[SCM] Debian packaging for the 2.0 Apache Shibboleth SP branch, lenny, updated. debian/2.0.dfsg1-4-2-g57d9a51

Russ Allbery rra at debian.org
Wed Sep 23 05:51:33 UTC 2009


The following commit has been merged in the lenny branch:
commit 57d9a51deef5fe63b4e6215dd9486fb81dffd40c
Author: Russ Allbery <rra at debian.org>
Date:   Tue Sep 22 11:16:24 2009 -0700

    Revert "Add upstream security fix for cert subjects containing nuls"
    
    This reverts commit 0946ae4e77da819e93f43775dd85a97bf8a62469.
    
    Per Scott Cantor, no changes to the shibboleth-sp2 package are required
    to fix this security vulnerability.  The patch I pulled up was a patch
    for a different bug unrelated to this advisory.

diff --git a/apache/mod_apache.cpp b/apache/mod_apache.cpp
index c5fabab..c5106dd 100644
--- a/apache/mod_apache.cpp
+++ b/apache/mod_apache.cpp
@@ -1114,9 +1114,8 @@ AccessControl::aclresult_t htAccessControl::authorized(const SPRequest& request,
                         re=temp;
                     }
                     
-                    pair<multimap<string,const Attribute*>::const_iterator,multimap<string,const Attribute*>::const_iterator> attrs2(attrs);
-                    for (; !status && attrs2.first!=attrs2.second; ++attrs2.first) {
-                        if (checkAttribute(request, attrs2.first->second, w, regexp ? re.get() : NULL)) {
+                    for (; !status && attrs.first!=attrs.second; ++attrs.first) {
+                        if (checkAttribute(request, attrs.first->second, w, regexp ? re.get() : NULL)) {
                             status = true;
                         }
                     }
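Review bot: restoring the loop over `attrs.first` directly (the two `+` lines) means the range is consumed in place, so if the enclosing code evaluates more than one rule value `w` against the same `attrs` range, every value after the first will see an already-exhausted range; the reverted `attrs2` copy avoided that. The commit message says the dropped patch fixed a real but unrelated bug, so rather than losing it entirely, consider re-applying the `attrs2` iterator copy as its own non-security change with a changelog entry that describes it accurately.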
diff --git a/debian/changelog b/debian/changelog
index 4c64ae1..a54b567 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,15 +1,3 @@
-shibboleth-sp2 (2.0.dfsg1-4+lenny1) UNRELEASED; urgency=low
-
-  * SECURITY: Shibboleth incorrectly matched certificate subject names
-    against trusted "key names" when they contained nul characters.  This
-    affects only deployments relying on the "PKIX" style of trust
-    validation, used in the absence of explicit certificate information in
-    the SAML metadata provided to the SP and reliance on certificate
-    authorities found in the <KeyAuthority> metadata extension element.
-    See <http://shibboleth.internet2.edu/secadv/secadv_20090817.txt>.
-
- -- Russ Allbery <rra at debian.org>  Thu, 17 Sep 2009 18:36:03 -0700
-
 shibboleth-sp2 (2.0.dfsg1-4) unstable; urgency=low
 
   [ Ferenc Wagner ]
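Review bot: dropping the whole UNRELEASED `2.0.dfsg1-4+lenny1` stanza is safe for the package, but it also removes the only record that the advisory at <http://shibboleth.internet2.edu/secadv/secadv_20090817.txt> was evaluated for this branch. Consider keeping a one-line note (in the changelog of the next upload or in the packaging notes) stating that, per upstream, no change to shibboleth-sp2 is needed for that advisory, so the question is not reopened on the next security review.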

-- 
Debian packaging for the 2.0 Apache Shibboleth SP