Security fix diffs for 1.3.x

Scott Cantor cantor.2 at
Fri Nov 6 22:16:34 UTC 2009

Russ Allbery wrote on 2009-11-06:
> Just to double-check, no changes are required for the opensaml 1.x
> library, correct?  The change is only in the shibboleth-sp package?

Not as part of this fix.

There is a separate fix that I implemented for this patch release that
addresses a bug that caused crashes. Technically it's a DoS vector, but I
didn't do an advisory for it as it's not new, not a secret, and there are
DoS avenues in this sort of stuff all the time. I just fixed it because I
had the chance to, and I realized it was a smaller fix than I thought.

Anyway, that fix included a small change to opensaml that I released as
1.1.4, but it's not part of this bug. If you want that patch set, I can
provide it.

-- Scott

More information about the Pkg-shibboleth-devel mailing list