backporting CVE-2009-3300 fixes to 2.0

Scott Cantor cantor.2 at
Thu Nov 5 20:33:06 UTC 2009

Ferenc Wagner wrote on 2009-11-05:
> Oh.  I was misled by the "security" component, which isn't a tag,
> really.  My bad.

No, those are just functional categories. The security bugs are labeled as
Vulnerability Level and are restricted from access. They should be viewable
once closed, seems to me, but Jira doesn't really allow that, so we'd have
to edit them to lower the level after resolution, and then we lose track.

>> I didn't want to flood people with information prematurely, but I can
>> you the diffs related to this bug across all three projects.
> Please do so, that may help finding the best solution.

I'll pull the svn links together and send them in a new thread as soon as I
have time.

-- Scott

More information about the Pkg-shibboleth-devel mailing list