Security fix diffs for 1.3.x

Scott Cantor cantor.2 at osu.edu
Thu Nov 12 15:21:35 UTC 2009


Russ Allbery wrote on 2009-11-12:
> Here is a backport of this fix to 1.3.1 (the version that released with
> lenny).  Does this look correct?  If so, I'll contact the security team
> and get the security update process started.

The FastCGI bits are missing; I'm assuming that isn't built in the Debian
package?
 
> The one item of note on the backport is that 1.3.1 had version 1.3.1 of
> the shibboleth-targetconfig-1.0.xsd and I updated to 1.3.5 instead of just
> patching, which includes the change from 1.3.1 to 1.3.2, since the patch
> wouldn't otherwise apply cleanly.  However, the other code changes for
> 1.3.2 are not in the package.  I'm not sure if this might cause a problem
> and haven't done further investigation on exactly what additional change
> that represents.

It's just an additional property that won't get parsed by the code, but it
doesn't hurt anything. The rest of the diffs were just me cleaning up the
schema a bit. If you'd prefer to do the bare minimum, the only actual fix
you need for this patch is to add the line defining the allowedSchemes
attribute.

-- Scott






More information about the Pkg-shibboleth-devel mailing list