Security fix diffs for 1.3.x

Russ Allbery rra at
Thu Nov 12 05:37:32 UTC 2009

"Scott Cantor" <cantor.2 at> writes:

> The diffs related to the security fix for v1.3.5 of the SP should be
> captured by these two sets:


> The former change isn't part of the fix per se, but is a change required to
> ensure the SP doesn't generate any redirects that the fix would reject, so
> has to be included.

Here is a backport of this fix to 1.3.1 (the version that released with
lenny).  Does this look correct?  If so, I'll contact the security team
and get the security update process started.

The one item of note on the backport is that 1.3.1 had version 1.3.1 of
the shibboleth-targetconfig-1.0.xsd and I updated to 1.3.5 instead of just
patching, which includes the change from 1.3.1 to 1.3.2, since the patch
wouldn't otherwise apply cleanly.  However, the other code changes for
1.3.2 are not in the package.  I'm not sure if this might cause a problem
and haven't done further investigation on exactly what additional change
that represents.

Thank you very much for the pointers to the patches!

Russ Allbery (rra at               <>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: shibboleth.patch
Type: text/x-patch
Size: 24320 bytes
Desc: not available
URL: <>

More information about the Pkg-shibboleth-devel mailing list