Proposed security patch for xmltooling
Scott Cantor
cantor.2 at osu.edu
Tue Sep 22 21:42:00 UTC 2009
Russ Allbery wrote on 2009-09-22:
> Here is what I currently have for xmltooling. Scott, if you could look
> this over when you get a chance and let me know if you think I got it all,
> that would be great.
Will do.
> There were some changes that seemed to be related to UTF8 to UTF-8 naming
> changes that I didn't pull up since I didn't think they were
> security-related, but I'm a bit unsure on what patches went into the fix
> for URL decoding, so I could have gotten that wrong.
The XML encoding thing? You could consider that a security fix in the sense
that it creates a bit of a DoS vector if you prevent somebody from obtaining
updated metadata. The backup copy that the SP was writing out isn't readable
by some tools. But it's somewhat obscure, and certainly didn't rise to the
level of an advisory, no.
-- Scott