[SCM] Debian packaging for the 2.0 Apache Shibboleth SP branch, lenny, updated. debian/2.0.dfsg1-4-1-g0946ae4
Russ Allbery
rra at debian.org
Fri Sep 18 01:54:43 UTC 2009
The following commit has been merged in the lenny branch:
commit 0946ae4e77da819e93f43775dd85a97bf8a62469
Author: Russ Allbery <rra at debian.org>
Date: Thu Sep 17 18:36:51 2009 -0700
Add upstream security fix for cert subjects containing nuls
* SECURITY: Shibboleth incorrectly matched certificate subject names
against trusted "key names" when they contained nul characters. This
affects only deployments relying on the "PKIX" style of trust
validation, used in the absence of explicit certificate information in
the SAML metadata provided to the SP and reliance on certificate
authorities found in the <KeyAuthority> metadata extension element.
See <http://shibboleth.internet2.edu/secadv/secadv_20090817.txt>.
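To make the failure mode described in the commit message concrete, here is an added example (written for this page, not Shibboleth or Debian code) that compares a decoded certificate subject component against a trusted key name first the vulnerable way, with a C-string comparison that stops at the first nul byte, and then with a length-aware comparison. The `SubjectComponent` struct, the function names and the sample subject bytes are all assumptions constructed here; the real SP performs this check through XMLTooling and OpenSSL, which this example does not use.

```cpp
// Added example, not Shibboleth code: an embedded NUL in a certificate subject
// name defeats a C-string comparison against a trusted key name; a length-aware
// comparison does not.
#include <cstring>
#include <string>
#include <vector>

// A subject component as an ASN.1 decoder hands it over: explicit length plus
// bytes, because an X.509 string value may legally contain 0x00.
struct SubjectComponent {
    std::vector<unsigned char> bytes;
};

// Vulnerable pattern: treat the decoded bytes as a C string. strcmp stops at
// the first NUL, so "sp.example.org\0.attacker.example" compares equal to the
// key name "sp.example.org".
bool matchesKeyNameUnsafe(const SubjectComponent& cn, const std::string& keyName) {
    // Copy into a NUL-terminated buffer, the way code that calls strcmp would.
    std::vector<char> buf(cn.bytes.begin(), cn.bytes.end());
    buf.push_back('\0');
    return std::strcmp(buf.data(), keyName.c_str()) == 0;
}

// Fixed pattern: compare the full declared length, and reject any subject that
// contains a NUL at all, since no legitimate key name carries one.
bool matchesKeyNameSafe(const SubjectComponent& cn, const std::string& keyName) {
    if (cn.bytes.size() != keyName.size())
        return false;
    if (std::memchr(cn.bytes.data(), 0, cn.bytes.size()) != nullptr)
        return false;
    return std::memcmp(cn.bytes.data(), keyName.data(), keyName.size()) == 0;
}

// Constructed sample input (assumption): a subject CN with an embedded NUL
// after the name of the trusted SP. sizeof(raw) - 1 keeps the embedded NUL
// and drops only the literal's terminator, so the value is 32 bytes long.
SubjectComponent craftedSubject() {
    const char raw[] = "sp.example.org\0.attacker.example";
    return SubjectComponent{std::vector<unsigned char>(raw, raw + sizeof(raw) - 1)};
}

// Constructed sample input (assumption): the honest subject for comparison.
SubjectComponent honestSubject() {
    const char raw[] = "sp.example.org";
    return SubjectComponent{std::vector<unsigned char>(raw, raw + sizeof(raw) - 1)};
}
```

The honest subject matches under both functions; the crafted one matches only under the C-string version, which is exactly the mismatch the advisory describes for deployments that trust key names rather than explicit certificates in metadata.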
diff --git a/apache/mod_apache.cpp b/apache/mod_apache.cpp
index c5106dd..c5fabab 100644
--- a/apache/mod_apache.cpp
+++ b/apache/mod_apache.cpp
@@ -1114,8 +1114,9 @@ AccessControl::aclresult_t htAccessControl::authorized(const SPRequest& request,
re=temp;
}
- for (; !status && attrs.first!=attrs.second; ++attrs.first) {
- if (checkAttribute(request, attrs.first->second, w, regexp ? re.get() : NULL)) {
+ pair<multimap<string,const Attribute*>::const_iterator,multimap<string,const Attribute*>::const_iterator> attrs2(attrs);
+ for (; !status && attrs2.first!=attrs2.second; ++attrs2.first) {
+ if (checkAttribute(request, attrs2.first->second, w, regexp ? re.get() : NULL)) {
status = true;
}
}
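Review bot: this mod_apache.cpp hunk is not covered by the commit message or the changelog entry, which describe only the nul-in-subject-name fix; what it changes is that the loop now advances a copy (`attrs2`) of the iterator pair instead of consuming `attrs.first` in place, so whatever outer loop supplies `w` (not shown in the hunk) can reuse `attrs` from its original starting point. Either add a second changelog line for this behaviour change or split it into its own commit so the security fix stays reviewable on its own. A `typedef` for the `multimap<string,const Attribute*>` iterator pair would also make the added declaration readable.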
diff --git a/debian/changelog b/debian/changelog
index a54b567..4c64ae1 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,15 @@
+shibboleth-sp2 (2.0.dfsg1-4+lenny1) UNRELEASED; urgency=low
+
+ * SECURITY: Shibboleth incorrectly matched certificate subject names
+ against trusted "key names" when they contained nul characters. This
+ affects only deployments relying on the "PKIX" style of trust
+ validation, used in the absence of explicit certificate information in
+ the SAML metadata provided to the SP and reliance on certificate
+ authorities found in the <KeyAuthority> metadata extension element.
+ See <http://shibboleth.internet2.edu/secadv/secadv_20090817.txt>.
+
+ -- Russ Allbery <rra at debian.org> Thu, 17 Sep 2009 18:36:03 -0700
+
shibboleth-sp2 (2.0.dfsg1-4) unstable; urgency=low
[ Ferenc Wagner ]
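Review bot: the new entry is targeted at `UNRELEASED`, which is fine for an in-progress commit but must be changed to the stable security suite (`stable-security` or `lenny-security`) before upload; the `2.0.dfsg1-4+lenny1` version does follow the stable-update scheme. The entry should also cite the CVE identifier for the advisory if one has been assigned, so the security tracker can link it; otherwise the wording matches the commit message.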