Security fix for Shibboleth SP and nul character in certs

Russ Allbery rra at debian.org
Tue Sep 22 21:09:39 UTC 2009


"Scott Cantor" <cantor.2 at osu.edu> writes:

> I believe that's the case, when you're talking about 2.x. The only
> security bug(s) in the SP itself that have been reported in this whole
> sequence of advisories are IIS only. The other bugs have been in the
> libraries.

Excellent.  That reduces the scope of the problem a lot.

> The cert fix for that version is in the shib/ShibbolethTrust.cpp and
> xmlproviders/XMLTrust.cpp source files, I believe. All the code was
> duplicated and unfactored in the old branch.

Thank you!  I'm looking at this now.

> Yes, if you're talking only the security fixes, the rest is
> separate. What would be a problem in my mind is if you called the result
> by some version number that matched mine, but I'm guessing you wouldn't
> do that. Like with Red Hat, the backported fixes would be to the package
> revision but not the software version itself?

Yes, that's correct.

> In other words, I wouldn't want xmltooling 1.2.2 there to be something
> different from my 1.2.2, but I imagine that's not the plan.

Indeed.  I've carefully avoided changing any of the version numbers (or
pulling up any of the other build system changes).  The goal is to apply
only the security patches.

Our general recommendation will, of course, be to upgrade to the current
versions of the software available from backports.org to get all of the
other bug fixes, but part of the social contract of Debian is that the
Debian package maintainers should provide users of the stock packages with
fixes for security vulnerabilities.

> I can review whatever the total patch set is once you have something to
> cross check. I'm going from memory also, but I at least can look at the
> bug entries.

I am sorry that it's taken me so long to do this.  I should have been
working on this the moment the security advisory went out, but this summer
has been insane.

-- 
Russ Allbery (rra at debian.org)               <http://www.eyrie.org/~eagle/>
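For readers of the archive who want to see what the "nul character in certs" fix in the subject line actually consists of, here is an added illustration. It is not Shibboleth, xmltooling or OpenSSL code; the `CertName` struct is a hypothetical stand-in for a name extracted from an ASN.1 string, and the two sample names are constructed for the example. The point is the one every affected library had to fix: an ASN.1 string carries an explicit length, so a certificate name can contain an embedded NUL byte, and any comparison that hands the bytes to a C-string function stops at that NUL and matches the wrong host.

```cpp
#include <cstdio>
#include <cstring>

// Hypothetical stand-in for a name pulled out of an X.509 certificate
// (CN or subjectAltName): an explicit length plus the bytes, the way an
// ASN.1 string is stored. Assumed, as in OpenSSL's ASN1_STRING, to have a
// NUL byte after the last counted byte so strlen() is well defined.
struct CertName {
    const unsigned char* data;
    size_t len;
};

// Vulnerable comparison: hands the bytes to strcmp, which stops at the
// first NUL, so "www.example.com\0.attacker.test" matches "www.example.com".
bool name_matches_naive(const CertName& n, const char* expected) {
    return std::strcmp(reinterpret_cast<const char*>(n.data), expected) == 0;
}

// Hardened comparison: a declared length that disagrees with the C-string
// length means an embedded NUL; refuse to match. Otherwise compare the whole
// byte range so the two strings must agree in both length and content.
bool name_matches_safe(const CertName& n, const char* expected) {
    const char* s = reinterpret_cast<const char*>(n.data);
    if (std::strlen(s) != n.len)
        return false;                      // embedded NUL: treat as no match
    const size_t elen = std::strlen(expected);
    return elen == n.len && std::memcmp(s, expected, n.len) == 0;
}

// Constructed sample names (not from any real certificate). The second is
// what a CA would have signed if it accepted the requester-controlled bytes
// "www.example.com\0.attacker.test" as a CN; sizeof - 1 counts the embedded
// NUL but not the string literal's terminator.
static const unsigned char kHonestCN[] = "www.example.com";
static const unsigned char kEvilCN[]   = "www.example.com\0.attacker.test";
const CertName kHonest = { kHonestCN, sizeof(kHonestCN) - 1 };   // 15 bytes
const CertName kEvil   = { kEvilCN,   sizeof(kEvilCN) - 1 };     // 30 bytes

int main() {
    const char* host = "www.example.com";
    std::printf("naive: honest=%d evil=%d\n",
                name_matches_naive(kHonest, host), name_matches_naive(kEvil, host));
    std::printf("safe:  honest=%d evil=%d\n",
                name_matches_safe(kHonest, host), name_matches_safe(kEvil, host));
    return 0;
}
```

In real code the same check is done against the ASN.1 accessors (declared length versus `strlen` of the data pointer) before the name is used for anything, and a mismatch should be treated as a hard failure rather than a non-match that falls through to the next name. Wildcard handling and case folding are deliberately left out here; they sit on top of this check, not in place of it.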



More information about the Pkg-shibboleth-devel mailing list