Lenny fixes for opensaml2 and shibboleth-sp2

Moritz Muehlenhoff jmm at inutil.org
Thu Nov 26 21:33:48 UTC 2009

On Thu, Nov 26, 2009 at 05:23:20PM +0100, Ferenc Wagner wrote:
> Security team,
> I'm backporting the fixes to #555608 (CVE-2009-3300) into Lenny.
> Upstream solved the issue by introducing new static class members in
> xmltooling, which lies at the bottom of the library stack, and invoking
> them from the necessary places.  This resulted in soname changes in
> libxmltooling, libsaml and libshibsp, which I'm trying to avoid.  It
> seems readily possible in the opensaml library, but not quite in
> libshibsp, so I ask for your opinion: may I add two new exported symbols
> to libshibsp, or should I add the same function definitions to each
> component?  Or even, should I add static functions into header files
> (which would mostly go unused, raising warnings from GCC)?

I'm adding Russ Allbery to CC; he wrote he was working on an update as well.
We should agree on a common solution.

Personally I'd be fine with new exported symbols, but we should let
Russ comment first.


