backporting CVE-2009-3300 fixes to 2.0

Ferenc Wagner wferi at
Thu Nov 5 20:20:01 UTC 2009

"Scott Cantor" <cantor.2 at> writes:

> Ferenc Wagner wrote on 2009-11-05:
>> That sounds useful for me.  How much work do you think that would be?
> Moderate. It will still require changes to at least the SP and opensaml, but
> basically you drop something inline (or at least something static inside the
> affected binaries) that expands out the sanitizeURL method added to
> xmltooling::HTTPResponse in all the places it gets called.
> But part of the fix is parametrized via config option, and I don't think
> that's doable without a bump because the config is entirely inside the SP
> and there's code affected inside opensaml.
> Avoiding *that* would require just hardwiring the option within opensaml, or
> possibly getting more adventurous by moving the fix out of opensaml into the
> SP, requiring more work and analysis.

I see now, thanks.  This would probably be the fastest way forward, but
may get us into trouble with the next update, if that touches similar
parts of the code.  Russ' experience will probably decide.

>> Are there other security issues whose fixes must be freshly backported
>> to 2.0?  I'm not sure I'm reading Jira correctly.
> Jira can't be easily configured to expose security bugs once they're closed,
> the policy doesn't change at that point. The bug ID is SSPCPP-255 in the
> comments in svn.

Oh.  I was misled by the "security" component, which isn't a tag,
really.  My bad.

> I didn't want to flood people with information prematurely, but I can send
> you the diffs related to this bug across all three projects.

Please do so, that may help finding the best solution.

More information about the Pkg-shibboleth-devel mailing list