Security fixes for opensaml2 and xmltooling
Russ Allbery
rra at debian.org
Wed Sep 23 02:59:21 UTC 2009
Security team,
There have been three security vulnerabilities announced against the set
of packages supporting Shibboleth 2.x over the past month and a half, and
today I finished preparing patches for lenny. (Shibboleth 2.x is not in
oldstable.) The three upstream advisories are:
http://shibboleth.internet2.edu/secadv/secadv_20090817.txt
http://shibboleth.internet2.edu/secadv/secadv_20090817a.txt
http://shibboleth.internet2.edu/secadv/secadv_20090826.txt
All three affect the xmltooling package. The complete fix for 20090817a
also requires a small change to the opensaml2 package.
Several questions:
1. Do you want to issue advisories for these or handle them through
stable-proposed-updates? 20090826 is the one that makes me the most
nervous and has a very short fix. The longest fix is for 20090817,
correct handling of certificates containing a nul, which is the same
basic problem as DSA-1869-1 (curl), DSA-1874-1 (nss, partial), etc.
20090817a is a very simple fix (changing one method name and changing
a boolean operator in a couple of places).
2. If you do want to issue an advisory (or even if you consider it
worthwhile anyway), could you assign CVEs? I don't think these
problems already have CVEs as Debian and Ubuntu are, so far as I know,
the only distributions shipping Shibboleth as part of the distribution.
Red Hat RPMs are provided by upstream.
3. If you do want to issue an advisory, can I get your permission to
upload the fixed packages to the security queue?
Attached are two patches, one for xmltooling and one for opensaml2.
Shibboleth 1.x (the opensaml and shibboleth-sp packages) is also affected
by 20090817 and 20090826, but not 20090817a. I'm preparing updates for
those packages now.
--
Russ Allbery (rra at debian.org) <http://www.eyrie.org/~eagle/>
Attachment: xmltooling.patch (text/x-diff, 9247 bytes)
URL: <http://lists.alioth.debian.org/pipermail/pkg-shibboleth-devel/attachments/20090922/281d687d/attachment.patch>
Attachment: opensaml2.patch (text/x-diff, 2137 bytes)
URL: <http://lists.alioth.debian.org/pipermail/pkg-shibboleth-devel/attachments/20090922/281d687d/attachment-0001.patch>
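The "certificates containing a nul" problem named under point 1 is the class where an X.509 name is decoded with an explicit ASN.1 length but then handed to NUL-terminated C string functions, which stop at the first NUL byte and so compare only a prefix of the name. The following C++ is an added illustration of that defect and its check; it is not the attached xmltooling patch (whose contents are not shown on this page), and `hasEmbeddedNul`, `naiveMatch`, `safeMatch` and the sample subject value are hypothetical names and a constructed test vector.

```cpp
#include <cstdio>
#include <cstring>
#include <string>

// Hypothetical stand-in for a DER decoder's output (not xmltooling's API):
// the string is built from pointer + explicit length, so a NUL byte inside
// the value is preserved instead of terminating it.
static std::string derString(const char* bytes, std::size_t len) {
    return std::string(bytes, len);
}

// Constructed test vector: a C string function sees only the part before the
// NUL, while the ASN.1 length covers the whole value.
static std::string constructedSubject() {
    static const char raw[] = "www.example.com\0.test.example";
    return derString(raw, sizeof(raw) - 1);   // sizeof counts the literal's own trailing NUL; drop it
}

// The check: the length the decoder reported must agree with where the
// C string functions would stop. Any disagreement means an embedded NUL.
bool hasEmbeddedNul(const std::string& derName) {
    return std::strlen(derName.c_str()) != derName.size();
}

// The vulnerable pattern: strcmp() truncates at the embedded NUL, so the
// constructed subject "matches" www.example.com although it is a longer name.
bool naiveMatch(const std::string& derName, const std::string& expectedHost) {
    return std::strcmp(derName.c_str(), expectedHost.c_str()) == 0;
}

// The fixed pattern: refuse any name containing a NUL, then compare the
// complete length-delimited value rather than a NUL-terminated view of it.
bool safeMatch(const std::string& derName, const std::string& expectedHost) {
    if (hasEmbeddedNul(derName) || hasEmbeddedNul(expectedHost)) {
        return false;
    }
    return derName == expectedHost;
}

int main() {
    const std::string subject = constructedSubject();
    const std::string host = "www.example.com";
    std::printf("decoded length %zu, strlen length %zu, embedded NUL: %s\n",
                subject.size(), std::strlen(subject.c_str()),
                hasEmbeddedNul(subject) ? "yes" : "no");
    std::printf("naiveMatch: %s\n", naiveMatch(subject, host) ? "accepted" : "rejected");
    std::printf("safeMatch:  %s\n", safeMatch(subject, host) ? "accepted" : "rejected");
    return 0;
}
```

The length-versus-strlen comparison is the whole of the defensive check: it needs no knowledge of which name form is being inspected, only that the decoder reports the length it actually decoded.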