Bug#549936: Bug#548126: pu: package opensaml2/2.0-2+lenny1

Faidon Liambotis paravoid at debian.org
Tue Oct 6 22:19:09 UTC 2009


Russ Allbery wrote:
> The Shibboleth suite of software and libraries, which includes xmltooling,
> opensmal2, and shibboleth-sp2, has had several vulnerabilities announced
> over the past month and a half.  Most of those are in xmltooling and are
> being handled in conjunction with the Debian Security Team.  However, part
> of one of the more minor fixes is in opensaml2, and at the recommendation
> of the security team, I'm proposing that change through the stable update
> process.
SRMs, please hold this request.

It became apparent from #549936 that the changes to xmltooling and
opensaml2/shibboleth-sp2 needed to go in together; the current
situtation in which xmltooling has been updated (via security) but
opensaml2 hasn't, resulted in breakage under certain, very likely

AIUI, the opensaml2 update will have to go in via security as well,
isn't that correct?

> Please note that this fix is in a header file in a function that's
> inlined, so after this update is accepted (assuming it's accepted),
> shibboleth-sp2 in stable will need to be rebuilt against the new version
> of opensaml2.  I understand that this can be done via the proposed-updates
> mechanism with a binary NMU.
This problem still stands but it will have to be updated in security
instead of proposed-updates. I guess a sourceful upload will be needed
instead of a binNMU in this case?

(Russ Allbery is currently unable to work on this right now and has
asked for someone else to takeover, since things are quite broken right
now. I'm not the maintainer for any of these, so extra care should be taken)


More information about the Pkg-shibboleth-devel mailing list