleth-sp2-schemas_2.5.2+dfsg-1_all.deb -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQEcBAEBCAAGBQJRwPOoAAoJEH2AMVxXNt51++AIAJK6lJuyFlqL96eCSt7i3Hdb YH8/AU9oVPcRy9JBfak3tlT0v+dzlQINOWJbow4oCVh/qhTm5HWVzDn+/D58Exsk qH40bdZ1pVqBQ24fw0Grhp1bTU5zYGMo7plAyxiNkRJI/Mk2XpYyASkh1F4Odgeq NLDQJXauM30s6daQ7z0n4qyEsleKsrKp8Qn0t+94q9dOXJXO65ReVrUXa41TlyQC b3qNw0hR1xWuGa41Q5T+2NrAjciU4Y/FVoyGmav1Y8B1ewRn1ztrc2K4JC1iitRU kmbQbGk6FZCcTqJkiKLpTb1/FLJARVmAcG+2kVmQNWVxZ+nR0HV9bpNFD3m+5+c= =6YCt -----END PGP SIGNATURE----- Thank you for your contribution to Debian. From noreply at release.debian.org Thu Jun 20 16:39:16 2013 From: noreply at release.debian.org (Debian testing watch) Date: Thu, 20 Jun 2013 16:39:16 +0000 Subject: xml-security-c 1.6.1-6 MIGRATED to testing Message-ID: FYI: The status of the xml-security-c source package in Debian's testing distribution has changed. Previous version: 1.6.1-5 Current version: 1.6.1-6 -- This email is automatically generated once a day. As the installation of new packages into testing happens multiple times a day you will receive later changes on the next day. See http://release.debian.org/testing-watch/ for more information. From ftpmaster at ftp-master.debian.org Thu Jun 20 22:17:05 2013 
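The 2.5.2 changelog above introduces Require shib-session and shib-user, ShibCompatValidUser for servers that mix Shibboleth with other authentication types, and (via README.Debian) AuthType None on URLs that must stay public. The configuration below puts those pieces side by side for Apache 2.4. It is an added example, not the package's README.Debian or the upstream sample configuration; the locations /secure, /secure/admin, /public and /admin, the principal alice@example.org and the htpasswd path are placeholders.

```apache
# Added example for Shibboleth SP 2.5.2 on Apache 2.4; paths are placeholders.

# Before 2.5.2 a Shibboleth-protected area was written as
#     AuthType shibboleth
#     ShibRequestSetting requireSession 1
#     Require valid-user
# which relied on mod_shib taking over the valid-user rule. Require
# shib-session asks the SP for a session explicitly instead.
<Location /secure>
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    Require shib-session
</Location>

# shib-user is the Shibboleth counterpart of "Require user": limit to
# named federated principals (matched against REMOTE_USER).
<Location /secure/admin>
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    Require shib-user alice@example.org
</Location>

# URLs that have to be available to everyone: AuthType None so that no
# authentication module, mod_shib included, runs for them.
<Location /public>
    AuthType None
    Require all granted
</Location>

# A non-Shibboleth method on the same server that still uses
# Require valid-user. Per the changelog, ShibCompatValidUser keeps
# valid-user and user working for non-Shibboleth authentication types;
# it is placed at server scope here (check the upstream
# NativeSPApacheConfig page for the contexts it accepts).
ShibCompatValidUser On
<Location /admin>
    AuthType Basic
    AuthName "Local admin"
    AuthBasicProvider file
    AuthUserFile /etc/apache2/admin.htpasswd
    Require valid-user
</Location>
```

The failure mode worth testing after an upgrade is the last block: without ShibCompatValidUser On, a Basic-auth location using Require valid-user on a server that also loads mod_shib can stop behaving as a plain Basic-auth check, so verify both the Shibboleth and the non-Shibboleth paths with a client that has no session.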
From: ftpmaster at ftp-master.debian.org (Debian FTP Masters) Date: Thu, 20 Jun 2013 22:17:05 +0000 Subject: xml-security-c_1.6.1-5+deb7u1_i386.changes ACCEPTED into proposed-updates->stable-new, proposed-updates Message-ID: Accepted: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Format: 1.8 Date: Mon, 17 Jun 2013 22:25:32 -0700 Source: xml-security-c Binary: libxml-security-c16 libxml-security-c-dev Architecture: source i386 Version: 1.6.1-5+deb7u1 Distribution: stable-security Urgency: high Maintainer: Debian Shib Team Changed-By: Russ Allbery Description: libxml-security-c-dev - C++ library for XML Digital Signatures (development) libxml-security-c16 - C++ library for XML Digital Signatures (runtime) Changes: xml-security-c (1.6.1-5+deb7u1) stable-security; urgency=high . * Apply upstream patch to fix a spoofing vulnerability that allows an attacker to reuse existing signatures with arbitrary content. (CVE-2013-2153) * Apply upstream patch to fix a stack overflow in the processing of malformed XPointer expressions in the XML Signature Reference processing code. (CVE-2013-2154) * Apply upstream patch to fix processing of the output length of an HMAC-based XML Signature that could cause a denial of service when processing specially chosen input. (CVE-2013-2155) * Apply upstream patch to fix a heap overflow in the processing of the PrefixList attribute optionally used in conjunction with Exclusive Canonicalization, potentially allowing arbitrary code execution. 
(CVE-2013-2156) Checksums-Sha1: 672c4fe4d84e7a242039fce066dd0e48270db1b8 1813 xml-security-c_1.6.1-5+deb7u1.dsc 239304659752eb214f3516b6c457c99f0e6467c7 864366 xml-security-c_1.6.1.orig.tar.gz e02663825c4d0a2fe7eec4213debf7ec4f394054 11874 xml-security-c_1.6.1-5+deb7u1.debian.tar.gz 58d74341079e57ef9f70e54c6507c1205716855c 375248 libxml-security-c16_1.6.1-5+deb7u1_i386.deb 50b76eba534719931db9a90ca71c70964b562cd9 151234 libxml-security-c-dev_1.6.1-5+deb7u1_i386.deb Checksums-Sha256: 30c8e9b3c4080a46128eaa1f180ffb923205c2be7787909a17d78a82b5cd9484 1813 xml-security-c_1.6.1-5+deb7u1.dsc 73931a55d6925a82416ea48f8d6f1b8ed591368e1dfc30574fe43904b7c62fcd 864366 xml-security-c_1.6.1.orig.tar.gz 92d65c29ca6c41c79261ded82d2678efb79981aff2e138f41643acb0bb475639 11874 xml-security-c_1.6.1-5+deb7u1.debian.tar.gz d094000713051e96172328fad12d450e3c994240b63032e92101e4c6b0e52f32 375248 libxml-security-c16_1.6.1-5+deb7u1_i386.deb 0014888e3a485f34986aeae43832a9a1c97b85f0bdff4fd8d14d1ca28c4a2127 151234 libxml-security-c-dev_1.6.1-5+deb7u1_i386.deb Files: 774319332f2f8881d79d18d99a407c84 1813 libs extra xml-security-c_1.6.1-5+deb7u1.dsc 808316c80a7453b6d50a0bceb7ebe9bc 864366 libs extra xml-security-c_1.6.1.orig.tar.gz 1395788da13ab0999ebdd2dfab74e73a 11874 libs extra xml-security-c_1.6.1-5+deb7u1.debian.tar.gz e7678e819e9f964c703e9961bc595f23 375248 libs extra libxml-security-c16_1.6.1-5+deb7u1_i386.deb eb14d6a5a5c59d0f111f5533c49118a5 151234 libdevel extra libxml-security-c-dev_1.6.1-5+deb7u1_i386.deb -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQEcBAEBCAAGBQJRv/CfAAoJEH2AMVxXNt51dIUH/20gzEXtzDU8F4zBjX53D7Rz 3m9BTjIfs4f0KldFSnj6JKSS3zxbTHWJy+8rHyjNq6xaw6pFEFeSRisxoI+JZTHp VNmKSFYG10hMauPtXHp0lEVsAYyxiRe55JdMv8VHXy1Q+wJf209ydwO0aKbabOti IVtGuAV87Vtauq+hluDGYMEU2iFWvC0F+StPyJS1StyqoCKBPN97ZvgdzHPQeTYh dDOEHoCjmXRW1iEyhXHd/gBI0Jb9jmjPKVdSOSy+4xBDZP3D6qGIDaXxMSvvPHmL FMvb2GCkCWkSX/GoHGg4usQThkxtHlU7KqSuZnT8jclZR+o9qGzlsKquEYCFHiA= =BSqf -----END PGP SIGNATURE----- 
Thank you for your contribution to Debian. From ftpmaster at ftp-master.debian.org Thu Jun 20 22:18:34 2013 
From: ftpmaster at ftp-master.debian.org (Debian FTP Masters) Date: Thu, 20 Jun 2013 22:18:34 +0000 Subject: xml-security-c_1.5.1-3+squeeze2_i386.changes ACCEPTED into oldstable-proposed-updates->oldstable-new, oldstable-proposed-updates Message-ID: Accepted: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Format: 1.8 Date: Mon, 17 Jun 2013 22:32:25 -0700 Source: xml-security-c Binary: libxml-security-c15 libxml-security-c-dev Architecture: source i386 Version: 1.5.1-3+squeeze2 Distribution: oldstable-security Urgency: high Maintainer: Debian Shib Team Changed-By: Russ Allbery Description: libxml-security-c-dev - C++ library for XML Digital Signatures (development) libxml-security-c15 - C++ library for XML Digital Signatures (runtime) Changes: xml-security-c (1.5.1-3+squeeze2) oldstable-security; urgency=high . * Apply upstream patch to fix a spoofing vulnerability that allows an attacker to reuse existing signatures with arbitrary content. (CVE-2013-2153) * Apply upstream patch to fix a stack overflow in the processing of malformed XPointer expressions in the XML Signature Reference processing code. (CVE-2013-2154) * Apply upstream patch to fix processing of the output length of an HMAC-based XML Signature that could cause a denial of service when processing specially chosen input. (CVE-2013-2155) * Apply upstream patch to fix a heap overflow in the processing of the PrefixList attribute optionally used in conjunction with Exclusive Canonicalization, potentially allowing arbitrary code execution. 
(CVE-2013-2156) Checksums-Sha1: 67c5be50327dc2e9116c9c769dee0e9eb9aeffc5 1670 xml-security-c_1.5.1-3+squeeze2.dsc 448c817fd7f23a7af95d8140c3acb873c4742ccd 11409 xml-security-c_1.5.1-3+squeeze2.diff.gz 56f6a0843ed407e7f1251fea0ffe55467531f767 353826 libxml-security-c15_1.5.1-3+squeeze2_i386.deb 440a28a29bbed621517031025dfb6fc2d8deeb7c 141818 libxml-security-c-dev_1.5.1-3+squeeze2_i386.deb Checksums-Sha256: c7d1e604f59223eb072c9afe44c541b7ef7fe284793335092ffa945aeaef5205 1670 xml-security-c_1.5.1-3+squeeze2.dsc 84a63e5ab73d1bb411ac13c37378321fa75aa99b6702293fffbee178bbd4865b 11409 xml-security-c_1.5.1-3+squeeze2.diff.gz a7f27e86e2699926ce4e77801190725939f2769b53e585f29167acfa361e6b88 353826 libxml-security-c15_1.5.1-3+squeeze2_i386.deb 9c245f62b344db23bf222dfe99ce82a42bc820ed72d0e054033919c5d4af8efb 141818 libxml-security-c-dev_1.5.1-3+squeeze2_i386.deb Files: 911c68dd89f18793c4cc50fc34b77efa 1670 libs extra xml-security-c_1.5.1-3+squeeze2.dsc b89ef9b4f5e5b7fbf3cc47d7d313fe99 11409 libs extra xml-security-c_1.5.1-3+squeeze2.diff.gz f2810505d4c302e9d3773ba57ad6bf76 353826 libs extra libxml-security-c15_1.5.1-3+squeeze2_i386.deb 433a487e2e0c68589971bc1f4b9b6d43 141818 libdevel extra libxml-security-c-dev_1.5.1-3+squeeze2_i386.deb -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQEcBAEBCAAGBQJRv/IIAAoJEH2AMVxXNt51jZsH/RVeZodvEArMO1CjyypWUGpI WW3aMHwjtiNJJUwMNP0LxMjFy23p6bsEDRN82nIPgvMAQc28VBLplrARwS3blYkS +ESCBAb0NTkSoLL4KGJh2c7j79b7U6idYkxfZBKvjzBElH+dMy19aNFZhTHeqVN4 AOuFP2uwrsT9ZqMLIo78+pWqA5DjDfGUwJ1zJhhEluAg/ezXXHCvoZsHXXeEGho4 60IBA8OoS3lABa9MbOhkMY+WowiO1pp8BS+YTovH2xSZNnnihyX+1g3Wrg194uCH gEwOqECDHdh4KXX9Cz1ePwGCP8gy4wyAVwf4m+xn1SHjVOrz9Gt0O3SUuA72YA8= =rajy -----END PGP SIGNATURE----- Thank you for your contribution to Debian. From rra at stanford.edu Sun Jun 23 22:05:46 2013 
From: rra at stanford.edu (Russ Allbery) Date: Sun, 23 Jun 2013 22:05:46 +0000 Subject: [SCM] log4shib Debian packaging branch, master, updated. debian/1.0.6-1-6-g5ce102f Message-ID: The following commit has been merged in the master branch: commit 3e71974bd176ed463d06f4a6d1a132f3e13a14a6 Merge: 2c8df896ad589359a03b9c9eb851c52d19b3fbda 150679a21778ad5ca29780febd6c4b2dc5ddd164 Author: Russ Allbery Date: Tue Jun 18 15:11:55 2013 -0700 Merge tag 'upstream/1.0.7' Upstream version 1.0.7 diff --combined configure.ac index 0cb4a65,36d981d..aad177f --- a/configure.ac 
+++ b/configure.ac @@@ -1,4 -1,4 +1,4 @@@ - AC_INIT(log4shib, 1.0.6) + AC_INIT(log4shib, 1.0.7) # autoconf 2.50 or higher to rebuild aclocal.m4, because the # AC_CREATE_PREFIX_CONFIG_H macro needs the AS_DIRNAME macro. @@@ -11,7 -11,7 +11,7 @@@ AC_PREREQ(2.50 # ? :+1 : ? == just some internal changes, nothing breaks but might work # better # CURRENT : REVISION : AGE - LT_VERSION=1:6:0 + LT_VERSION=1:7:0 AC_SUBST(LT_VERSION) @@@ -69,6 -69,29 +69,29 @@@ AC_LANG(C AC_CHECK_HEADERS([unistd.h]) AC_CHECK_HEADERS([io.h]) + + # Checks close-on-exec functionality + # ---------------------------------------------------------------------------- + AC_CHECK_DECL([O_CLOEXEC], + [AC_DEFINE([HAVE_O_CLOEXEC],[1],[Define to 1 if open supports O_CLOEXEC flag.])],, + [#include ]) + AC_CHECK_DECL([FD_CLOEXEC], + [AC_DEFINE([HAVE_FD_CLOEXEC],[1],[Define to 1 if fcntl supports FD_CLOEXEC flag.])],, + [#include ]) + AC_CACHE_CHECK([for SOCK_CLOEXEC support], [log_cv_sock_cloexec], + [AC_TRY_RUN([ + #include + #include + int main() + { + return socket(AF_INET, SOCK_STREAM|SOCK_CLOEXEC, 0) == -1; + }], [log_cv_sock_cloexec=yes], [log_cv_sock_cloexec=no], [log_cv_sock_cloexec=no])]) + + if test "$log_cv_sock_cloexec" = "yes"; then + AC_DEFINE([HAVE_SOCK_CLOEXEC], 1, [Define if the SOCK_CLOEXEC flag is supported]) + fi + + # Checks local idioms # ---------------------------------------------------------------------------- AC_C_INT64_T @@@ -145,6 -168,7 +168,6 @@@ include/Makefil include/log4shib/Makefile include/log4shib/threading/Makefile tests/Makefile -debian/Makefile msvc6/Makefile msvc6/log4shib/Makefile msvc6/log4shibDLL/Makefile -- log4shib Debian packaging From rra at stanford.edu Sun Jun 23 22:05:46 2013 
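Review bot: the SOCK_CLOEXEC probe in the new close-on-exec block (`AC_CACHE_CHECK([for SOCK_CLOEXEC support] ...`) sets `log_cv_sock_cloexec=no` in the fourth, cross-compiling branch of AC_TRY_RUN, so a cross-compiled build silently loses the flag even on a kernel that supports it, and AC_TRY_RUN is the obsolete spelling of AC_RUN_IFELSE. Consider AC_RUN_IFELSE with an AC_COMPILE_IFELSE fallback for the cross-compiling case, and note that the probe's `return socket(AF_INET, SOCK_STREAM|SOCK_CLOEXEC, 0) == -1;` reports "no" whenever socket() fails for any reason (for example in a sandboxed build that forbids socket creation), not only when the flag is rejected; checking for `errno == EINVAL` would distinguish the two, and the run-time EINVAL fallback in the code that uses HAVE_SOCK_CLOEXEC is still needed for a kernel older than the build host.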
From: rra at stanford.edu (Russ Allbery) Date: Sun, 23 Jun 2013 22:05:46 +0000 Subject: [SCM] log4shib Debian packaging branch, master, updated. debian/1.0.6-1-6-g5ce102f Message-ID: The following commit has been merged in the master branch: commit cbfec725230bbdb32b2d54b8d978c9d90c371775 Author: Russ Allbery Date: Tue Jun 18 15:14:10 2013 -0700 Add changelog for upstream 1.0.7 release diff --git a/debian/changelog b/debian/changelog index f4b7e72..eddce2c 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +log4shib (1.0.7-1) unstable; urgency=low + + * New upstream release. + - Mark log sockets close-on-exec. + + -- Russ Allbery Tue, 18 Jun 2013 15:14:06 -0700 + log4shib (1.0.6-1) unstable; urgency=low * New upstream release. -- log4shib Debian packaging From rra at stanford.edu Sun Jun 23 22:05:47 2013 From: rra at stanford.edu (Russ Allbery) Date: Sun, 23 Jun 2013 22:05:47 +0000 Subject: [SCM] log4shib Debian packaging branch, master, updated. debian/1.0.6-1-6-g5ce102f Message-ID: The following commit has been merged in the master branch: commit 5ce102f3f063163aa26b92d466428fc34452bac9 Author: Russ Allbery Date: Sun Jun 23 15:01:17 2013 -0700 Update release date for 1.0.7-1 diff --git a/debian/changelog b/debian/changelog index 8030307..87312d4 100644 --- a/debian/changelog +++ b/debian/changelog @@ -5,7 +5,7 @@ log4shib (1.0.7-1) unstable; urgency=low * Increase the buffer for the thread ID to handle platforms where a long is 64 bits. This should hopefully fix the FTBFS on ia64. - -- Russ Allbery Tue, 18 Jun 2013 16:02:09 -0700 + -- Russ Allbery Sun, 23 Jun 2013 15:01:10 -0700 log4shib (1.0.6-1) unstable; urgency=low -- log4shib Debian packaging From rra at stanford.edu Sun Jun 23 22:05:47 2013 
From: rra at stanford.edu (Russ Allbery) Date: Sun, 23 Jun 2013 22:05:47 +0000 Subject: [SCM] log4shib Debian packaging branch, pristine-tar, updated. cff28249990ab6e3e243c2f1e03da9f6a5f63c2c Message-ID: The following commit has been merged in the pristine-tar branch: commit cff28249990ab6e3e243c2f1e03da9f6a5f63c2c Author: Russ Allbery Date: Tue Jun 18 15:11:54 2013 -0700 pristine-tar data for log4shib_1.0.7.orig.tar.gz diff --git a/log4shib_1.0.7.orig.tar.gz.delta b/log4shib_1.0.7.orig.tar.gz.delta new file mode 100644 index 0000000..4e90711 Binary files /dev/null and b/log4shib_1.0.7.orig.tar.gz.delta differ diff --git a/log4shib_1.0.7.orig.tar.gz.id b/log4shib_1.0.7.orig.tar.gz.id new file mode 100644 index 0000000..b831e35 --- /dev/null +++ b/log4shib_1.0.7.orig.tar.gz.id @@ -0,0 +1 @@ +0ed519cb55e95fe8a8f6515f9e7f43b8334a13cf -- log4shib Debian packaging From rra at stanford.edu Sun Jun 23 22:05:46 2013 From: rra at stanford.edu (Russ Allbery) Date: Sun, 23 Jun 2013 22:05:46 +0000 Subject: [SCM] log4shib Debian packaging branch, master, updated. debian/1.0.6-1-6-g5ce102f Message-ID: The following commit has been merged in the master branch: commit 592f36778042f6bec64c9cacb1f466120e7ae7f7 Author: Russ Allbery Date: Tue Jun 18 16:01:29 2013 -0700 Increase the buffer for storing the pthread ID * Increase the buffer for the thread ID to handle platforms where a long is 64 bits. This should hopefully fix the FTBFS on ia64. diff --git a/debian/changelog b/debian/changelog index eddce2c..8030307 100644 --- a/debian/changelog +++ b/debian/changelog @@ -2,8 +2,10 @@ log4shib (1.0.7-1) unstable; urgency=low * New upstream release. - Mark log sockets close-on-exec. + * Increase the buffer for the thread ID to handle platforms where a long + is 64 bits. This should hopefully fix the FTBFS on ia64. - -- Russ Allbery Tue, 18 Jun 2013 15:14:06 -0700 + -- Russ Allbery Tue, 18 Jun 2013 16:02:09 -0700 log4shib (1.0.6-1) unstable; urgency=low 
diff --git a/src/PThreads.cpp b/src/PThreads.cpp index 334c89d..f862b51 100644 --- a/src/PThreads.cpp +++ b/src/PThreads.cpp @@ -6,8 +6,8 @@ namespace log4shib { namespace threading { std::string getThreadId() { - char buffer[16]; - ::sprintf(buffer, "%ld", pthread_self()); + char buffer[32]; + ::sprintf(buffer, "%ld", (long) pthread_self()); return std::string(buffer); } -- log4shib Debian packaging From rra at stanford.edu Sun Jun 23 22:05:52 2013 From: rra at stanford.edu (Russ Allbery) Date: Sun, 23 Jun 2013 22:05:52 +0000 Subject: [SCM] log4shib Debian packaging annotated tag, upstream/1.0.7, created. upstream/1.0.7 Message-ID: The annotated tag, upstream/1.0.7 has been created at cb50a32c008fba9370fdc080f26939912568f7a7 (tag) tagging 150679a21778ad5ca29780febd6c4b2dc5ddd164 (commit) replaces upstream/1.0.6 tagged by Russ Allbery on Tue Jun 18 15:11:54 2013 -0700 - Shortlog ------------------------------------------------------------ Upstream version 1.0.7 Russ Allbery (1): Imported Upstream version 1.0.7 ----------------------------------------------------------------------- -- log4shib Debian packaging From rra at stanford.edu Sun Jun 23 22:05:52 2013 
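Review bot: the cast `(long) pthread_self()` in getThreadId() assumes pthread_t is an integer that fits in a long, which POSIX does not promise (it may be a pointer or a struct on other platforms), and `::sprintf(buffer, "%ld", ...)` still writes without a bound. Prefer `snprintf(buffer, sizeof(buffer), "%lu", (unsigned long) pthread_self())`, which keeps the 32-byte buffer safe whatever the format and avoids a negative-looking ID when the handle has its top bit set; the larger buffer itself is fine, since a 64-bit long needs at most 21 characters including sign and terminator.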
From: rra at stanford.edu (Russ Allbery) Date: Sun, 23 Jun 2013 22:05:52 +0000 Subject: [SCM] log4shib Debian packaging annotated tag, debian/1.0.7-1, created. debian/1.0.7-1 Message-ID: The annotated tag, debian/1.0.7-1 has been created at 18dd500d8a9a71c387a2ffd2bcdb10357abf1626 (tag) tagging 5ce102f3f063163aa26b92d466428fc34452bac9 (commit) replaces debian/1.0.6-1 tagged by Russ Allbery on Sun Jun 23 15:05:19 2013 -0700 - Shortlog ------------------------------------------------------------ Debian release 1.0.7-1 Format: 1.8 Date: Sun, 23 Jun 2013 15:01:10 -0700 Source: log4shib Binary: liblog4shib1 liblog4shib-dev liblog4shib-doc Architecture: source i386 all Version: 1.0.7-1 Distribution: unstable Urgency: low Maintainer: Debian Shib Team Changed-By: Russ Allbery Description: liblog4shib-dev - log4j-style configurable logging library for C++ (development) liblog4shib-doc - log4j-style configurable logging library for C++ (API docs) liblog4shib1 - log4j-style configurable logging library for C++ (runtime) Changes: log4shib (1.0.7-1) unstable; urgency=low . * New upstream release. - Mark log sockets close-on-exec. * Increase the buffer for the thread ID to handle platforms where a long is 64 bits. This should hopefully fix the FTBFS on ia64. 
Checksums-Sha1: e61ffba556d5154115cb1a171e28e862480f3aa9 1208 log4shib_1.0.7-1.dsc 213832398a79f6279ecb38591096fa87d9520e00 572041 log4shib_1.0.7.orig.tar.gz 4190ecb8013ec11d2be973f379528cac8aa01452 8180 log4shib_1.0.7-1.debian.tar.xz edee9891141f71cbdb7e5d50df4386eccba15e02 80714 liblog4shib1_1.0.7-1_i386.deb c52662cc9377a20e57536e415e1f2ebd8c909931 118994 liblog4shib-dev_1.0.7-1_i386.deb b9ab297a7e1624d02579212e8a19e19fe0f43f87 11682272 liblog4shib-doc_1.0.7-1_all.deb Checksums-Sha256: 2f420130409bfe396cb5787bebb18fdcf7fcf4d0443dc39adfc3d780815b80a2 1208 log4shib_1.0.7-1.dsc bffc04065eed981b2e7cf2bd828d258bb89cfe450ecadfb11f6f555832b263ee 572041 log4shib_1.0.7.orig.tar.gz ad68a13b13d7d37be5c6dfa42bf5125a74147708b913d93cfb6485270aeb21a7 8180 log4shib_1.0.7-1.debian.tar.xz 4e7616fa973c0b88f4800728c7fa9714ec5297196ece0edcaa3ee4b9c93f1b36 80714 liblog4shib1_1.0.7-1_i386.deb 5bc70292624a545677e05247c263ff58702c8fa49c9d0c045b9de5f788bfee1c 118994 liblog4shib-dev_1.0.7-1_i386.deb 8f4e42bdaa8749c6f3e1068760bf8269ddd679e0ddff169790affc6926f4ec6b 11682272 liblog4shib-doc_1.0.7-1_all.deb Files: 28c8c2e828f862b7be092f57e9d2e65c 1208 libs extra log4shib_1.0.7-1.dsc bbe2d105ba7c2adb0ed7c97ac9a3766c 572041 libs extra log4shib_1.0.7.orig.tar.gz 974276759a39e8f6b18b0d65b08dcabd 8180 libs extra log4shib_1.0.7-1.debian.tar.xz f27a1d1480a5d90460e6cf13880f5806 80714 libs extra liblog4shib1_1.0.7-1_i386.deb 2a50118117a80822a054f975d1229763 118994 libdevel extra liblog4shib-dev_1.0.7-1_i386.deb 636339a50bd0b07707ed52552de689b1 11682272 doc extra liblog4shib-doc_1.0.7-1_all.deb -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQEcBAABCAAGBQJRx3EnAAoJEH2AMVxXNt512R4H/1YLLkbuHgK4/itI5ks/d7Lv APrrMzYAlDfzjOn0fIxO6qPluvC3KbM3w5/AFh8mG+3Ryi1GaJ73rJ+DWvzMvsLH qkypOdF04bf6IiQuuumB40TcT+SsLMx7jiWCMcPo2LDECWeOWupM0OTFL3TTrJCB 08/UXenY7vCOIC4RQvLnRUis5owkgPXBnLpn5ZqzhZct+rI5gBYqUBxlJJ6Mm5Z6 U4Aftq1ldiG35gDsE+0Z1uXyOPciZuntb0jLtc0xDilEGQeXOrFAU+clKcz/MYvg 
BvojJFLQxYLxxv7zVEvlll0YGuhIOOa8YNWnbhBSLy+GY3/KciW4K0Zys/j/TDM= =F9pf -----END PGP SIGNATURE----- Russ Allbery (6): Remove spurious configure.ac difference from upstream Imported Upstream version 1.0.7 Merge tag 'upstream/1.0.7' Add changelog for upstream 1.0.7 release Increase the buffer for storing the pthread ID Update release date for 1.0.7-1 ----------------------------------------------------------------------- -- log4shib Debian packaging From ftpmaster at ftp-master.debian.org Sun Jun 23 22:09:10 2013 From: ftpmaster at ftp-master.debian.org (Debian FTP Masters) Date: Sun, 23 Jun 2013 22:09:10 +0000 Subject: Processing of log4shib_1.0.7-1_i386.changes Message-ID: log4shib_1.0.7-1_i386.changes uploaded successfully to localhost along with the files: log4shib_1.0.7-1.dsc log4shib_1.0.7.orig.tar.gz log4shib_1.0.7-1.debian.tar.xz liblog4shib1_1.0.7-1_i386.deb liblog4shib-dev_1.0.7-1_i386.deb liblog4shib-doc_1.0.7-1_all.deb Greetings, Your Debian queue daemon (running on host franck.debian.org) From ftpmaster at ftp-master.debian.org Sun Jun 23 22:19:58 2013 
From: ftpmaster at ftp-master.debian.org (Debian FTP Masters) Date: Sun, 23 Jun 2013 22:19:58 +0000 Subject: log4shib_1.0.7-1_i386.changes ACCEPTED into unstable Message-ID: Accepted: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Format: 1.8 Date: Sun, 23 Jun 2013 15:01:10 -0700 Source: log4shib Binary: liblog4shib1 liblog4shib-dev liblog4shib-doc Architecture: source i386 all Version: 1.0.7-1 Distribution: unstable Urgency: low Maintainer: Debian Shib Team Changed-By: Russ Allbery Description: liblog4shib-dev - log4j-style configurable logging library for C++ (development) liblog4shib-doc - log4j-style configurable logging library for C++ (API docs) liblog4shib1 - log4j-style configurable logging library for C++ (runtime) Changes: log4shib (1.0.7-1) unstable; urgency=low . * New upstream release. - Mark log sockets close-on-exec. * Increase the buffer for the thread ID to handle platforms where a long is 64 bits. This should hopefully fix the FTBFS on ia64. Checksums-Sha1: 43528f98258f34342ab74139f0231501668cf003 1748 log4shib_1.0.7-1.dsc 213832398a79f6279ecb38591096fa87d9520e00 572041 log4shib_1.0.7.orig.tar.gz 4190ecb8013ec11d2be973f379528cac8aa01452 8180 log4shib_1.0.7-1.debian.tar.xz edee9891141f71cbdb7e5d50df4386eccba15e02 80714 liblog4shib1_1.0.7-1_i386.deb c52662cc9377a20e57536e415e1f2ebd8c909931 118994 liblog4shib-dev_1.0.7-1_i386.deb b9ab297a7e1624d02579212e8a19e19fe0f43f87 11682272 liblog4shib-doc_1.0.7-1_all.deb Checksums-Sha256: 7d99fc03ddcf45df6ec21672ecb16faa0ffcb24f2b0bfb7b587b379f3ab02f44 1748 log4shib_1.0.7-1.dsc bffc04065eed981b2e7cf2bd828d258bb89cfe450ecadfb11f6f555832b263ee 572041 log4shib_1.0.7.orig.tar.gz ad68a13b13d7d37be5c6dfa42bf5125a74147708b913d93cfb6485270aeb21a7 8180 log4shib_1.0.7-1.debian.tar.xz 4e7616fa973c0b88f4800728c7fa9714ec5297196ece0edcaa3ee4b9c93f1b36 80714 liblog4shib1_1.0.7-1_i386.deb 5bc70292624a545677e05247c263ff58702c8fa49c9d0c045b9de5f788bfee1c 118994 liblog4shib-dev_1.0.7-1_i386.deb 
8f4e42bdaa8749c6f3e1068760bf8269ddd679e0ddff169790affc6926f4ec6b 11682272 liblog4shib-doc_1.0.7-1_all.deb Files: 27a7fd2de4a038280d304fb9727b85cd 1748 libs extra log4shib_1.0.7-1.dsc bbe2d105ba7c2adb0ed7c97ac9a3766c 572041 libs extra log4shib_1.0.7.orig.tar.gz 974276759a39e8f6b18b0d65b08dcabd 8180 libs extra log4shib_1.0.7-1.debian.tar.xz f27a1d1480a5d90460e6cf13880f5806 80714 libs extra liblog4shib1_1.0.7-1_i386.deb 2a50118117a80822a054f975d1229763 118994 libdevel extra liblog4shib-dev_1.0.7-1_i386.deb 636339a50bd0b07707ed52552de689b1 11682272 doc extra liblog4shib-doc_1.0.7-1_all.deb -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQEcBAEBCAAGBQJRx3FHAAoJEH2AMVxXNt51LJcIALbJsO3wetD4yTEgfVl0pNz+ jWwb9QD3A1NDbiXuqSJW7bTlO+AgcEIHTvr1WlkZVM1LqgP/+uKTqu1U3fZIHegW H1YxFTxPAp0vQ+PqqUHKdqEVscU/7BpCeQEV+pis0/nAGOeNO0ucr2OPyB9SRaYw d4jkya9dupXtlWySuCL5ujZRrarrlLXJF6b20Hs5jGXTJt6CkzwOzacpVHFJlqPv Hym1Lxf93Y4PtWjMMYjoRGeOebMjG0wh+bi1rexf9ZuWyu+Cv5BleAzD4SvfJXaO ldkDZjOxNUNkMqC015F0DpJYQsKOtoJcQnns8jZ3AbGnF8lSmC46X3nsYosT7Ak= =JknS -----END PGP SIGNATURE----- Thank you for your contribution to Debian. From ftpmaster at ftp-master.debian.org Mon Jun 24 11:17:47 2013 
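Two items in this archive are the same fix: the Shibboleth SP 2.5.2 changelog's "Avoid leaking shibd sockets to child processes" and log4shib 1.0.7's "Mark log sockets close-on-exec", for which the configure.ac commit above probes O_CLOEXEC, FD_CLOEXEC and SOCK_CLOEXEC. A descriptor without the close-on-exec flag survives exec() in any child the server spawns (a CGI, a helper script), which hands that child a live connection to shibd or to the log sink. The C below is an added example, not code from log4shib or the Shibboleth SP: it creates a socket with SOCK_CLOEXEC where the headers and kernel support it, falls back to fcntl(FD_CLOEXEC) with an EINVAL check for an older kernel, and offers a checker for the flag. The function names are mine.

```c
/* Added example (not log4shib or Shibboleth SP code): sockets that are not
 * inherited across exec(), with the fallbacks the configure checks select. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Returns 1 if fd carries FD_CLOEXEC, 0 if it does not, -1 (errno set)
 * if fd is not a valid descriptor. */
int fd_is_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags == -1)
        return -1;
    return (flags & FD_CLOEXEC) ? 1 : 0;
}

/* Marks an already-open descriptor close-on-exec. Between the socket()
 * call and this fcntl() another thread may fork()+exec(), and that child
 * inherits the descriptor; that window is why SOCK_CLOEXEC is preferred. */
int set_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags == -1)
        return -1;
    if (flags & FD_CLOEXEC)
        return 0;
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/* Creates a socket that exec()'d children will not inherit: atomically
 * with SOCK_CLOEXEC when available, otherwise socket() + set_cloexec(). */
int open_private_socket(int domain, int type)
{
    int fd;
#ifdef SOCK_CLOEXEC
    fd = socket(domain, type | SOCK_CLOEXEC, 0);
    if (fd != -1)
        return fd;
    /* A kernel older than the headers rejects the flag with EINVAL;
     * any other failure is a real error. */
    if (errno != EINVAL)
        return -1;
#endif
    fd = socket(domain, type, 0);
    if (fd == -1)
        return -1;
    if (set_cloexec(fd) == -1) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}

int main(void)
{
    int leaky = socket(AF_UNIX, SOCK_STREAM, 0);        /* the "before" case */
    int safe = open_private_socket(AF_UNIX, SOCK_STREAM);
    if (leaky == -1 || safe == -1) {
        perror("socket");
        return 1;
    }
    printf("plain socket   fd=%d cloexec=%d\n", leaky, fd_is_cloexec(leaky));
    printf("private socket fd=%d cloexec=%d\n", safe, fd_is_cloexec(safe));
    /* After exec() in a child, only `leaky` would still be open there. */
    close(leaky);
    close(safe);
    return 0;
}
```

The same pattern applies to descriptors obtained from accept() and open(): accept4() with SOCK_CLOEXEC and open() with O_CLOEXEC are the atomic forms, and set_cloexec() is the repair for a descriptor a library handed back without the flag.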
From: ftpmaster at ftp-master.debian.org (Debian FTP Masters) Date: Mon, 24 Jun 2013 11:17:47 +0000 Subject: xml-security-c_1.6.1-5+deb7u1~bpo60+1_i386.changes ACCEPTED into squeeze-backports->backports-policy, squeeze-backports Message-ID: Accepted: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Format: 1.8 Date: Tue, 18 Jun 2013 10:39:10 -0700 Source: xml-security-c Binary: libxml-security-c16 libxml-security-c-dev Architecture: source i386 Version: 1.6.1-5+deb7u1~bpo60+1 Distribution: squeeze-backports Urgency: high Maintainer: Debian Shib Team Changed-By: Russ Allbery Description: libxml-security-c-dev - C++ library for XML Digital Signatures (development) libxml-security-c16 - C++ library for XML Digital Signatures (runtime) Closes: 656658 Changes: xml-security-c (1.6.1-5+deb7u1~bpo60+1) squeeze-backports; urgency=high . * Backport to oldstable. * Revert the change to use multiarch and force a non-multiarch libdir. * Relax versioned dependency on libssl-dev to build on squeeze. . xml-security-c (1.6.1-5+deb7u1) stable-security; urgency=high . * Apply upstream patch to fix a spoofing vulnerability that allows an attacker to reuse existing signatures with arbitrary content. (CVE-2013-2153) * Apply upstream patch to fix a stack overflow in the processing of malformed XPointer expressions in the XML Signature Reference processing code. (CVE-2013-2154) * Apply upstream patch to fix processing of the output length of an HMAC-based XML Signature that could cause a denial of service when processing specially chosen input. (CVE-2013-2155) * Apply upstream patch to fix a heap overflow in the processing of the PrefixList attribute optionally used in conjunction with Exclusive Canonicalization, potentially allowing arbitrary code execution. (CVE-2013-2156) . xml-security-c (1.6.1-5) unstable; urgency=low . * Revert changes to add symbols file. 
     Due to churn in weak symbols for inlined functions, it doesn't appear
     maintainable with existing tools, and for this library the shlibs
     behavior seems sufficient.
   * Minor update to the format of the debian/copyright file.
 .
 xml-security-c (1.6.1-4) unstable; urgency=low
 .
   * Update symbols files for all non-i386 architectures currently built
     by the buildds except mipsel (which will hopefully be the same as
     mips).
   * Build-Depend on pkg-kde-tools and use its symbolhelper plugin so that
     the package can use the output of pkgkde-symbolshelper.
 .
 xml-security-c (1.6.1-3) unstable; urgency=low
 .
   * Also enable bindnow hardening build flags and use the correct syntax
     to add additional hardening flags.
   * Add symbols file constructed with pkgkde-symbolshelper. Add a
     README.source file with a pointer to the documentation.
 .
 xml-security-c (1.6.1-2) unstable; urgency=low
 .
   * Update to debhelper compatibility level V9.
     - Enable hardening build flags. (Closes: #656658)
     - Enable multiarch support.
Thank you for your contribution to Debian.

From rra at stanford.edu Tue Jun 25 23:25:09 2013
From: rra at stanford.edu (Russ Allbery)
Date: Tue, 25 Jun 2013 23:25:09 +0000
Subject: [SCM] log4shib Debian packaging branch, master, updated. debian/1.0.7-1-4-g005c022

The following commit has been merged in the master branch:
commit ebfeb590b23d90b2d72f2a23d64d068099c350b5
Merge: 5ce102f3f063163aa26b92d466428fc34452bac9 7a6bff033e404893ee31e13ea7a54703b651d0c2
Author: Russ Allbery
Date:   Tue Jun 25 15:59:05 2013 -0700

    Merge tag 'upstream/1.0.8'

    Upstream version 1.0.8

    Conflicts:
        src/PThreads.cpp

diff --combined configure.ac
index aad177f,f7157da..f372944
--- a/configure.ac
+++ b/configure.ac
@@@ -1,4 -1,4 +1,4 @@@ - AC_INIT(log4shib, 1.0.7) + AC_INIT(log4shib, 1.0.8) # autoconf 2.50 or higher to rebuild aclocal.m4, because the # AC_CREATE_PREFIX_CONFIG_H macro needs the AS_DIRNAME macro.
@@@ -11,7 -11,7 +11,7 @@@ AC_PREREQ(2.50 # ? :+1 : ? == just some internal changes, nothing breaks but might work # better # CURRENT : REVISION : AGE - LT_VERSION=1:7:0 + LT_VERSION=1:8:0 AC_SUBST(LT_VERSION)
@@@ -168,6 -168,7 +168,6 @@@ include/Makefil include/log4shib/Makefile include/log4shib/threading/Makefile tests/Makefile -debian/Makefile msvc6/Makefile msvc6/log4shib/Makefile msvc6/log4shibDLL/Makefile

-- log4shib Debian packaging

From rra at stanford.edu Tue Jun 25 23:25:10 2013
From: rra at stanford.edu (Russ Allbery)
Date: Tue, 25 Jun 2013 23:25:10 +0000
Subject: [SCM] log4shib Debian packaging branch, master, updated. debian/1.0.7-1-4-g005c022

The following commit has been merged in the master branch:
commit 005c022e0fb91c6a9caf6ae83b6858d163b6d869
Author: Russ Allbery
Date:   Tue Jun 25 16:11:56 2013 -0700

    Move doxygen and graphviz to Build-Depends-Indep

    * Move doxygen and graphviz to Build-Depends-Indep now that the buildds
      have proper arch-specific build support. The upstream build system
      should automatically decline to build the documentation if those
      packages aren't installed.

diff --git a/debian/changelog b/debian/changelog
index e92fe2f..8524406 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -2,8 +2,12 @@ log4shib (1.0.8-1) unstable; urgency=low * New upstream release. - Use upstream fix for converting the thread ID to a string. + * Move doxygen and graphviz to Build-Depends-Indep now that the buildds + have proper arch-specific build support. The upstream build system + should automatically decline to build the documentation if those + packages aren't installed. - -- Russ Allbery Tue, 25 Jun 2013 16:00:04 -0700 + -- Russ Allbery Tue, 25 Jun 2013 16:11:47 -0700 log4shib (1.0.7-1) unstable; urgency=low
diff --git a/debian/control b/debian/control
index 286097b..e46c657 100644
--- a/debian/control
+++ b/debian/control
@@ -3,7 +3,8 @@ Section: libs Priority: extra Maintainer: Debian Shib Team Uploaders: Russ Allbery -Build-Depends: debhelper (>= 9), dh-autoreconf, doxygen, graphviz, perl +Build-Depends: debhelper (>= 9), dh-autoreconf, perl +Build-Depends-Indep: doxygen, graphviz Standards-Version: 3.9.4 Homepage: https://wiki.shibboleth.net/confluence/display/OpenSAML/log4shib Vcs-Git: git://anonscm.debian.org/pkg-shibboleth/log4shib.git

-- log4shib Debian packaging

From rra at stanford.edu Tue Jun 25 23:25:09 2013
From: rra at stanford.edu (Russ Allbery)
Date: Tue, 25 Jun 2013 23:25:09 +0000
Subject: [SCM] log4shib Debian packaging branch, master, updated. debian/1.0.7-1-4-g005c022

The following commit has been merged in the master branch:
commit 0534ce8277586c40ef6aa6657f7c8cd863b5544c
Author: Russ Allbery
Date:   Tue Jun 25 16:00:10 2013 -0700

    Add changelog for upstream 1.0.8 release

diff --git a/debian/changelog b/debian/changelog
index 87312d4..e92fe2f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@ +log4shib (1.0.8-1) unstable; urgency=low + + * New upstream release. + - Use upstream fix for converting the thread ID to a string. + + -- Russ Allbery Tue, 25 Jun 2013 16:00:04 -0700 + log4shib (1.0.7-1) unstable; urgency=low * New upstream release.

-- log4shib Debian packaging

From rra at stanford.edu Tue Jun 25 23:25:10 2013
From: rra at stanford.edu (Russ Allbery)
Date: Tue, 25 Jun 2013 23:25:10 +0000
Subject: [SCM] log4shib Debian packaging branch, pristine-tar, updated. f15163c2bb9fa8b9dca090f137e110c3aade6c70

The following commit has been merged in the pristine-tar branch:
commit f15163c2bb9fa8b9dca090f137e110c3aade6c70
Author: Russ Allbery
Date:   Tue Jun 25 15:58:36 2013 -0700

    pristine-tar data for log4shib_1.0.8.orig.tar.gz
diff --git a/log4shib_1.0.8.orig.tar.gz.delta b/log4shib_1.0.8.orig.tar.gz.delta
new file mode 100644
index 0000000..1ebf45e
Binary files /dev/null and b/log4shib_1.0.8.orig.tar.gz.delta differ
diff --git a/log4shib_1.0.8.orig.tar.gz.id b/log4shib_1.0.8.orig.tar.gz.id
new file mode 100644
index 0000000..8381be7
--- /dev/null
+++ b/log4shib_1.0.8.orig.tar.gz.id
@@ -0,0 +1 @@ +918d85cd7bb0a55c0f08117a832bad069f1a87db

-- log4shib Debian packaging

From rra at stanford.edu Tue Jun 25 23:25:17 2013
From: rra at stanford.edu (Russ Allbery)
Date: Tue, 25 Jun 2013 23:25:17 +0000
Subject: [SCM] log4shib Debian packaging annotated tag, upstream/1.0.8, created. upstream/1.0.8

The annotated tag, upstream/1.0.8 has been created
        at  31568d2455947818e9b8ea7d15e9c7a88382d8a9 (tag)
   tagging  7a6bff033e404893ee31e13ea7a54703b651d0c2 (commit)
  replaces  upstream/1.0.7
 tagged by  Russ Allbery
        on  Tue Jun 25 15:58:36 2013 -0700

- Shortlog ------------------------------------------------------------
Upstream version 1.0.8

Russ Allbery (1):
      Imported Upstream version 1.0.8

-----------------------------------------------------------------------

-- log4shib Debian packaging

From rra at stanford.edu Tue Jun 25 23:25:17 2013
From: rra at stanford.edu (Russ Allbery)
Date: Tue, 25 Jun 2013 23:25:17 +0000
Subject: [SCM] log4shib Debian packaging annotated tag, debian/1.0.8-1, created. debian/1.0.8-1

The annotated tag, debian/1.0.8-1 has been created
        at  be901e7b1c5ec7d5db4a2350ac8d6e7edbd40ca4 (tag)
   tagging  005c022e0fb91c6a9caf6ae83b6858d163b6d869 (commit)
  replaces  debian/1.0.7-1
 tagged by  Russ Allbery
        on  Tue Jun 25 16:24:42 2013 -0700

- Shortlog ------------------------------------------------------------
Debian release 1.0.8-1

Format: 1.8
Date: Tue, 25 Jun 2013 16:11:47 -0700
Source: log4shib
Binary: liblog4shib1 liblog4shib-dev liblog4shib-doc
Architecture: source i386 all
Version: 1.0.8-1
Distribution: unstable
Urgency: low
Maintainer: Debian Shib Team
Changed-By: Russ Allbery
Description:
 liblog4shib-dev - log4j-style configurable logging library for C++ (development)
 liblog4shib-doc - log4j-style configurable logging library for C++ (API docs)
 liblog4shib1 - log4j-style configurable logging library for C++ (runtime)
Changes:
 log4shib (1.0.8-1) unstable; urgency=low
 .
   * New upstream release.
     - Use upstream fix for converting the thread ID to a string.
   * Move doxygen and graphviz to Build-Depends-Indep now that the buildds
     have proper arch-specific build support. The upstream build system
     should automatically decline to build the documentation if those
     packages aren't installed.
Russ Allbery (4):
      Imported Upstream version 1.0.8
      Merge tag 'upstream/1.0.8'
      Add changelog for upstream 1.0.8 release
      Move doxygen and graphviz to Build-Depends-Indep

-----------------------------------------------------------------------

-- log4shib Debian packaging

From ftpmaster at ftp-master.debian.org Tue Jun 25 23:27:36 2013
From: ftpmaster at ftp-master.debian.org (Debian FTP Masters)
Date: Tue, 25 Jun 2013 23:27:36 +0000
Subject: Processing of log4shib_1.0.8-1_i386.changes

log4shib_1.0.8-1_i386.changes uploaded successfully to localhost
along with the files:
  log4shib_1.0.8-1.dsc
  log4shib_1.0.8.orig.tar.gz
  log4shib_1.0.8-1.debian.tar.xz
  liblog4shib1_1.0.8-1_i386.deb
  liblog4shib-dev_1.0.8-1_i386.deb
  liblog4shib-doc_1.0.8-1_all.deb

Greetings,

        Your Debian queue daemon (running on host franck.debian.org)

From ftpmaster at ftp-master.debian.org Tue Jun 25 23:33:15 2013
From: ftpmaster at ftp-master.debian.org (Debian FTP Masters)
Date: Tue, 25 Jun 2013 23:33:15 +0000
Subject: log4shib_1.0.8-1_i386.changes ACCEPTED into unstable

Accepted:

Format: 1.8
Date: Tue, 25 Jun 2013 16:11:47 -0700
Source: log4shib
Binary: liblog4shib1 liblog4shib-dev liblog4shib-doc
Architecture: source i386 all
Version: 1.0.8-1
Distribution: unstable
Urgency: low
Maintainer: Debian Shib Team
Changed-By: Russ Allbery
Description:
 liblog4shib-dev - log4j-style configurable logging library for C++ (development)
 liblog4shib-doc - log4j-style configurable logging library for C++ (API docs)
 liblog4shib1 - log4j-style configurable logging library for C++ (runtime)
Changes:
 log4shib (1.0.8-1) unstable; urgency=low
 .
   * New upstream release.
     - Use upstream fix for converting the thread ID to a string.
   * Move doxygen and graphviz to Build-Depends-Indep now that the buildds
     have proper arch-specific build support. The upstream build system
     should automatically decline to build the documentation if those
     packages aren't installed.
Thank you for your contribution to Debian.

From carnil at debian.org Thu Jun 27 07:01:26 2013
From: carnil at debian.org (Salvatore Bonaccorso)
Date: Thu, 27 Jun 2013 09:01:26 +0200
Subject: Bug#714241: xml-security-c: CVE-2013-2210
Message-ID: <20130627070126.5451.9078.reportbug@elende.valinor.li>

Package: xml-security-c
Severity: grave
Tags: security patch
Justification: user security hole

Hi Russ,

the following vulnerability was published for xml-security-c. It looks
like the fix for CVE-2013-2154 introduced the possibility of a heap
overflow.

CVE-2013-2210[0]:
heap overflow during XPointer evaluation

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2210
    http://security-tracker.debian.org/tracker/CVE-2013-2210
[1] http://santuario.apache.org/secadv.data/CVE-2013-2210.txt
[2] http://svn.apache.org/viewvc?view=revision&revision=r1496703

Could you double check this, and prepare packages for squeeze and wheezy
too?

Regards,
Salvatore

From rra at debian.org Thu Jun 27 17:26:24 2013
From: rra at debian.org (Russ Allbery)
Date: Thu, 27 Jun 2013 10:26:24 -0700
Subject: Bug#714241: xml-security-c: CVE-2013-2210
In-Reply-To: <20130627070126.5451.9078.reportbug@elende.valinor.li> (Salvatore Bonaccorso's message of "Thu, 27 Jun 2013 09:01:26 +0200")
References: <20130627070126.5451.9078.reportbug@elende.valinor.li>
Message-ID: <871u7n1n3z.fsf@windlord.stanford.edu>

Salvatore Bonaccorso writes:

> the following vulnerability was published for xml-security-c. It looks
> the fix for CVE-2013-2154 introduced the possibility of a heap overflow.

> CVE-2013-2210[0]:
> heap overflow during XPointer evaluation

Yeah, thanks -- working on this today. I was going to work on it
yesterday but then something else I was working on didn't go as planned.

--
Russ Allbery (rra at debian.org)

From ftpmaster at ftp-master.debian.org Thu Jun 27 20:26:56 2013
From: ftpmaster at ftp-master.debian.org (Debian FTP Masters)
Date: Thu, 27 Jun 2013 20:26:56 +0000
Subject: Processing of xml-security-c_1.7.2-1_i386.changes

xml-security-c_1.7.2-1_i386.changes uploaded successfully to localhost
along with the files:
  xml-security-c_1.7.2-1.dsc
  xml-security-c_1.7.2.orig.tar.gz
  xml-security-c_1.7.2-1.debian.tar.xz
  libxml-security-c17_1.7.2-1_i386.deb
  libxml-security-c-dev_1.7.2-1_i386.deb
  xml-security-c-utils_1.7.2-1_i386.deb

Greetings,

        Your Debian queue daemon (running on host franck.debian.org)

From rra at debian.org Thu Jun 27 20:53:27 2013
From: rra at debian.org (Russ Allbery)
Date: Thu, 27 Jun 2013 20:53:27 +0000
Subject: [SCM] Debian packaging for XML-Security-C branch, master, updated. debian/1.7.1-1-5-g071f1b6

The following commit has been merged in the master branch:
commit a866e3bc4548b6a50fc1ac4bc8e481094e5cd98c
Merge: bbed522d0c134a702188b4a58dd4ef97c6ea6256 fb529b476e4fb5544134b1223cb9102a25705790
Author: Russ Allbery
Date:   Thu Jun 27 12:49:50 2013 -0700

    Merge tag 'upstream/1.7.2'

    Upstream version 1.7.2

diff --combined xsec/Makefile.am
index 442069d,7c48495..850ce94
--- a/xsec/Makefile.am
+++ b/xsec/Makefile.am
@@@ -69,42 -69,42 +69,42 @@@ tools # xtest -tools += xtest -xtest_SOURCES = \ +tools += xsec-xtest +xsec_xtest_SOURCES = \ tools/xtest/xtest.cpp -tools += c14n -c14n_SOURCES = \ +tools += xsec-c14n +xsec_c14n_SOURCES = \ tools/c14n/c14n.cpp -tools += checksig -checksig_SOURCES = \ +tools += xsec-checksig +xsec_checksig_SOURCES = \ tools/checksig/checksig.cpp \ tools/checksig/AnonymousResolver.hpp \ tools/checksig/AnonymousResolver.cpp \ tools/checksig/InteropResolver.hpp \ tools/checksig/InteropResolver.cpp -tools += templatesign -templatesign_SOURCES = \ +tools += xsec-templatesign +xsec_templatesign_SOURCES = \ tools/templatesign/templatesign.cpp -tools += txfmout -txfmout_SOURCES = \ +tools += xsec-txfmout +xsec_txfmout_SOURCES = \ tools/txfmout/txfmout.cpp -tools += siginf -siginf_SOURCES = \ +tools += xsec-siginf +xsec_siginf_SOURCES = \ tools/siginf/siginf.cpp -tools += cipher -cipher_SOURCES = \ +tools += xsec-cipher +xsec_cipher_SOURCES = \ tools/cipher/cipher.cpp \ tools/cipher/XencInteropResolver.hpp \ tools/cipher/XencInteropResolver.cpp -tools += xklient -xklient_SOURCES = \ +tools += xsec-xklient +xsec_xklient_SOURCES = \ tools/xklient/xklient.cpp
@@@ -590,7 -590,7 +590,7 @@@ nss_sources = # # Now the library specific build items # - libxml_security_c_la_LDFLAGS = -version-info 17:1:0 + libxml_security_c_la_LDFLAGS = -version-info 17:2:0 install-exec-hook: for la in $(lib_LTLIBRARIES) ; do rm -f $(DESTDIR)$(libdir)/$$la ; done

-- Debian packaging for XML-Security-C

From rra at debian.org Thu Jun 27 20:53:27 2013
From: rra at debian.org (Russ Allbery)
Date: Thu, 27 Jun 2013 20:53:27 +0000
Subject: [SCM] Debian packaging for XML-Security-C branch, master, updated. debian/1.7.1-1-5-g071f1b6

The following commit has been merged in the master branch:
commit 1e15db8da40083a1792d6748c4a09d4ba9bd5e49
Author: Russ Allbery
Date:   Thu Jun 27 12:51:48 2013 -0700

    Add changelog for upstream 1.7.2 release
diff --git a/debian/changelog b/debian/changelog
index 096fab3..28b6c41 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,14 @@ +xml-security-c (1.7.2-1) UNRELEASED; urgency=high + + * New upstream release. + - The attempted fix to address CVE-2013-2154 introduced the + possibility of a heap overflow, possibly leading to arbitrary code + execution, in the processing of malformed XPointer expressions in + the XML Signature Reference processing code. Fix that heap + overflow. (CVE-2013-2210) + + -- Russ Allbery Thu, 27 Jun 2013 12:52:06 -0700 + xml-security-c (1.7.1-1) experimental; urgency=high * New upstream release.

-- Debian packaging for XML-Security-C

From rra at debian.org Thu Jun 27 20:53:27 2013
From: rra at debian.org (Russ Allbery)
Date: Thu, 27 Jun 2013 20:53:27 +0000
Subject: [SCM] Debian packaging for XML-Security-C branch, master, updated. debian/1.7.1-1-5-g071f1b6

The following commit has been merged in the master branch:
commit 94d90ae981b05837ad246cdf4c8fecdae2f93e17
Author: Russ Allbery
Date:   Thu Jun 27 13:01:47 2013 -0700

    Finalize changes for 1.7.2-1

diff --git a/debian/changelog b/debian/changelog
index 28b6c41..c24cb32 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,4 +1,4 @@ -xml-security-c (1.7.2-1) UNRELEASED; urgency=high +xml-security-c (1.7.2-1) experimental; urgency=high * New upstream release. - The attempted fix to address CVE-2013-2154 introduced the
@@ -7,7 +7,7 @@ xml-security-c (1.7.2-1) UNRELEASED; urgency=high the XML Signature Reference processing code. Fix that heap overflow. (CVE-2013-2210) - -- Russ Allbery Thu, 27 Jun 2013 12:52:06 -0700 + -- Russ Allbery Thu, 27 Jun 2013 13:00:54 -0700 xml-security-c (1.7.1-1) experimental; urgency=high

-- Debian packaging for XML-Security-C

From rra at debian.org Thu Jun 27 20:53:27 2013
From: rra at debian.org (Russ Allbery)
Date: Thu, 27 Jun 2013 20:53:27 +0000
Subject: [SCM] Debian packaging for XML-Security-C branch, master, updated. debian/1.7.1-1-5-g071f1b6

The following commit has been merged in the master branch:
commit 071f1b6af9fff1d57218bf1b5e58ddf0b0d1acb9
Author: Russ Allbery
Date:   Thu Jun 27 13:14:02 2013 -0700

    Add bug closer for 1.7.2-1 upload

diff --git a/debian/changelog b/debian/changelog
index c24cb32..9f31663 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -5,7 +5,7 @@ xml-security-c (1.7.2-1) experimental; urgency=high possibility of a heap overflow, possibly leading to arbitrary code execution, in the processing of malformed XPointer expressions in the XML Signature Reference processing code. Fix that heap - overflow. (CVE-2013-2210) + overflow. (Closes: #714241, CVE-2013-2210) -- Russ Allbery Thu, 27 Jun 2013 13:00:54 -0700

-- Debian packaging for XML-Security-C

From rra at debian.org Thu Jun 27 20:53:26 2013
From: rra at debian.org (Russ Allbery)
Date: Thu, 27 Jun 2013 20:53:26 +0000
Subject: [SCM] Debian packaging for XML-Security-C branch, jessie, updated. debian/1.6.1-6-1-gf9f730c

The following commit has been merged in the jessie branch:
commit f9f730ceedd3d4867eb23324080a68201da8fd75
Author: Russ Allbery
Date:   Thu Jun 27 13:45:14 2013 -0700

    Apply upstream patch for heap overflow (CVE-2013-2210)

    * The attempted fix to address CVE-2013-2154 introduced the possibility
      of a heap overflow, possibly leading to arbitrary code execution, in
      the processing of malformed XPointer expressions in the XML Signature
      Reference processing code. Apply upstream patch to fix that heap
      overflow. (Closes: #714241, CVE-2013-2210)

diff --git a/debian/changelog b/debian/changelog
index 350017f..6895f69 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,13 @@ +xml-security-c (1.6.1-7) unstable; urgency=high + + * The attempted fix to address CVE-2013-2154 introduced the possibility + of a heap overflow, possibly leading to arbitrary code execution, in + the processing of malformed XPointer expressions in the XML Signature + Reference processing code. Apply upstream patch to fix that heap + overflow. (Closes: #714241, CVE-2013-2210) + + -- Russ Allbery Thu, 27 Jun 2013 13:44:56 -0700 + xml-security-c (1.6.1-6) unstable; urgency=high * Apply upstream patch to fix a spoofing vulnerability that allows an
diff --git a/xsec/dsig/DSIGReference.cpp b/xsec/dsig/DSIGReference.cpp
index 36c9d39..19c1a20 100644
--- a/xsec/dsig/DSIGReference.cpp
+++ b/xsec/dsig/DSIGReference.cpp
@@ -529,10 +529,15 @@ TXFMBase * DSIGReference::getURIBaseTXFM(DOMDocument * doc, xsecsize_t j = 14, i = 0; // Have an ID - while (URI[j] != '\'') { + while (i < len && URI[j] != '\'') { tmp[i++] = URI[j++]; } + tmp[i] = XERCES_CPP_NAMESPACE_QUALIFIER chNull; + + if (URI[j] != '\'') { + throw XSECException(XSECException::UnsupportedXpointerExpr); + } to->setInput(doc, tmp);

-- Debian packaging for XML-Security-C

From rra at debian.org Thu Jun 27 20:53:28 2013
From: rra at debian.org (Russ Allbery)
Date: Thu, 27 Jun 2013 20:53:28 +0000
Subject: [SCM] Debian packaging for XML-Security-C branch, pristine-tar, updated. 21dbc21ee68eba6383a5cd1c99abb1392d6bc2e5

The following commit has been merged in the pristine-tar branch:
commit 21dbc21ee68eba6383a5cd1c99abb1392d6bc2e5
Author: Russ Allbery
Date:   Thu Jun 27 12:49:49 2013 -0700

    pristine-tar data for xml-security-c_1.7.2.orig.tar.gz

diff --git a/xml-security-c_1.7.2.orig.tar.gz.delta b/xml-security-c_1.7.2.orig.tar.gz.delta
new file mode 100644
index 0000000..d5226ec
Binary files /dev/null and b/xml-security-c_1.7.2.orig.tar.gz.delta differ
diff --git a/xml-security-c_1.7.2.orig.tar.gz.id b/xml-security-c_1.7.2.orig.tar.gz.id
new file mode 100644
index 0000000..ffd4a0b
--- /dev/null
+++ b/xml-security-c_1.7.2.orig.tar.gz.id
@@ -0,0 +1 @@ +363105c7fcbc6a30b1310c84e1195277197eaa6f

-- Debian packaging for XML-Security-C

From rra at debian.org Thu Jun 27 20:53:34 2013
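Review bot: in the xsec/dsig/DSIGReference.cpp hunk of the CVE-2013-2210 commit above (debian/1.6.1-7), the new bound `i < len` stops the copy into `tmp`, but the hunk does not show what `len` measures, and the two readings have different consequences. If `len` is the capacity of `tmp`, the terminator write `tmp[i] = XERCES_CPP_NAMESPACE_QUALIFIER chNull;` lands at `tmp[len]` when the loop exits on the bound, so `tmp` must be allocated with `len + 1` elements. If `len` is the length of `URI`, then because `j` starts at 14 and runs ahead of `i`, the read `URI[j]` can pass the string's terminating null before `i < len` fails, since the loop otherwise only stops on a quote. In either case, adding `URI[j] != XERCES_CPP_NAMESPACE_QUALIFIER chNull` to the loop condition makes a URI with no closing quote stop at its own end, and the following `if (URI[j] != '\'')` check still throws UnsupportedXpointerExpr for it.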
From: rra at debian.org (Russ Allbery)
Date: Thu, 27 Jun 2013 20:53:34 +0000
Subject: [SCM] Debian packaging for XML-Security-C annotated tag, debian/1.6.1-7, created. debian/1.6.1-7

The annotated tag, debian/1.6.1-7 has been created
        at  5692fe3ac50133e9e8af2c3fc5cf350bed41011f (tag)
   tagging  f9f730ceedd3d4867eb23324080a68201da8fd75 (commit)
  replaces  debian/1.6.1-6
 tagged by  Russ Allbery
        on  Thu Jun 27 13:53:03 2013 -0700

- Shortlog ------------------------------------------------------------
Debian release 1.6.1-7

Format: 1.8
Date: Thu, 27 Jun 2013 13:44:56 -0700
Source: xml-security-c
Binary: libxml-security-c16 libxml-security-c-dev
Architecture: source i386
Version: 1.6.1-7
Distribution: unstable
Urgency: high
Maintainer: Debian Shib Team
Changed-By: Russ Allbery
Description:
 libxml-security-c-dev - C++ library for XML Digital Signatures (development)
 libxml-security-c16 - C++ library for XML Digital Signatures (runtime)
Closes: 714241
Changes:
 xml-security-c (1.6.1-7) unstable; urgency=high
 .
   * The attempted fix to address CVE-2013-2154 introduced the possibility
     of a heap overflow, possibly leading to arbitrary code execution, in
     the processing of malformed XPointer expressions in the XML Signature
     Reference processing code. Apply upstream patch to fix that heap
     overflow.
     (Closes: #714241, CVE-2013-2210)

Russ Allbery (1):
      Apply upstream patch for heap overflow (CVE-2013-2210)

-----------------------------------------------------------------------

-- Debian packaging for XML-Security-C

From rra at debian.org Thu Jun 27 20:53:34 2013
From: rra at debian.org (Russ Allbery)
Date: Thu, 27 Jun 2013 20:53:34 +0000
Subject: [SCM] Debian packaging for XML-Security-C annotated tag, debian/1.7.2-1, created. debian/1.7.2-1

The annotated tag, debian/1.7.2-1 has been created
        at  43a23873db2362ec34813802895b21343e7dd26a (tag)
   tagging  071f1b6af9fff1d57218bf1b5e58ddf0b0d1acb9 (commit)
  replaces  debian/1.7.1-1
 tagged by  Russ Allbery
        on  Thu Jun 27 13:18:58 2013 -0700

- Shortlog ------------------------------------------------------------
Debian release 1.7.2-1

Format: 1.8
Date: Thu, 27 Jun 2013 13:00:54 -0700
Source: xml-security-c
Binary: libxml-security-c17 libxml-security-c-dev xml-security-c-utils
Architecture: source i386
Version: 1.7.2-1
Distribution: experimental
Urgency: high
Maintainer: Debian Shib Team
Changed-By: Russ Allbery
Description:
 libxml-security-c-dev - C++ library for XML Digital Signatures (development)
 libxml-security-c17 - C++ library for XML Digital Signatures (runtime)
 xml-security-c-utils - C++ library for XML Digital Signatures (utilities)
Closes: 714241
Changes:
 xml-security-c (1.7.2-1) experimental; urgency=high
 .
   * New upstream release.
     - The attempted fix to address CVE-2013-2154 introduced the
       possibility of a heap overflow, possibly leading to arbitrary code
       execution, in the processing of malformed XPointer expressions in
       the XML Signature Reference processing code. Fix that heap
       overflow.
       (Closes: #714241, CVE-2013-2210)

Russ Allbery (5):
      Imported Upstream version 1.7.2
      Merge tag 'upstream/1.7.2'
      Add changelog for upstream 1.7.2 release
      Finalize changes for 1.7.2-1
      Add bug closer for 1.7.2-1 upload

-----------------------------------------------------------------------

--
Debian packaging for XML-Security-C

From rra at debian.org Thu Jun 27 20:53:34 2013
From: rra at debian.org (Russ Allbery)
Date: Thu, 27 Jun 2013 20:53:34 +0000
Subject: [SCM] Debian packaging for XML-Security-C annotated tag, upstream/1.7.2, created. upstream/1.7.2
Message-ID:

The annotated tag, upstream/1.7.2 has been created
        at  ccdc7c8e71e4c157e61b70f46f76943f4e4c999e (tag)
   tagging  fb529b476e4fb5544134b1223cb9102a25705790 (commit)
  replaces  upstream/1.7.1
 tagged by  Russ Allbery
        on  Thu Jun 27 12:49:49 2013 -0700

- Shortlog ------------------------------------------------------------
Upstream version 1.7.2

Russ Allbery (1):
      Imported Upstream version 1.7.2

-----------------------------------------------------------------------

--
Debian packaging for XML-Security-C

From ftpmaster at ftp-master.debian.org Thu Jun 27 20:57:08 2013
From: ftpmaster at ftp-master.debian.org (Debian FTP Masters)
Date: Thu, 27 Jun 2013 20:57:08 +0000
Subject: Processing of xml-security-c_1.6.1-7_i386.changes
Message-ID:

xml-security-c_1.6.1-7_i386.changes uploaded successfully to localhost
along with the files:
  xml-security-c_1.6.1-7.dsc
  xml-security-c_1.6.1-7.debian.tar.gz
  libxml-security-c16_1.6.1-7_i386.deb
  libxml-security-c-dev_1.6.1-7_i386.deb

Greetings,

	Your Debian queue daemon (running on host franck.debian.org)

From ftpmaster at ftp-master.debian.org Thu Jun 27 21:05:23 2013
From: ftpmaster at ftp-master.debian.org (Debian FTP Masters)
Date: Thu, 27 Jun 2013 21:05:23 +0000
Subject: xml-security-c_1.6.1-7_i386.changes ACCEPTED into unstable
Message-ID:

Accepted:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 27 Jun 2013 13:44:56 -0700
Source: xml-security-c
Binary: libxml-security-c16 libxml-security-c-dev
Architecture: source i386
Version: 1.6.1-7
Distribution: unstable
Urgency: high
Maintainer: Debian Shib Team
Changed-By: Russ Allbery
Description:
 libxml-security-c-dev - C++ library for XML Digital Signatures (development)
 libxml-security-c16 - C++ library for XML Digital Signatures (runtime)
Closes: 714241
Changes:
 xml-security-c (1.6.1-7) unstable; urgency=high
 .
   * The attempted fix to address CVE-2013-2154 introduced the possibility
     of a heap overflow, possibly leading to arbitrary code execution, in
     the processing of malformed XPointer expressions in the XML Signature
     Reference processing code.  Apply upstream patch to fix that heap
     overflow.
     (Closes: #714241, CVE-2013-2210)

Thank you for your contribution to Debian.

From ftpmaster at ftp-master.debian.org Thu Jun 27 21:05:33 2013
From: ftpmaster at ftp-master.debian.org (Debian FTP Masters)
Date: Thu, 27 Jun 2013 21:05:33 +0000
Subject: xml-security-c_1.7.2-1_i386.changes ACCEPTED into experimental
Message-ID:

Accepted:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 27 Jun 2013 13:00:54 -0700
Source: xml-security-c
Binary: libxml-security-c17 libxml-security-c-dev xml-security-c-utils
Architecture: source i386
Version: 1.7.2-1
Distribution: experimental
Urgency: high
Maintainer: Debian Shib Team
Changed-By: Russ Allbery
Description:
 libxml-security-c-dev - C++ library for XML Digital Signatures (development)
 libxml-security-c17 - C++ library for XML Digital Signatures (runtime)
 xml-security-c-utils - C++ library for XML Digital Signatures (utilities)
Closes: 714241
Changes:
 xml-security-c (1.7.2-1) experimental; urgency=high
 .
   * New upstream release.
     - The attempted fix to address CVE-2013-2154 introduced the possibility
       of a heap overflow, possibly leading to arbitrary code execution, in
       the processing of malformed XPointer expressions in the XML Signature
       Reference processing code.  Fix that heap overflow.
       (Closes: #714241, CVE-2013-2210)

Thank you for your contribution to Debian.

From owner at bugs.debian.org Thu Jun 27 21:09:09 2013
From: owner at bugs.debian.org (Debian Bug Tracking System)
Date: Thu, 27 Jun 2013 21:09:09 +0000
Subject: Bug#714241: marked as done (xml-security-c: CVE-2013-2210)
References: <20130627070126.5451.9078.reportbug@elende.valinor.li>
Message-ID:

Your message dated Thu, 27 Jun 2013 21:05:23 +0000
with message-id
and subject line Bug#714241: fixed in xml-security-c 1.6.1-7
has caused the Debian Bug report #714241,
regarding xml-security-c: CVE-2013-2210
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner at bugs.debian.org
immediately.)

--
714241: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=714241
Debian Bug Tracking System
Contact owner at bugs.debian.org with problems
-------------- next part --------------
An embedded message was scrubbed...
From: Salvatore Bonaccorso
Subject: xml-security-c: CVE-2013-2210
Date: Thu, 27 Jun 2013 09:01:26 +0200
Size: 2333
URL:
-------------- next part --------------
An embedded message was scrubbed...
From: Russ Allbery
Subject: Bug#714241: fixed in xml-security-c 1.6.1-7
Date: Thu, 27 Jun 2013 21:05:23 +0000
Size: 5161
URL:

From owner at bugs.debian.org Thu Jun 27 21:09:13 2013
From: owner at bugs.debian.org (Debian Bug Tracking System)
Date: Thu, 27 Jun 2013 21:09:13 +0000
Subject: Bug#714241: marked as done (xml-security-c: CVE-2013-2210)
References: <20130627070126.5451.9078.reportbug@elende.valinor.li>
Message-ID:

Your message dated Thu, 27 Jun 2013 21:05:34 +0000
with message-id
and subject line Bug#714241: fixed in xml-security-c 1.7.2-1
has caused the Debian Bug report #714241,
regarding xml-security-c: CVE-2013-2210
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner at bugs.debian.org
immediately.)

--
714241: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=714241
Debian Bug Tracking System
Contact owner at bugs.debian.org with problems
-------------- next part --------------
An embedded message was scrubbed...
From: Salvatore Bonaccorso
Subject: xml-security-c: CVE-2013-2210
Date: Thu, 27 Jun 2013 09:01:26 +0200
Size: 2333
URL:
-------------- next part --------------
An embedded message was scrubbed...
From: Russ Allbery
Subject: Bug#714241: fixed in xml-security-c 1.7.2-1
Date: Thu, 27 Jun 2013 21:05:34 +0000
Size: 5815
URL:

From rra at debian.org Thu Jun 27 22:29:42 2013
From: rra at debian.org (Russ Allbery)
Date: Thu, 27 Jun 2013 15:29:42 -0700
Subject: Bug#714241: xml-security-c: CVE-2013-2210
In-Reply-To: <20130627070126.5451.9078.reportbug@elende.valinor.li> (Salvatore Bonaccorso's message of "Thu, 27 Jun 2013 09:01:26 +0200")
References: <20130627070126.5451.9078.reportbug@elende.valinor.li>
Message-ID: <87mwqbw5k9.fsf@windlord.stanford.edu>

Salvatore Bonaccorso writes:

> Could you double check this, and prepare packages for squeeze and
> wheezy too?

I've uploaded fixed versions for experimental and unstable.  Here are the
debdiff patches for wheezy and squeeze.  Permission to upload to the
security queue?

Please note that Shibboleth doesn't exercise this part of the code, so I
don't personally have any application that tests this part of the
library.  However, the upstream change is fairly simple.

--
Russ Allbery (rra at debian.org)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: squeeze.diff
Type: text/x-diff
Size: 1385 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: wheezy.diff
Type: text/x-diff
Size: 3538 bytes
Desc: not available
URL:

From carnil at debian.org Fri Jun 28 04:54:38 2013
From: carnil at debian.org (Salvatore Bonaccorso)
Date: Fri, 28 Jun 2013 06:54:38 +0200
Subject: Bug#714241: xml-security-c: CVE-2013-2210
In-Reply-To: <87mwqbw5k9.fsf@windlord.stanford.edu>
References: <20130627070126.5451.9078.reportbug@elende.valinor.li> <87mwqbw5k9.fsf@windlord.stanford.edu>
Message-ID: <20130628045438.GA15175@elende>

Hi Russ,

On Thu, Jun 27, 2013 at 03:29:42PM -0700, Russ Allbery wrote:
> Salvatore Bonaccorso writes:
>
> > Could you double check this, and prepare packages for squeeze and
> > wheezy too?
>
> I've uploaded fixed versions for experimental and unstable.  Here are the
> debdiff patches for wheezy and squeeze.  Permission to upload to the
> security queue?
>
> Please note that Shibboleth doesn't exercise this part of the code, so I
> don't personally have any application that tests this part of the
> library.  However, the upstream change is fairly simple.

Looks good. Yes please upload to security-master both.

Thanks for your quick update.

Regards,
Salvatore

From rra at debian.org Fri Jun 28 04:58:15 2013
From: rra at debian.org (Russ Allbery)
Date: Thu, 27 Jun 2013 21:58:15 -0700
Subject: Bug#714241: xml-security-c: CVE-2013-2210
In-Reply-To: <20130628045438.GA15175@elende> (Salvatore Bonaccorso's message of "Fri, 28 Jun 2013 06:54:38 +0200")
References: <20130627070126.5451.9078.reportbug@elende.valinor.li> <87mwqbw5k9.fsf@windlord.stanford.edu> <20130628045438.GA15175@elende>
Message-ID: <87mwqa3k7s.fsf@windlord.stanford.edu>

Salvatore Bonaccorso writes:

> Looks good. Yes please upload to security-master both.

> Thanks for your quick update.

Done.  Thank you for handling security issues!

--
Russ Allbery (rra at debian.org)

From rra at debian.org Fri Jun 28 05:17:37 2013
From: rra at debian.org (Russ Allbery) Date: Fri, 28 Jun 2013 05:17:37 +0000 Subject: [SCM] Debian packaging for XML-Security-C branch, wheezy, updated. debian/1.6.1-5+deb7u1-1-gc27bcf6 Message-ID: The following commit has been merged in the wheezy branch: commit c27bcf6c347c9c1b8b15e68bf837c3b9cab0c347 Author: Russ Allbery Date: Thu Jun 27 13:54:30 2013 -0700 Apply upstream patch for heap overflow (CVE-2013-2210) * The attempted fix to address CVE-2013-2154 introduced the possibility of a heap overflow, possibly leading to arbitrary code execution, in the processing of malformed XPointer expressions in the XML Signature Reference processing code. Apply upstream patch to fix that heap overflow. (Closes: #714241, CVE-2013-2210) diff --git a/debian/changelog b/debian/changelog index dad6533..9737cdf 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,13 @@ +xml-security-c (1.6.1-5+deb7u2) stable-security; urgency=high + + * The attempted fix to address CVE-2013-2154 introduced the possibility + of a heap overflow, possibly leading to arbitrary code execution, in + the processing of malformed XPointer expressions in the XML Signature + Reference processing code. Apply upstream patch to fix that heap + overflow. (Closes: #714241, CVE-2013-2210) + + -- Russ Allbery Thu, 27 Jun 2013 13:54:03 -0700 + xml-security-c (1.6.1-5+deb7u1) stable-security; urgency=high * Apply upstream patch to fix a spoofing vulnerability that allows an diff --git a/xsec/dsig/DSIGReference.cpp b/xsec/dsig/DSIGReference.cpp index 36c9d39..19c1a20 100644 --- a/xsec/dsig/DSIGReference.cpp +++ b/xsec/dsig/DSIGReference.cpp 
@@ -529,10 +529,15 @@ TXFMBase * DSIGReference::getURIBaseTXFM(DOMDocument * doc, xsecsize_t j = 14, i = 0; // Have an ID - while (URI[j] != '\'') { + while (i < len && URI[j] != '\'') { tmp[i++] = URI[j++]; } + tmp[i] = XERCES_CPP_NAMESPACE_QUALIFIER chNull; + + if (URI[j] != '\'') { + throw XSECException(XSECException::UnsupportedXpointerExpr); + } to->setInput(doc, tmp); -- Debian packaging for XML-Security-C From rra at debian.org Fri Jun 28 05:17:37 2013 From: rra at debian.org (Russ Allbery) Date: Fri, 28 Jun 2013 05:17:37 +0000 Subject: [SCM] Debian packaging for XML-Security-C branch, squeeze, updated. debian/1.5.1-3+squeeze2-1-gc6cbb5d Message-ID: The following commit has been merged in the squeeze branch: commit c6cbb5d6572015e65f9b916429d8303571d06af1 Author: Russ Allbery Date: Thu Jun 27 15:15:37 2013 -0700 Apply upstream patch for heap overflow (CVE-2013-2210) * The attempted fix to address CVE-2013-2154 introduced the possibility of a heap overflow, possibly leading to arbitrary code execution, in the processing of malformed XPointer expressions in the XML Signature Reference processing code. Apply upstream patch to fix that heap overflow. (Closes: #714241, CVE-2013-2210) diff --git a/debian/changelog b/debian/changelog index f863265..d783b3d 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,13 @@ +xml-security-c (1.5.1-3+squeeze3) oldstable-security; urgency=high + + * The attempted fix to address CVE-2013-2154 introduced the possibility + of a heap overflow, possibly leading to arbitrary code execution, in + the processing of malformed XPointer expressions in the XML Signature + Reference processing code. Apply upstream patch to fix that heap + overflow. (Closes: #714241, CVE-2013-2210) + + -- Russ Allbery Thu, 27 Jun 2013 15:15:18 -0700 + xml-security-c (1.5.1-3+squeeze2) oldstable-security; urgency=high * Apply upstream patch to fix a spoofing vulnerability that allows an 
diff --git a/src/dsig/DSIGReference.cpp b/src/dsig/DSIGReference.cpp index a6cc179..cc2c046 100644 --- a/src/dsig/DSIGReference.cpp +++ b/src/dsig/DSIGReference.cpp @@ -501,10 +501,15 @@ TXFMBase * DSIGReference::getURIBaseTXFM(DOMDocument * doc, xsecsize_t j = 14, i = 0; // Have an ID - while (URI[j] != '\'') { + while (i < len && URI[j] != '\'') { tmp[i++] = URI[j++]; } + tmp[i] = XERCES_CPP_NAMESPACE_QUALIFIER chNull; + + if (URI[j] != '\'') { + throw XSECException(XSECException::UnsupportedXpointerExpr); + } to->setInput(doc, tmp); -- Debian packaging for XML-Security-C From rra at debian.org Fri Jun 28 05:17:43 2013 
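Review bot: in the `DSIGReference.cpp` hunk (identical in the wheezy commit c27bcf6 and the squeeze commit c6cbb5d above), the new guard `i < len` bounds the writes into `tmp` but not the reads from `URI`: `j` starts at 14 while `i` starts at 0, so on a reference with no closing quote the loop reads `URI[14]` through `URI[len + 13]` before `i < len` fails, and the added `if (URI[j] != '\'')` then reads `URI[len + 14]`. Neither `len` nor the allocation of `tmp` is visible in the hunk, so please confirm that `tmp` has room for `len + 1` elements (the added `tmp[i] = XERCES_CPP_NAMESPACE_QUALIFIER chNull;` can write index `len`) and that `len` is not simply the length of `URI`; if it is, add `URI[j] != XERCES_CPP_NAMESPACE_QUALIFIER chNull` to the loop condition so the scan stops at the terminator. Throwing `XSECException::UnsupportedXpointerExpr` for the unterminated case is the right fail-closed outcome; a unit test feeding an `xpointer(id('` reference that lacks the closing quote would pin that behaviour for future backports.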
From: rra at debian.org (Russ Allbery)
Date: Fri, 28 Jun 2013 05:17:43 +0000
Subject: [SCM] Debian packaging for XML-Security-C annotated tag, debian/1.5.1-3+squeeze3, created. debian/1.5.1-3+squeeze3
Message-ID:

The annotated tag, debian/1.5.1-3+squeeze3 has been created
        at  3a4df75b069b005e5c920404215e6f746ba53430 (tag)
   tagging  c6cbb5d6572015e65f9b916429d8303571d06af1 (commit)
  replaces  debian/1.5.1-3+squeeze2
 tagged by  Russ Allbery
        on  Thu Jun 27 21:56:22 2013 -0700

- Shortlog ------------------------------------------------------------
Debian release 1.5.1-3+squeeze3

Format: 1.8
Date: Thu, 27 Jun 2013 15:15:18 -0700
Source: xml-security-c
Binary: libxml-security-c15 libxml-security-c-dev
Architecture: source i386
Version: 1.5.1-3+squeeze3
Distribution: oldstable-security
Urgency: high
Maintainer: Debian Shib Team
Changed-By: Russ Allbery
Description:
 libxml-security-c-dev - C++ library for XML Digital Signatures (development)
 libxml-security-c15 - C++ library for XML Digital Signatures (runtime)
Closes: 714241
Changes:
 xml-security-c (1.5.1-3+squeeze3) oldstable-security; urgency=high
 .
   * The attempted fix to address CVE-2013-2154 introduced the possibility
     of a heap overflow, possibly leading to arbitrary code execution, in
     the processing of malformed XPointer expressions in the XML Signature
     Reference processing code.  Apply upstream patch to fix that heap
     overflow.
     (Closes: #714241, CVE-2013-2210)

Russ Allbery (1):
      Apply upstream patch for heap overflow (CVE-2013-2210)

-----------------------------------------------------------------------

--
Debian packaging for XML-Security-C

From rra at debian.org Fri Jun 28 05:17:43 2013
From: rra at debian.org (Russ Allbery)
Date: Fri, 28 Jun 2013 05:17:43 +0000
Subject: [SCM] Debian packaging for XML-Security-C annotated tag, debian/1.6.1-5+deb7u2, created. debian/1.6.1-5+deb7u2
Message-ID:

The annotated tag, debian/1.6.1-5+deb7u2 has been created
        at  2f9cc02bd63137b565373ed7c3fe43cccd582057 (tag)
   tagging  c27bcf6c347c9c1b8b15e68bf837c3b9cab0c347 (commit)
  replaces  debian/1.6.1-5+deb7u1
 tagged by  Russ Allbery
        on  Thu Jun 27 15:13:53 2013 -0700

- Shortlog ------------------------------------------------------------
Debian release 1.6.1-5+deb7u2

Format: 1.8
Date: Thu, 27 Jun 2013 13:54:03 -0700
Source: xml-security-c
Binary: libxml-security-c16 libxml-security-c-dev
Architecture: source i386
Version: 1.6.1-5+deb7u2
Distribution: stable-security
Urgency: high
Maintainer: Debian Shib Team
Changed-By: Russ Allbery
Description:
 libxml-security-c-dev - C++ library for XML Digital Signatures (development)
 libxml-security-c16 - C++ library for XML Digital Signatures (runtime)
Closes: 714241
Changes:
 xml-security-c (1.6.1-5+deb7u2) stable-security; urgency=high
 .
   * The attempted fix to address CVE-2013-2154 introduced the possibility
     of a heap overflow, possibly leading to arbitrary code execution, in
     the processing of malformed XPointer expressions in the XML Signature
     Reference processing code.  Apply upstream patch to fix that heap
     overflow.
     (Closes: #714241, CVE-2013-2210)

Russ Allbery (1):
      Apply upstream patch for heap overflow (CVE-2013-2210)

-----------------------------------------------------------------------

--
Debian packaging for XML-Security-C

From ftpmaster at ftp-master.debian.org Fri Jun 28 15:24:43 2013
From: ftpmaster at ftp-master.debian.org (Debian FTP Masters)
Date: Fri, 28 Jun 2013 15:24:43 +0000
Subject: Processing of xml-security-c_1.6.1-5+deb7u2_i386.changes
Message-ID:

xml-security-c_1.6.1-5+deb7u2_i386.changes uploaded successfully to localhost
along with the files:
  xml-security-c_1.6.1-5+deb7u2.dsc
  xml-security-c_1.6.1-5+deb7u2.debian.tar.gz
  libxml-security-c16_1.6.1-5+deb7u2_i386.deb
  libxml-security-c-dev_1.6.1-5+deb7u2_i386.deb

Greetings,

	Your Debian queue daemon (running on host franck.debian.org)

From ftpmaster at ftp-master.debian.org Fri Jun 28 15:24:45 2013
From: ftpmaster at ftp-master.debian.org (Debian FTP Masters)
Date: Fri, 28 Jun 2013 15:24:45 +0000
Subject: Processing of xml-security-c_1.5.1-3+squeeze3_i386.changes
Message-ID:

xml-security-c_1.5.1-3+squeeze3_i386.changes uploaded successfully to localhost
along with the files:
  xml-security-c_1.5.1-3+squeeze3.dsc
  xml-security-c_1.5.1-3+squeeze3.diff.gz
  libxml-security-c15_1.5.1-3+squeeze3_i386.deb
  libxml-security-c-dev_1.5.1-3+squeeze3_i386.deb

Greetings,

	Your Debian queue daemon (running on host franck.debian.org)

From ftpmaster at ftp-master.debian.org Fri Jun 28 15:49:12 2013
From: ftpmaster at ftp-master.debian.org (Debian FTP Masters)
Date: Fri, 28 Jun 2013 15:49:12 +0000
Subject: xml-security-c_1.5.1-3+squeeze3_i386.changes ACCEPTED into oldstable-proposed-updates->oldstable-new
Message-ID:

Mapping oldstable-security to oldstable-proposed-updates.

Accepted:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 27 Jun 2013 15:15:18 -0700
Source: xml-security-c
Binary: libxml-security-c15 libxml-security-c-dev
Architecture: source i386
Version: 1.5.1-3+squeeze3
Distribution: oldstable-security
Urgency: high
Maintainer: Debian Shib Team
Changed-By: Russ Allbery
Description:
 libxml-security-c-dev - C++ library for XML Digital Signatures (development)
 libxml-security-c15 - C++ library for XML Digital Signatures (runtime)
Closes: 714241
Changes:
 xml-security-c (1.5.1-3+squeeze3) oldstable-security; urgency=high
 .
   * The attempted fix to address CVE-2013-2154 introduced the possibility
     of a heap overflow, possibly leading to arbitrary code execution, in
     the processing of malformed XPointer expressions in the XML Signature
     Reference processing code.  Apply upstream patch to fix that heap
     overflow.
     (Closes: #714241, CVE-2013-2210)

Thank you for your contribution to Debian.

From ftpmaster at ftp-master.debian.org Fri Jun 28 15:49:33 2013
From: ftpmaster at ftp-master.debian.org (Debian FTP Masters)
Date: Fri, 28 Jun 2013 15:49:33 +0000
Subject: xml-security-c_1.6.1-5+deb7u2_i386.changes ACCEPTED into proposed-updates->stable-new
Message-ID:

Mapping stable-security to proposed-updates.

Accepted:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 27 Jun 2013 13:54:03 -0700
Source: xml-security-c
Binary: libxml-security-c16 libxml-security-c-dev
Architecture: source i386
Version: 1.6.1-5+deb7u2
Distribution: stable-security
Urgency: high
Maintainer: Debian Shib Team
Changed-By: Russ Allbery
Description:
 libxml-security-c-dev - C++ library for XML Digital Signatures (development)
 libxml-security-c16 - C++ library for XML Digital Signatures (runtime)
Closes: 714241
Changes:
 xml-security-c (1.6.1-5+deb7u2) stable-security; urgency=high
 .
   * The attempted fix to address CVE-2013-2154 introduced the possibility
     of a heap overflow, possibly leading to arbitrary code execution, in
     the processing of malformed XPointer expressions in the XML Signature
     Reference processing code.  Apply upstream patch to fix that heap
     overflow.
(Closes: #714241, CVE-2013-2210) Checksums-Sha1: 69343ccfc8fb3368cd3bf5cb289897f2f9b655a2 1813 xml-security-c_1.6.1-5+deb7u2.dsc ba7f9c8b5c122ea213ab6b880e13952cace2b36f 12013 xml-security-c_1.6.1-5+deb7u2.debian.tar.gz 6c3d73f2d99f2f6b1f6c7ba97820209f17d64437 375560 libxml-security-c16_1.6.1-5+deb7u2_i386.deb 7a4a814816050ca5d6e62d67ad17fce18dc7b460 151332 libxml-security-c-dev_1.6.1-5+deb7u2_i386.deb Checksums-Sha256: a5aaeff16e400d7351fde6903fb32733af8c38990365913d42923280cf9a39ec 1813 xml-security-c_1.6.1-5+deb7u2.dsc c0218aa7181316be9fa44753b09c81c5a327e5d6ed01d533f462a37325723789 12013 xml-security-c_1.6.1-5+deb7u2.debian.tar.gz 05fdb7667ce34abb7cf2b7f3ea0f38820b4d6cbda9cd153842be9470079be733 375560 libxml-security-c16_1.6.1-5+deb7u2_i386.deb 8f14e1257df217c479fddd63aaaa7345a772a1f359faf4e6f18beb1bc6170947 151332 libxml-security-c-dev_1.6.1-5+deb7u2_i386.deb Files: fd91e1b027e8af76e9260aa86a2c96cc 1813 libs extra xml-security-c_1.6.1-5+deb7u2.dsc ab3cf5ffdde120bbdf4aebd3c88bb9c9 12013 libs extra xml-security-c_1.6.1-5+deb7u2.debian.tar.gz 95959ea297072b19617efd9757b34182 375560 libs extra libxml-security-c16_1.6.1-5+deb7u2_i386.deb 8ae52f2ded56659e2e1e984a62b3a55c 151332 libdevel extra libxml-security-c-dev_1.6.1-5+deb7u2_i386.deb -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQEcBAEBCAAGBQJRzRelAAoJEH2AMVxXNt51XosIAJimFictwIv+bNuF0ruNq+de PcB3JFutC3hikV62nyEpT4/EBFGAF12NTAnESrqoEo2/nvwZvquPj3Yzbwg+SSfV Bp8o/KVPbo8k+uV5cpzQlaPgEg5BCgHy2XNoOakaoIjTQb3+5YeY1mAlWeT05248 6zxdQ2YzGxmdWEhT5+u2wW2LTMynNrbHM3qc0HIEBnCkwOnnOcCg+Z6Be7nHprv1 EPQOIA+wiAB+T5KVw0IOj1LV7OeH9unxKc19iOZ8l5H2NSqiVNPWmnkJwfsXKanU 9sDWsoxUZUCVd6pYqAV8JmgEdxyeff4xkIFzaV9Gvcm6ieUx8zHcfGFltFwEv1o= =Sa/6 -----END PGP SIGNATURE----- Thank you for your contribution to Debian. From ftpmaster at ftp-master.debian.org Sat Jun 29 10:47:22 2013 
From: ftpmaster at ftp-master.debian.org (Debian FTP Masters) Date: Sat, 29 Jun 2013 10:47:22 +0000 Subject: xml-security-c_1.6.1-5+deb7u2_i386.changes ACCEPTED into proposed-updates->stable-new, proposed-updates Message-ID: Accepted: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Format: 1.8 Date: Thu, 27 Jun 2013 13:54:03 -0700 Source: xml-security-c Binary: libxml-security-c16 libxml-security-c-dev Architecture: source i386 Version: 1.6.1-5+deb7u2 Distribution: stable-security Urgency: high Maintainer: Debian Shib Team Changed-By: Russ Allbery Description: libxml-security-c-dev - C++ library for XML Digital Signatures (development) libxml-security-c16 - C++ library for XML Digital Signatures (runtime) Closes: 714241 Changes: xml-security-c (1.6.1-5+deb7u2) stable-security; urgency=high . * The attempted fix to address CVE-2013-2154 introduced the possibility of a heap overflow, possibly leading to arbitrary code execution, in the processing of malformed XPointer expressions in the XML Signature Reference processing code. Apply upstream patch to fix that heap overflow. 
(Closes: #714241, CVE-2013-2210) Checksums-Sha1: 69343ccfc8fb3368cd3bf5cb289897f2f9b655a2 1813 xml-security-c_1.6.1-5+deb7u2.dsc ba7f9c8b5c122ea213ab6b880e13952cace2b36f 12013 xml-security-c_1.6.1-5+deb7u2.debian.tar.gz 6c3d73f2d99f2f6b1f6c7ba97820209f17d64437 375560 libxml-security-c16_1.6.1-5+deb7u2_i386.deb 7a4a814816050ca5d6e62d67ad17fce18dc7b460 151332 libxml-security-c-dev_1.6.1-5+deb7u2_i386.deb Checksums-Sha256: a5aaeff16e400d7351fde6903fb32733af8c38990365913d42923280cf9a39ec 1813 xml-security-c_1.6.1-5+deb7u2.dsc c0218aa7181316be9fa44753b09c81c5a327e5d6ed01d533f462a37325723789 12013 xml-security-c_1.6.1-5+deb7u2.debian.tar.gz 05fdb7667ce34abb7cf2b7f3ea0f38820b4d6cbda9cd153842be9470079be733 375560 libxml-security-c16_1.6.1-5+deb7u2_i386.deb 8f14e1257df217c479fddd63aaaa7345a772a1f359faf4e6f18beb1bc6170947 151332 libxml-security-c-dev_1.6.1-5+deb7u2_i386.deb Files: fd91e1b027e8af76e9260aa86a2c96cc 1813 libs extra xml-security-c_1.6.1-5+deb7u2.dsc ab3cf5ffdde120bbdf4aebd3c88bb9c9 12013 libs extra xml-security-c_1.6.1-5+deb7u2.debian.tar.gz 95959ea297072b19617efd9757b34182 375560 libs extra libxml-security-c16_1.6.1-5+deb7u2_i386.deb 8ae52f2ded56659e2e1e984a62b3a55c 151332 libdevel extra libxml-security-c-dev_1.6.1-5+deb7u2_i386.deb -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQEcBAEBCAAGBQJRzRelAAoJEH2AMVxXNt51XosIAJimFictwIv+bNuF0ruNq+de PcB3JFutC3hikV62nyEpT4/EBFGAF12NTAnESrqoEo2/nvwZvquPj3Yzbwg+SSfV Bp8o/KVPbo8k+uV5cpzQlaPgEg5BCgHy2XNoOakaoIjTQb3+5YeY1mAlWeT05248 6zxdQ2YzGxmdWEhT5+u2wW2LTMynNrbHM3qc0HIEBnCkwOnnOcCg+Z6Be7nHprv1 EPQOIA+wiAB+T5KVw0IOj1LV7OeH9unxKc19iOZ8l5H2NSqiVNPWmnkJwfsXKanU 9sDWsoxUZUCVd6pYqAV8JmgEdxyeff4xkIFzaV9Gvcm6ieUx8zHcfGFltFwEv1o= =Sa/6 -----END PGP SIGNATURE----- Thank you for your contribution to Debian. From ftpmaster at ftp-master.debian.org Sat Jun 29 10:48:03 2013 
From: ftpmaster at ftp-master.debian.org (Debian FTP Masters) Date: Sat, 29 Jun 2013 10:48:03 +0000 Subject: xml-security-c_1.5.1-3+squeeze3_i386.changes ACCEPTED into oldstable-proposed-updates->oldstable-new, oldstable-proposed-updates Message-ID: Accepted: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Format: 1.8 Date: Thu, 27 Jun 2013 15:15:18 -0700 Source: xml-security-c Binary: libxml-security-c15 libxml-security-c-dev Architecture: source i386 Version: 1.5.1-3+squeeze3 Distribution: oldstable-security Urgency: high Maintainer: Debian Shib Team Changed-By: Russ Allbery Description: libxml-security-c-dev - C++ library for XML Digital Signatures (development) libxml-security-c15 - C++ library for XML Digital Signatures (runtime) Closes: 714241 Changes: xml-security-c (1.5.1-3+squeeze3) oldstable-security; urgency=high . * The attempted fix to address CVE-2013-2154 introduced the possibility of a heap overflow, possibly leading to arbitrary code execution, in the processing of malformed XPointer expressions in the XML Signature Reference processing code. Apply upstream patch to fix that heap overflow. 
(Closes: #714241, CVE-2013-2210) Checksums-Sha1: 8ab33f3e4f2f86f2400a900d97850dc11b0b2b67 1670 xml-security-c_1.5.1-3+squeeze3.dsc 0baa3d982be6e10174b3c44ec6fdbe5844ccefd4 11620 xml-security-c_1.5.1-3+squeeze3.diff.gz d6ad35760bc00e601e1f57b2dcccde1b9279c716 353922 libxml-security-c15_1.5.1-3+squeeze3_i386.deb 40f1e58a8c278dacca0a9f6ccbb2499aad20148c 141932 libxml-security-c-dev_1.5.1-3+squeeze3_i386.deb Checksums-Sha256: b631057a640a9df2bfe292e971ce064028acfe4bc6cdb17e670408c9f4b43dde 1670 xml-security-c_1.5.1-3+squeeze3.dsc b1e4d83a267a40316e30f1b961b51e7cb7a9b2b7fb82929f2cfb396136936b1f 11620 xml-security-c_1.5.1-3+squeeze3.diff.gz 887e28919a86e19cbdd6a496ed06c9b366366374ae00a78a8637da7f1b2397d3 353922 libxml-security-c15_1.5.1-3+squeeze3_i386.deb 956a172a4debd28ef6cc61b7b3803a72f65bf9357fb4c4f9eec7b5444f254e66 141932 libxml-security-c-dev_1.5.1-3+squeeze3_i386.deb Files: 844929bf53f34c0ebc97c54bcd9f484b 1670 libs extra xml-security-c_1.5.1-3+squeeze3.dsc d224b034021957819fa8f08f3058a971 11620 libs extra xml-security-c_1.5.1-3+squeeze3.diff.gz 7e60f8d3ffe67987d98a773986d985b2 353922 libs extra libxml-security-c15_1.5.1-3+squeeze3_i386.deb c0fc7af171374aa6e1ba762d797460ff 141932 libdevel extra libxml-security-c-dev_1.5.1-3+squeeze3_i386.deb -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQEcBAEBCAAGBQJRzRfJAAoJEH2AMVxXNt51a0MH/3kUSswfHZwIVkDc9hLbsjgV 2MGL2/K0kPyUSahax86julJCT/flNFlalve3baSlSKW+0bxCz+LEvwdf3Kn2za1g j5K/eNtr4U6M4CeUXV0aPydyRK3NymsPUBim30mTSTLHFCLXfbGCAicnzb99A7LD iaX8Pt2PVkefRm7kcw3BZx/ukPtcb/CKiZf9BeFuDkiWcKQGNyDcI2Z4uEiT+hKj jBZEZICkvnF70oVd286PlHyuThLwXHAj4bJZgRONGZr2RXAomDP6BqYTfak1cQeZ wOO5/qMpnq8pgIV070tFEy6Nb6O1rJpw9ReJu+rMp4RDggBQE+bQld7a7IZNcVA= =vUUF -----END PGP SIGNATURE----- Thank you for your contribution to Debian. From owner at bugs.debian.org Sat Jun 29 10:51:19 2013 
From: owner at bugs.debian.org (Debian Bug Tracking System) Date: Sat, 29 Jun 2013 10:51:19 +0000 Subject: Bug#714241: marked as done (xml-security-c: CVE-2013-2210) References: <20130627070126.5451.9078.reportbug@elende.valinor.li> Message-ID: Your message dated Sat, 29 Jun 2013 10:47:22 +0000 with message-id and subject line Bug#714241: fixed in xml-security-c 1.6.1-5+deb7u2 has caused the Debian Bug report #714241, regarding xml-security-c: CVE-2013-2210 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner at bugs.debian.org immediately.) -- 714241: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=714241 Debian Bug Tracking System Contact owner at bugs.debian.org with problems -------------- next part -------------- An embedded message was scrubbed... From: Salvatore Bonaccorso Subject: xml-security-c: CVE-2013-2210 Date: Thu, 27 Jun 2013 09:01:26 +0200 Size: 2333 URL: -------------- next part -------------- An embedded message was scrubbed... From: Russ Allbery Subject: Bug#714241: fixed in xml-security-c 1.6.1-5+deb7u2 Date: Sat, 29 Jun 2013 10:47:22 +0000 Size: 5276 URL: From owner at bugs.debian.org Sat Jun 29 10:51:23 2013 
From: owner at bugs.debian.org (Debian Bug Tracking System) Date: Sat, 29 Jun 2013 10:51:23 +0000 Subject: Bug#714241: marked as done (xml-security-c: CVE-2013-2210) References: <20130627070126.5451.9078.reportbug@elende.valinor.li> Message-ID: Your message dated Sat, 29 Jun 2013 10:48:03 +0000 with message-id and subject line Bug#714241: fixed in xml-security-c 1.5.1-3+squeeze3 has caused the Debian Bug report #714241, regarding xml-security-c: CVE-2013-2210 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner at bugs.debian.org immediately.) -- 714241: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=714241 Debian Bug Tracking System Contact owner at bugs.debian.org with problems -------------- next part -------------- An embedded message was scrubbed... From: Salvatore Bonaccorso Subject: xml-security-c: CVE-2013-2210 Date: Thu, 27 Jun 2013 09:01:26 +0200 Size: 2333 URL: -------------- next part -------------- An embedded message was scrubbed... From: Russ Allbery Subject: Bug#714241: fixed in xml-security-c 1.5.1-3+squeeze3 Date: Sat, 29 Jun 2013 10:48:03 +0000 Size: 5296 URL: From ftpmaster at ftp-master.debian.org Sat Jun 29 21:04:05 2013 
From: ftpmaster at ftp-master.debian.org (Debian FTP Masters) Date: Sat, 29 Jun 2013 21:04:05 +0000 Subject: Processing of xml-security-c_1.6.1-5+deb7u2~bpo60+1_i386.changes Message-ID: xml-security-c_1.6.1-5+deb7u2~bpo60+1_i386.changes uploaded successfully to localhost along with the files: xml-security-c_1.6.1-5+deb7u2~bpo60+1.dsc xml-security-c_1.6.1-5+deb7u2~bpo60+1.debian.tar.gz libxml-security-c16_1.6.1-5+deb7u2~bpo60+1_i386.deb libxml-security-c-dev_1.6.1-5+deb7u2~bpo60+1_i386.deb Greetings, Your Debian queue daemon (running on host franck.debian.org) From rra at debian.org Sat Jun 29 21:04:51 2013 From: rra at debian.org (Russ Allbery) Date: Sat, 29 Jun 2013 21:04:51 +0000 Subject: [SCM] Debian packaging for XML-Security-C branch, squeeze-backports, updated. debian/1.6.1-5+deb7u1_bpo60+1-1-gd82db95 Message-ID: The following commit has been merged in the squeeze-backports branch: commit d82db95a3446a89a9640948664e725f686332ec9 Author: Russ Allbery Date: Thu Jun 27 13:54:30 2013 -0700 Apply upstream patch for heap overflow (CVE-2013-2210) * The attempted fix to address CVE-2013-2154 introduced the possibility of a heap overflow, possibly leading to arbitrary code execution, in the processing of malformed XPointer expressions in the XML Signature Reference processing code. Apply upstream patch to fix that heap overflow. (Closes: #714241, CVE-2013-2210) diff --git a/debian/changelog b/debian/changelog index c5cd705..6f12294 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,4 +1,4 @@ -xml-security-c (1.6.1-5+deb7u1~bpo60+1) squeeze-backports; urgency=high +xml-security-c (1.6.1-5+deb7u2~bpo60+1) squeeze-backports; urgency=high * Backport to oldstable. * Revert the change to use multiarch and force a non-multiarch libdir. 
@@ -6,6 +6,16 @@ xml-security-c (1.6.1-5+deb7u1~bpo60+1) squeeze-backports; urgency=high -- Russ Allbery Tue, 18 Jun 2013 10:39:10 -0700 +xml-security-c (1.6.1-5+deb7u2) stable-security; urgency=high + + * The attempted fix to address CVE-2013-2154 introduced the possibility + of a heap overflow, possibly leading to arbitrary code execution, in + the processing of malformed XPointer expressions in the XML Signature + Reference processing code. Apply upstream patch to fix that heap + overflow. (Closes: #714241, CVE-2013-2210) + + -- Russ Allbery Thu, 27 Jun 2013 13:54:03 -0700 + xml-security-c (1.6.1-5+deb7u1) stable-security; urgency=high * Apply upstream patch to fix a spoofing vulnerability that allows an diff --git a/xsec/dsig/DSIGReference.cpp b/xsec/dsig/DSIGReference.cpp index 36c9d39..19c1a20 100644 --- a/xsec/dsig/DSIGReference.cpp +++ b/xsec/dsig/DSIGReference.cpp @@ -529,10 +529,15 @@ TXFMBase * DSIGReference::getURIBaseTXFM(DOMDocument * doc, xsecsize_t j = 14, i = 0; // Have an ID - while (URI[j] != '\'') { + while (i < len && URI[j] != '\'') { tmp[i++] = URI[j++]; } + tmp[i] = XERCES_CPP_NAMESPACE_QUALIFIER chNull; + + if (URI[j] != '\'') { + throw XSECException(XSECException::UnsupportedXpointerExpr); + } to->setInput(doc, tmp); -- Debian packaging for XML-Security-C From rra at debian.org Sat Jun 29 21:04:57 2013 
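Review bot: in the DSIGReference.cpp hunk the new loop condition `while (i < len && URI[j] != '\'')` still does not stop at the string terminator, and `len` is defined outside the hunk, so the diff alone does not show whether the bound on `i` keeps `URI[j]` (with `j` running 14 ahead of `i`) inside the URI, nor whether `tmp` has room for the added `tmp[i] = XERCES_CPP_NAMESPACE_QUALIFIER chNull;` store when `i` reaches `len`. Suggest adding `&& URI[j] != XERCES_CPP_NAMESPACE_QUALIFIER chNull` to the loop condition so that a reference missing its closing quote stops at end of string rather than at the `len` bound, and confirming in the surrounding code that `tmp` is allocated with at least `len + 1` elements; the post-loop `if (URI[j] != '\'') { throw XSECException(XSECException::UnsupportedXpointerExpr); }` is the right place to reject the malformed expression and would then also catch the terminator case.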
From: rra at debian.org (Russ Allbery) Date: Sat, 29 Jun 2013 21:04:57 +0000 Subject: [SCM] Debian packaging for XML-Security-C annotated tag, debian/1.6.1-5+deb7u2_bpo60+1, created. debian/1.6.1-5+deb7u2_bpo60+1 Message-ID: The annotated tag, debian/1.6.1-5+deb7u2_bpo60+1 has been created at aaee1d533d94d26f5006a480af86dc5b6eb8a56e (tag) tagging d82db95a3446a89a9640948664e725f686332ec9 (commit) replaces debian/1.6.1-5+deb7u1_bpo60+1 tagged by Russ Allbery on Sat Jun 29 14:04:21 2013 -0700 - Shortlog ------------------------------------------------------------ Debian release 1.6.1-5+deb7u2~bpo60+1 Format: 1.8 Date: Tue, 18 Jun 2013 10:39:10 -0700 Source: xml-security-c Binary: libxml-security-c16 libxml-security-c-dev Architecture: source i386 Version: 1.6.1-5+deb7u2~bpo60+1 Distribution: squeeze-backports Urgency: high Maintainer: Debian Shib Team Changed-By: Russ Allbery Description: libxml-security-c-dev - C++ library for XML Digital Signatures (development) libxml-security-c16 - C++ library for XML Digital Signatures (runtime) Closes: 714241 Changes: xml-security-c (1.6.1-5+deb7u2~bpo60+1) squeeze-backports; urgency=high . * Backport to oldstable. * Revert the change to use multiarch and force a non-multiarch libdir. * Relax versioned dependency on libssl-dev to build on squeeze. . xml-security-c (1.6.1-5+deb7u2) stable-security; urgency=high . * The attempted fix to address CVE-2013-2154 introduced the possibility of a heap overflow, possibly leading to arbitrary code execution, in the processing of malformed XPointer expressions in the XML Signature Reference processing code. Apply upstream patch to fix that heap overflow. 
(Closes: #714241, CVE-2013-2210) Checksums-Sha1: b155274c7ab371ff383d921c470f2df16600fb32 1743 xml-security-c_1.6.1-5+deb7u2~bpo60+1.dsc ac091a646ca7d2d9097e5f18c47512493021e1b2 12572 xml-security-c_1.6.1-5+deb7u2~bpo60+1.debian.tar.gz a31a62166de332724aef737bbdda960c096c0306 384488 libxml-security-c16_1.6.1-5+deb7u2~bpo60+1_i386.deb e0d2a4dc269b37163e511e1c696d8bee6f550eb4 151404 libxml-security-c-dev_1.6.1-5+deb7u2~bpo60+1_i386.deb Checksums-Sha256: 8da62d81f133460d687ec046dae67a794b05fdf8b11fd0db97930cd098d7d1e6 1743 xml-security-c_1.6.1-5+deb7u2~bpo60+1.dsc 5b89b36598db3896682014b14a9dc173a4ca4ac00ab6afceeba34606c54dcb8f 12572 xml-security-c_1.6.1-5+deb7u2~bpo60+1.debian.tar.gz 0cea5e2d1b27c023a5648182ca94caa354143821965a51397450493a82472988 384488 libxml-security-c16_1.6.1-5+deb7u2~bpo60+1_i386.deb e1ed07c7446f50aeb44cc3667c9a80a1d37d3cfc0d339f86a3b11086924ee130 151404 libxml-security-c-dev_1.6.1-5+deb7u2~bpo60+1_i386.deb Files: 9d9dec491431b7f20dd9e1d1d59f352a 1743 libs extra xml-security-c_1.6.1-5+deb7u2~bpo60+1.dsc 8e3dd81068339452f4b2c17410d56d09 12572 libs extra xml-security-c_1.6.1-5+deb7u2~bpo60+1.debian.tar.gz 829e1f43077c64107494a919738af81d 384488 libs extra libxml-security-c16_1.6.1-5+deb7u2~bpo60+1_i386.deb efbac6cc2111dfff7c650626dcbfe0b3 151404 libdevel extra libxml-security-c-dev_1.6.1-5+deb7u2~bpo60+1_i386.deb -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQEcBAABCAAGBQJRz0vtAAoJEH2AMVxXNt51Z30IALtjdJaA89vsS4vEEScWMdou DwUVaNrq9yWQmhu3CEQuHeShU4VdSMzEJn9fHNel1nDX5fejBP1b4oO0cfZG6Q5M mbRNsL1zoqp1aAjttheJ9v4wGX3EtOPPjoIAzErIemoAJ+8ZI43b87Wgab7Qd2Dh pu0ijAIOu0N/cpAlSG4FSdASTk9ORJLI/vuTQcyLW5boz1r0UrpBSUIZiBIDg8yr 4Bwsym7mKKHUgeRFZZ2WXIO2vjarQuw9A1MIBlKFTv/4lGKUurhIdCMu+AhnEwI7 8j4qQ86JBaocEl8lMWYkGAvZh6xasSXu+rvJQ68zbAfo8s/sFbQAPr11FXzuhPI= =Roky -----END PGP SIGNATURE----- Russ Allbery (1): Apply upstream patch for heap overflow (CVE-2013-2210) ----------------------------------------------------------------------- -- Debian 
packaging for XML-Security-C From ftpmaster at ftp-master.debian.org Sat Jun 29 21:34:20 2013 
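The changelog entry and the DSIGReference.cpp hunk above describe the bug only in one sentence: the loop that copies the ID out of a "#xpointer(id('...'))" reference stops at a closing quote and nowhere else. The following is an added example, not code from xml-security-c or from its Debian packaging, that models the pre-patch and post-patch behaviour with the C++ standard library only. It assumes char16_t as a stand-in for Xerces' XMLCh, takes the prefix length 14 from the hunk's `j = 14`, and simulates the heap as a vector so that the over-read is observable without corrupting memory; the `!= u'\0'` test in the hardened loop is this example's addition, not part of the hunk.

```cpp
// Added example, not code from xml-security-c or its Debian packaging: a
// stdlib-only model of the "#xpointer(id('...'))" reference parsing described
// in the changelog entry and the DSIGReference.cpp hunk.  char16_t stands in
// for Xerces' XMLCh; the prefix length 14 is the `j = 14` of the hunk.
#include <cstddef>
#include <iostream>
#include <string>
#include <vector>

static const std::size_t kXPointerIdPrefixLen = 14;          // length of "#xpointer(id('"
static const char16_t   kXPointerIdPrefix[]   = u"#xpointer(id('";

// Length of a NUL-terminated UTF-16 string (the role of XMLString::stringLen).
static std::size_t u16len(const char16_t* s) {
    std::size_t n = 0;
    while (s[n] != u'\0') ++n;
    return n;
}

// True if `uri` starts with "#xpointer(id('".  The prefix contains no NUL, so
// a short URI mismatches at its own terminator and is never over-read.
static bool hasXPointerIdPrefix(const char16_t* uri) {
    for (std::size_t k = 0; k < kXPointerIdPrefixLen; ++k)
        if (uri[k] != kXPointerIdPrefix[k]) return false;
    return true;
}

// Pre-patch behaviour (the hunk's '-' line), modelled safely.  `mem` stands
// for the URI plus whatever the allocator placed after it on the heap.  Only a
// closing quote stops the loop; the terminator does not, so a reference with
// no quote keeps copying neighbouring heap data.  Returns how many characters
// would be copied into the destination; the mem.size() guard belongs to this
// model only, the original loop would keep reading until it crashed.
static std::size_t prePatchCopyCount(const std::vector<char16_t>& mem) {
    std::size_t j = kXPointerIdPrefixLen, i = 0;
    while (j < mem.size() && mem[j] != u'\'') { ++i; ++j; }
    return i;
}

// Builds the simulated heap: the URI, its terminator, then a neighbouring
// allocation (constructed sample data, not a real allocator layout).
static std::vector<char16_t> simulateHeap(const char16_t* uri, const char16_t* neighbour) {
    std::vector<char16_t> mem(uri, uri + u16len(uri));
    mem.push_back(u'\0');
    mem.insert(mem.end(), neighbour, neighbour + u16len(neighbour));
    return mem;
}

// Patched behaviour (the hunk's '+' lines): the copy is bounded by the URI
// length, as `i < len` is in the hunk, and a missing closing quote is rejected
// after the loop.  The `!= u'\0'` test is this example's addition, so that the
// loop also stops at the terminator instead of relying on the bound alone.
static bool extractXPointerId(const char16_t* uri, std::u16string& id) {
    if (!hasXPointerIdPrefix(uri)) return false;
    const std::size_t len = u16len(uri);
    std::size_t j = kXPointerIdPrefixLen, i = 0;
    std::u16string tmp;
    while (i < len && uri[j] != u'\'' && uri[j] != u'\0') {
        tmp.push_back(uri[j++]);
        ++i;
    }
    if (uri[j] != u'\'') return false;   // malformed XPointer expression
    id.swap(tmp);
    return true;
}

int main() {
    std::u16string id;
    const char16_t* good = u"#xpointer(id('assertion-1'))";
    const char16_t* bad  = u"#xpointer(id('assertion-1";   // no closing quote
    std::cout << "well-formed accepted: " << extractXPointerId(good, id)
              << " (id length " << id.size() << ")\n";
    std::cout << "missing quote rejected: " << !extractXPointerId(bad, id) << "\n";
    // Pre-patch loop on the malformed reference: it runs past the terminator
    // into the neighbouring allocation until it happens to meet a quote.
    std::vector<char16_t> mem = simulateHeap(bad, u"XXXXXXXXXXXXXXXXXXXX'");
    std::cout << "pre-patch copy count: " << prePatchCopyCount(mem)
              << " vs URI length " << u16len(bad) << "\n";
    return 0;
}
```

The point of the simulated heap is that the pre-patch loop's copy count depends on data outside the URI: with the constructed neighbour above it copies 32 characters out of a 25-character reference, which is the heap overflow the changelog describes. The hardened routine never looks past the terminator and reports the malformed reference as an error, matching the exception the hunk throws.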
From: ftpmaster at ftp-master.debian.org (Debian FTP Masters) Date: Sat, 29 Jun 2013 21:34:20 +0000 Subject: xml-security-c_1.6.1-5+deb7u2~bpo60+1_i386.changes ACCEPTED into squeeze-backports->backports-policy Message-ID: Accepted: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Format: 1.8 Date: Tue, 18 Jun 2013 10:39:10 -0700 Source: xml-security-c Binary: libxml-security-c16 libxml-security-c-dev Architecture: source i386 Version: 1.6.1-5+deb7u2~bpo60+1 Distribution: squeeze-backports Urgency: high Maintainer: Debian Shib Team Changed-By: Russ Allbery Description: libxml-security-c-dev - C++ library for XML Digital Signatures (development) libxml-security-c16 - C++ library for XML Digital Signatures (runtime) Closes: 714241 Changes: xml-security-c (1.6.1-5+deb7u2~bpo60+1) squeeze-backports; urgency=high . * Backport to oldstable. * Revert the change to use multiarch and force a non-multiarch libdir. * Relax versioned dependency on libssl-dev to build on squeeze. . xml-security-c (1.6.1-5+deb7u2) stable-security; urgency=high . * The attempted fix to address CVE-2013-2154 introduced the possibility of a heap overflow, possibly leading to arbitrary code execution, in the processing of malformed XPointer expressions in the XML Signature Reference processing code. Apply upstream patch to fix that heap overflow. 
(Closes: #714241, CVE-2013-2210) Checksums-Sha1: b155274c7ab371ff383d921c470f2df16600fb32 1743 xml-security-c_1.6.1-5+deb7u2~bpo60+1.dsc ac091a646ca7d2d9097e5f18c47512493021e1b2 12572 xml-security-c_1.6.1-5+deb7u2~bpo60+1.debian.tar.gz a31a62166de332724aef737bbdda960c096c0306 384488 libxml-security-c16_1.6.1-5+deb7u2~bpo60+1_i386.deb e0d2a4dc269b37163e511e1c696d8bee6f550eb4 151404 libxml-security-c-dev_1.6.1-5+deb7u2~bpo60+1_i386.deb Checksums-Sha256: 8da62d81f133460d687ec046dae67a794b05fdf8b11fd0db97930cd098d7d1e6 1743 xml-security-c_1.6.1-5+deb7u2~bpo60+1.dsc 5b89b36598db3896682014b14a9dc173a4ca4ac00ab6afceeba34606c54dcb8f 12572 xml-security-c_1.6.1-5+deb7u2~bpo60+1.debian.tar.gz 0cea5e2d1b27c023a5648182ca94caa354143821965a51397450493a82472988 384488 libxml-security-c16_1.6.1-5+deb7u2~bpo60+1_i386.deb e1ed07c7446f50aeb44cc3667c9a80a1d37d3cfc0d339f86a3b11086924ee130 151404 libxml-security-c-dev_1.6.1-5+deb7u2~bpo60+1_i386.deb Files: 9d9dec491431b7f20dd9e1d1d59f352a 1743 libs extra xml-security-c_1.6.1-5+deb7u2~bpo60+1.dsc 8e3dd81068339452f4b2c17410d56d09 12572 libs extra xml-security-c_1.6.1-5+deb7u2~bpo60+1.debian.tar.gz 829e1f43077c64107494a919738af81d 384488 libs extra libxml-security-c16_1.6.1-5+deb7u2~bpo60+1_i386.deb efbac6cc2111dfff7c650626dcbfe0b3 151404 libdevel extra libxml-security-c-dev_1.6.1-5+deb7u2~bpo60+1_i386.deb -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQEcBAEBCAAGBQJRz0uJAAoJEH2AMVxXNt51bhQH/1WeOiDL2HBzIGYAfEVvRpX3 A+p2+sHdtcmOyEutOlufkhBNbqeX5kb9HAZGLWj9ymrvLFHWOvn0AF+k2H5Kj42t T30/9ZwsbeWq5KlL/ruWQ7u8VW7LsDi1k9O8yOZZVfQ6cnWqjr29HZA24z6BOAAl QjXPn9m2MpMFmXjujnsS4FbiAIfCOqdBAYhafLds3wkVWquUTHHRzqxVeNVyAcZP 2yemlMKd1x4wkULvJu9X4MD1gLb1t95HoN0x6IC0p2E57fAxdqEBCBOZ87K7xrRg so/IsAInW8RxSLJbA90x8eodepTrb0jSY3X8h+tQ4/B5rc9TOR0dpztSaX6Roh8= =KPf5 -----END PGP SIGNATURE----- Thank you for your contribution to Debian. From ftpmaster at ftp-master.debian.org Sun Jun 30 10:47:40 2013 
From: ftpmaster at ftp-master.debian.org (Debian FTP Masters) Date: Sun, 30 Jun 2013 10:47:40 +0000 Subject: xml-security-c_1.6.1-5+deb7u2~bpo60+1_i386.changes ACCEPTED into squeeze-backports->backports-policy, squeeze-backports Message-ID: Accepted: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Format: 1.8 Date: Tue, 18 Jun 2013 10:39:10 -0700 Source: xml-security-c Binary: libxml-security-c16 libxml-security-c-dev Architecture: source i386 Version: 1.6.1-5+deb7u2~bpo60+1 Distribution: squeeze-backports Urgency: high Maintainer: Debian Shib Team Changed-By: Russ Allbery Description: libxml-security-c-dev - C++ library for XML Digital Signatures (development) libxml-security-c16 - C++ library for XML Digital Signatures (runtime) Closes: 714241 Changes: xml-security-c (1.6.1-5+deb7u2~bpo60+1) squeeze-backports; urgency=high . * Backport to oldstable. * Revert the change to use multiarch and force a non-multiarch libdir. * Relax versioned dependency on libssl-dev to build on squeeze. . xml-security-c (1.6.1-5+deb7u2) stable-security; urgency=high . * The attempted fix to address CVE-2013-2154 introduced the possibility of a heap overflow, possibly leading to arbitrary code execution, in the processing of malformed XPointer expressions in the XML Signature Reference processing code. Apply upstream patch to fix that heap overflow. 
(Closes: #714241, CVE-2013-2210) Checksums-Sha1: b155274c7ab371ff383d921c470f2df16600fb32 1743 xml-security-c_1.6.1-5+deb7u2~bpo60+1.dsc ac091a646ca7d2d9097e5f18c47512493021e1b2 12572 xml-security-c_1.6.1-5+deb7u2~bpo60+1.debian.tar.gz a31a62166de332724aef737bbdda960c096c0306 384488 libxml-security-c16_1.6.1-5+deb7u2~bpo60+1_i386.deb e0d2a4dc269b37163e511e1c696d8bee6f550eb4 151404 libxml-security-c-dev_1.6.1-5+deb7u2~bpo60+1_i386.deb Checksums-Sha256: 8da62d81f133460d687ec046dae67a794b05fdf8b11fd0db97930cd098d7d1e6 1743 xml-security-c_1.6.1-5+deb7u2~bpo60+1.dsc 5b89b36598db3896682014b14a9dc173a4ca4ac00ab6afceeba34606c54dcb8f 12572 xml-security-c_1.6.1-5+deb7u2~bpo60+1.debian.tar.gz 0cea5e2d1b27c023a5648182ca94caa354143821965a51397450493a82472988 384488 libxml-security-c16_1.6.1-5+deb7u2~bpo60+1_i386.deb e1ed07c7446f50aeb44cc3667c9a80a1d37d3cfc0d339f86a3b11086924ee130 151404 libxml-security-c-dev_1.6.1-5+deb7u2~bpo60+1_i386.deb Files: 9d9dec491431b7f20dd9e1d1d59f352a 1743 libs extra xml-security-c_1.6.1-5+deb7u2~bpo60+1.dsc 8e3dd81068339452f4b2c17410d56d09 12572 libs extra xml-security-c_1.6.1-5+deb7u2~bpo60+1.debian.tar.gz 829e1f43077c64107494a919738af81d 384488 libs extra libxml-security-c16_1.6.1-5+deb7u2~bpo60+1_i386.deb efbac6cc2111dfff7c650626dcbfe0b3 151404 libdevel extra libxml-security-c-dev_1.6.1-5+deb7u2~bpo60+1_i386.deb -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQEcBAEBCAAGBQJRz0uJAAoJEH2AMVxXNt51bhQH/1WeOiDL2HBzIGYAfEVvRpX3 A+p2+sHdtcmOyEutOlufkhBNbqeX5kb9HAZGLWj9ymrvLFHWOvn0AF+k2H5Kj42t T30/9ZwsbeWq5KlL/ruWQ7u8VW7LsDi1k9O8yOZZVfQ6cnWqjr29HZA24z6BOAAl QjXPn9m2MpMFmXjujnsS4FbiAIfCOqdBAYhafLds3wkVWquUTHHRzqxVeNVyAcZP 2yemlMKd1x4wkULvJu9X4MD1gLb1t95HoN0x6IC0p2E57fAxdqEBCBOZ87K7xrRg so/IsAInW8RxSLJbA90x8eodepTrb0jSY3X8h+tQ4/B5rc9TOR0dpztSaX6Roh8= =KPf5 -----END PGP SIGNATURE----- Thank you for your contribution to Debian. From noreply at release.debian.org Sun Jun 30 16:39:12 2013 
From: noreply at release.debian.org (Debian testing watch) Date: Sun, 30 Jun 2013 16:39:12 +0000 Subject: xml-security-c 1.6.1-7 MIGRATED to testing Message-ID: FYI: The status of the xml-security-c source package in Debian's testing distribution has changed. Previous version: 1.6.1-6 Current version: 1.6.1-7 -- This email is automatically generated once a day. As the installation of new packages into testing happens multiple times a day you will receive later changes on the next day. See http://release.debian.org/testing-watch/ for more information.