Security fix diffs for 1.3.x
Scott Cantor
cantor.2 at osu.edu
Fri Nov 6 22:16:34 UTC 2009
Russ Allbery wrote on 2009-11-06:
> Just to double-check, no changes are required for the opensaml 1.x
> library, correct? The change is only in the shibboleth-sp package?
Not as part of this fix.
There is a separate fix that I implemented for this patch release that
addresses a bug that caused crashes. Technically it's a DoS vector, but I
didn't do an advisory for it as it's not new, not a secret, and there are
DoS avenues in this sort of stuff all the time. I just fixed it because I
had the chance to, and I realized it was a smaller fix than I thought.
Anyway, that fix included a small change to opensaml that I released as
1.1.4, but it's not part of this bug. If you want that patch set, I can
provide it.
-- Scott
More information about the Pkg-shibboleth-devel
mailing list