Security fix for Shibboleth SP and nul character in certs
Russ Allbery
rra at debian.org
Fri Sep 18 17:00:40 UTC 2009
"Scott Cantor" <cantor.2 at osu.edu> writes:
> No, that's an unrelated fix in the htaccess code that was incorrectly
> denying access with certain policies (so not a security bug, just a bug).
Ah, thank you! I did indeed misread that completely.
> The cert name fix for 2.x is this:
> http://svn.middleware.georgetown.edu/view/cpp-xmltooling?view=rev&revision=606
> That particular fix is in xmltooling.
Oh, does that mean that there are no security vulnerabilities in the 2.x
shibboleth-sp package itself, just in xmltooling and opensaml2? That will
make things much easier.
> For the old 1.3 series, it's elsewhere, do you need that also?
I haven't started looking at that but was going to soon. I don't want to
consume a bunch of your time on it -- if you have it handy, that would be
useful, but I'm quite willing to take a first pass and see if I can
identify it first.
> If you tell me which fixes you want the patches for I can probably
> identify them all, but in general you can use the issues list in Jira
> and link to the "Fix for Version" lists to see the fixed issues and
> usually they'll link to the svn rev that shows the diff.
I looked in Jira and had a hard time identifying the Jira tickets
associated with the security fixes, but that's probably just my failing.
I'll take another look. I see that there's a security tag, but I was
failing to see how to search on it.
> There were two security issues formally identified for the 2.2.1 release,
> though the other one is less serious. That one is addressed by these bugs:
> https://bugs.internet2.edu/jira/browse/CPPXT-34
Ah, I pulled the wrong part for this too. I'll fix that.
> https://bugs.internet2.edu/jira/browse/CPPOST-28
This one I got.
It sounds like I pulled up considerably more than I needed to; for
example, it sounds like removing the guards around the schema checking
was not part of the security fix. I'll revisit the patches I have and
try to come up with something that's more correct.
The one other security vulnerability that I was pulling up was:
http://shibboleth.internet2.edu/secadv/secadv_20090826.txt
but I think I got all the pieces of that one.
--
Russ Allbery (rra at debian.org) <http://www.eyrie.org/~eagle/>
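The thread's subject line refers to the embedded-NUL certificate-name problem. The following is an added illustration of that failure mode and of the check that closes it; it is not code from this thread, from Shibboleth or from xmltooling, and it says nothing about what the actual fix did. The minimal DER string encoder/parser, the hostnames and the sample values are constructed for the example only.

```python
# Constructed demonstration (not from the Shibboleth/xmltooling code base):
# an ASN.1 string carries an explicit length, so a CommonName such as
# b"sp.example.org\x00.evil.test" is perfectly legal DER.  Code that copies
# the value into a C string and compares it with strcmp() stops at the
# first NUL and sees only "sp.example.org".

def der_string(value: bytes, tag: int = 0x0C) -> bytes:
    """Encode a short (<128 byte) DER string TLV (default tag: UTF8String).
    The length octet is explicit, so NUL bytes inside the value are allowed."""
    if len(value) >= 128:
        raise ValueError("long-form lengths not handled in this example")
    return bytes([tag, len(value)]) + value


def parse_der_string(tlv: bytes) -> bytes:
    """Decode the TLV produced by der_string(); returns the raw value bytes,
    NULs included, exactly as a real DER parser would."""
    if len(tlv) < 2:
        raise ValueError("truncated TLV")
    tag, length = tlv[0], tlv[1]
    if tag not in (0x0C, 0x13, 0x16):  # UTF8String, PrintableString, IA5String
        raise ValueError("not a string type")
    if length >= 128 or len(tlv) != 2 + length:
        raise ValueError("unsupported or malformed length")
    return tlv[2:]


def as_c_string(value: bytes) -> str:
    """Mimic copying the value into a NUL-terminated buffer: everything past
    the first NUL byte is silently dropped."""
    return value.split(b"\x00", 1)[0].decode("ascii", errors="replace")


def unsafe_name_matches(cn_value: bytes, expected: str) -> bool:
    """The vulnerable pattern: compare the C-string view of the name."""
    return as_c_string(cn_value) == expected


def safe_name_matches(cn_value: bytes, expected: str) -> bool:
    """The hardened pattern: honour the declared length.  Reject any value
    containing a NUL outright (no legitimate hostname has one), then compare
    the full value."""
    if b"\x00" in cn_value:
        return False
    return cn_value.decode("ascii", errors="replace") == expected


def evaluate(raw_cn: bytes, expected: str) -> dict:
    """Round-trip a CN through DER and report what each comparison decides."""
    value = parse_der_string(der_string(raw_cn))
    return {
        "c_string_view": as_c_string(value),
        "unsafe": unsafe_name_matches(value, expected),
        "safe": safe_name_matches(value, expected),
    }


if __name__ == "__main__":
    # Constructed sample: a CN an attacker could get issued for a domain
    # they control (".evil.test"), with a victim name in front of the NUL.
    forged = b"sp.example.org\x00.evil.test"
    print(evaluate(forged, "sp.example.org"))      # unsafe: True, safe: False
    print(evaluate(b"sp.example.org", "sp.example.org"))  # both True
```

The point of the two comparison functions is that the bug is not in the DER parser, which returns the full value, but in the hand-off to C-string handling afterwards; the fix is to use the explicit length (or reject embedded NULs) everywhere the name is compared or logged, not only in one code path.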
More information about the Pkg-shibboleth-devel mailing list