Security fixes for opensaml2 and xmltooling

Russ Allbery rra at debian.org
Wed Sep 23 19:37:54 UTC 2009


Florian Weimer <fw at deneb.enyo.de> writes:

> Thanks for investigating.

Sure, no problem -- it was an easy investigation in this case, since (so
far at least) xmltooling, opensaml2, and shibboleth-sp2 are basically all
just components of the Shibboleth application.  In theory, the first two
could be used by separate applications, but this hasn't happened yet for
anything in Debian.

> I'm not sure if the opensaml2 part has to go through security-master.
> If we fix this part through stable-proposed-updates, we should be able
> to get the fix for shibboleth-sp2 by requesting a binNMU.

> What do you think?

I concur -- my sense is that the problem with properly processing key use
limitations is rare and won't matter for most sites (if for no other
reason than that it assumes a level of care about how X.509 certificates
are used that I rarely see in practice).  I think the complete fix for
that is reasonable to do through stable-proposed-updates.  I just wasn't
sure if you'd want to accept a partial security update from the xmltooling
side and then tell people in the advisory to get the rest from s-p-u or
the next stable release, or in general how that sort of situation is
handled.

-- 
Russ Allbery (rra at debian.org)               <http://www.eyrie.org/~eagle/>
