Security fix diffs for 1.3.x

Russ Allbery rra at
Thu Nov 12 16:43:58 UTC 2009

"Scott Cantor" <cantor.2 at> writes:
> Russ Allbery wrote on 2009-11-12:

>> Here is a backport of this fix to 1.3.1 (the version that released with
>> lenny).  Does this look correct?  If so, I'll contact the security team
>> and get the security update process started.

> The FastCGI bits are missing; I'm assuming that isn't built in the Debian
> package?

I was apparently working on this way too late last night and confused
myself into thinking fastcgi wasn't in the 1.3.1 tarball, which of course
it is.  I'm updating that now.

> It's just an additional property that won't get parsed by the code, but
> it doesn't hurt anything. The rest of the diffs were just me cleaning up
> the schema a bit. If you'd prefer to do the bare minimum, the only
> actual fix you need for this patch is to add the line defining the
> allowedSchemes attribute.

Oh, okay.  I'll do that to save the security team the review trouble.

That does do weird things to the schema versioning, though, since the
resulting schema doesn't match any of your versions.  Does that matter?
Is that something that might upset anything?

Russ Allbery (rra at)

More information about the Pkg-shibboleth-devel mailing list