Proposed security fixes for Shibboleth 1.x (lenny)
Russ Allbery
rra at debian.org
Thu Sep 24 23:03:43 UTC 2009
"Scott Cantor" <cantor.2 at osu.edu> writes:
> Russ Allbery wrote on 2009-09-22:
>> Here is the diff for opensaml and shibboleth-sp for lenny. I also
>> backported the same fixes to the etch versions, which required manually
>> applying the patch for certificate naming. Hopefully I didn't break
>> anything.
> Are they on different 1.x releases? I wouldn't expect too much
> difference in these spots, but it's been a while.
Yeah, etch was released a long time ago, so it has an ancient version
(1.3f). It's going out of security support this coming February so
hopefully people are mostly off of it. We will be fairly soon.
There's a newer backport which I'll also update once I get the main
security fixes done.
There was only a minor difference in the center of the SSL code related to
how the logging conditional was constructed, but that was enough to make
patch conservative about applying it.
--
Russ Allbery (rra at debian.org) <http://www.eyrie.org/~eagle/>
More information about the Pkg-shibboleth-devel
mailing list