Bug#794851: CVE-2015-0851: shibboleth-sp2 needs to be rebuilt against new xmltooling

Sergio Gelato Sergio.Gelato at astro.su.se
Fri Aug 7 10:36:18 UTC 2015

Package: opensaml2
Version: 2.5.3-2
Severity: serious
Tags: security

The upstream security advisory for CVE-2015-0851 (see #793855) states
in part: "Correcting this bug requires that the OpenSAML library be
rebuilt against the corrected version of the XMLTooling-C library,
which is normally assured by obtaining updates to both."

This is presumably related to the fact that the patch to xmltooling
touches preprocessor macros defined in <xmltooling/base.h>.
Specifically, the macro IMPL_INTEGER_ATTRIB is referenced several times
on OpenSAML2 source code.

The same macro also appears once in the source code for package
shibboleth-sp2, making it also a candidate for recompilation. (Feel
free to clone this bug if needed.)

More information about the Pkg-shibboleth-devel mailing list