[shibboleth-sp2] 02/04: Delete patch 0007-Security-fix-from-V2.5.4-for-CVE-2015-2684.patch

Etienne Dysli Metref edm-guest at moszumanska.debian.org
Thu Nov 3 12:47:50 UTC 2016


This is an automated email from the git hooks/post-receive script.

edm-guest pushed a commit to branch edm/debian/wheezy-backports-sloppy
in repository shibboleth-sp2.

commit fd66f98beb0a301f57d688459321d9ca72b1deeb
Author: Etienne Dysli Metref <etienne.dysli-metref at switch.ch>
Date:   Thu Nov 3 10:23:59 2016 +0100

    Delete patch 0007-Security-fix-from-V2.5.4-for-CVE-2015-2684.patch
---
 ...ecurity-fix-from-V2.5.4-for-CVE-2015-2684.patch | 56 ----------------------
 1 file changed, 56 deletions(-)

diff --git a/debian/patches/0007-Security-fix-from-V2.5.4-for-CVE-2015-2684.patch b/debian/patches/0007-Security-fix-from-V2.5.4-for-CVE-2015-2684.patch
deleted file mode 100644
index a8e9f42..0000000
--- a/debian/patches/0007-Security-fix-from-V2.5.4-for-CVE-2015-2684.patch
+++ /dev/null
@@ -1,56 +0,0 @@
-From: =?utf-8?q?Ferenc_W=C3=A1gner?= <wferi at niif.hu>
-Date: Tue, 17 Mar 2015 15:09:39 +0100
-Subject: Security fix from V2.5.4 for CVE-2015-2684
-
-Shibboleth SP software crashes on malformed input messages
-===============================================================
-The SP software includes an authenticated denial of service
-vulnerability that results in a crash on certain kinds of malformed
-SAML messages. The vulnerability is only triggered when special
-conditions are met and after a message or assertion signature
-has been verified, so exploitation requires a message produced
-under a trusted key, limiting the impact.
-
-URL for the full Security Advisory:
-https://shibboleth.net/community/advisories/secadv_20150319.txt
----
- shibsp/handler/impl/SAML2Consumer.cpp      |    4 ++++
- shibsp/impl/StorageServiceSessionCache.cpp |    3 ++-
- 2 files changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/shibsp/handler/impl/SAML2Consumer.cpp b/shibsp/handler/impl/SAML2Consumer.cpp
-index ec62384..be2397c 100644
---- a/shibsp/handler/impl/SAML2Consumer.cpp
-+++ b/shibsp/handler/impl/SAML2Consumer.cpp
-@@ -44,6 +44,7 @@
- # include <xmltooling/XMLToolingConfig.h>
- # include <xmltooling/io/HTTPRequest.h>
- # include <xmltooling/util/DateTime.h>
-+# include <xmltooling/validation/ValidatorSuite.h>
- using namespace opensaml::saml2;
- using namespace opensaml::saml2p;
- using namespace opensaml::saml2md;
-@@ -312,6 +313,9 @@ void SAML2Consumer::implementProtocol(
-             if (!decrypted->getSignature() && requireSignedAssertions.first && requireSignedAssertions.second)
-                 throw SecurityPolicyException("The incoming assertion was unsigned, violating local security policy.");
- 
-+            // Run the schema validators against the assertion, since it was hidden by encryption.
-+            SchemaValidators.validate(decrypted.get());
-+
-             // We clear the security flag, so we can tell whether the token was secured on its own.
-             policy.setAuthenticated(false);
-             policy.reset(true);
-diff --git a/shibsp/impl/StorageServiceSessionCache.cpp b/shibsp/impl/StorageServiceSessionCache.cpp
-index 9e5d48d..b816624 100644
---- a/shibsp/impl/StorageServiceSessionCache.cpp
-+++ b/shibsp/impl/StorageServiceSessionCache.cpp
-@@ -1233,7 +1233,8 @@ void SSCache::insert(
-         throw FatalProfileException("Attempted to create a session with a duplicate key.");
- 
-     // Store the reverse mapping for logout.
--    if (nameid && m_reverseIndex && (m_excludedNames.size() == 0 || m_excludedNames.count(nameid->getName()) == 0)) {
-+    if (name.get() && *name.get() && m_reverseIndex
-+            && (m_excludedNames.size() == 0 || m_excludedNames.count(nameid->getName()) == 0)) {
-         try {
-             insert(key.get(), expires, name.get(), index.get());
-         }
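Review bot: the commit message gives no reason for removing this patch, so a reader of the edm/debian/wheezy-backports-sloppy branch cannot tell whether the CVE-2015-2684 fix carried here (the ValidatorSuite schema validation of decrypted assertions in SAML2Consumer.cpp and the empty-name guard in SSCache::insert) is now included in the packaged upstream source or is simply being dropped. State the rationale in the commit message and in debian/changelog, for example that the upstream version being packaged is V2.5.4 or later and already contains this change; if that is not the case, the patch should stay until an equivalent fix is present.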

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-shibboleth/shibboleth-sp2.git