Security fixes for opensaml2 and xmltooling

Russ Allbery rra at debian.org
Wed Sep 23 03:11:24 UTC 2009


"Scott Cantor" <cantor.2 at osu.edu> writes:

> Correct, no CVEs exist. As a point of clarification, is this something
> an independent project can coordinate, and should I attempt to do so in
> the future?

> I wasn't entirely clear from what Daniel told me whether he had anything
> to do with the curl CVE or if somebody from Red Hat did it.

Our experience in the OpenAFS project is that it's way easier to assign
CVEs if you're one of the groups who has delegated authority over a block
of CVE numbers and can just hand them out.  When we obtained a CVE for an
OpenAFS vulnerability as an independent project, it was a rather tedious
process and it was hard to figure out who to ask for one.  Debian has a
block of CVE numbers and can easily assign them.

If you'd like, I'm happy to ask Debian to assign CVEs for
Shibboleth-related things in the future, which you can then use for
security announcements and so forth.  Debian has to get a CVE assigned
anyway for our security updates, so it's no additional work for the
project as I understand it.  My GnuPG keys are available from keyservers
and at http://www.eyrie.org/~eagle/personal/contact.html if you ever need
to discuss security vulnerabilities confidentially in advance of a public
announcement.

-- 
Russ Allbery (rra at debian.org)               <http://www.eyrie.org/~eagle/>
