backporting CVE-2009-3300 fixes to 2.0 (was: Plans for Shibboleth SP 2.1 debian packages)
wferi at niif.hu
Thu Nov 5 18:57:56 UTC 2009
"Scott Cantor" <cantor.2 at osu.edu> writes:
> It's likely possible to come up with a backported fix that doesn't change
> the sonames, it just requires a lot more code duplication that I wasn't
> about to do upstream.
That sounds useful for me. How much work do you think that would be?
C++ isn't my strength, but does the problem stem from interface changes
introduced while fixing CPPXT-42 and CPPXT-43?
The security-related problem with the OpenSAML2 release seems to be
CPPOST-36, which is very self-contained and benign.
Are there other security issues whose fixes must be freshly backported
to 2.0? I'm not sure I'm reading Jira correctly.