backporting CVE-2009-3300 fixes to 2.0 (was: Plans for Shibboleth SP 2.1 debian packages)
Ferenc Wagner
wferi at niif.hu
Thu Nov 5 18:57:56 UTC 2009
"Scott Cantor" <cantor.2 at osu.edu> writes:
> It's likely possible to come up with a backported fix that doesn't change
> the sonames, it just requires a lot more code duplication that I wasn't
> about to do upstream.
That sounds useful for me. How much work do you think that would be?
C++ isn't my strength, but does the problem stem from interface changes
introduced while fixing CPPXT-42 and CPPXT-43?
http://svn.middleware.georgetown.edu/view/cpp-xmltooling?view=rev&revision=648
http://svn.middleware.georgetown.edu/view/cpp-xmltooling?view=rev&revision=650
The security-related problem with the OpenSAML2 release seems to be
CPPOST-36, which is very self-contained and benign.
http://svn.middleware.georgetown.edu/view/cpp-opensaml2?view=rev&revision=508
Are there other security issues whose fixes must be freshly backported
to 2.0? I'm not sure I'm reading Jira correctly.
--
Thanks,
Feri.
More information about the Pkg-shibboleth-devel mailing list