backporting CVE-2009-3300 fixes to 2.0 (was: Plans for Shibboleth SP 2.1 debian packages)

Ferenc Wagner wferi at
Thu Nov 5 18:57:56 UTC 2009

"Scott Cantor" <cantor.2 at> writes:

> It's likely possible to come up with a backported fix that doesn't change
> the sonames, it just requires a lot more code duplication that I wasn't
> about to do upstream.

That sounds useful for me.  How much work do you think that would be?
C++ isn't my strength, but does the problem stem from interface changes
introduced while fixing CPPXT-42 and CPPXT-43?

The security-related problem with the OpenSAML2 release seems to be
CPPOST-36, which is very self-contained and benign.

Are there other security issues whose fixes must be freshly backported
to 2.0?  I'm not sure I'm reading Jira correctly.

More information about the Pkg-shibboleth-devel mailing list