[shibboleth-sp2] 03/04: New patch Security-fix-from-V2.6.1-SSPCPP-763.patch
Ferenc Wágner
wferi at moszumanska.debian.org
Wed Nov 15 22:53:15 UTC 2017
This is an automated email from the git hooks/post-receive script.
wferi pushed a commit to branch debian/jessie
in repository shibboleth-sp2.
commit cf997f0a5983ac617893625c15c76eb133bd5747
Author: Ferenc Wágner <wferi at debian.org>
Date: Tue Nov 14 23:25:37 2017 +0100
New patch Security-fix-from-V2.6.1-SSPCPP-763.patch
Security fix from V2.6.1 (SSPCPP-763)
Thanks: Scott Cantor
---
.../Security-fix-from-V2.6.1-SSPCPP-763.patch | 46 ++++++++++++++++++++++
debian/patches/series | 1 +
2 files changed, 47 insertions(+)
diff --git a/debian/patches/from-upstream/Security-fix-from-V2.6.1-SSPCPP-763.patch b/debian/patches/from-upstream/Security-fix-from-V2.6.1-SSPCPP-763.patch
new file mode 100644
index 0000000..c755550
--- /dev/null
+++ b/debian/patches/from-upstream/Security-fix-from-V2.6.1-SSPCPP-763.patch
@@ -0,0 +1,46 @@
+From: Scott Cantor <cantor.2 at osu.edu>
+Date: Mon, 13 Nov 2017 13:56:53 -0500
+Subject: Security fix from V2.6.1 (SSPCPP-763)
+
+(cherry picked from commit b66cceb0e992c351ad5e2c665229ede82f261b16)
+
+Dynamic MetadataProvider fails to install security filters
+============================================================
+The Shibboleth Service Provider software includes a MetadataProvider
+plugin with the plugin type "Dynamic" to obtain metadata on demand
+from a query server, in place of the more typical mode of downloading
+aggregates separately containing all of the metadata to load.
+
+All the plugin types rely on MetadataFilter plugins to perform critical
+security checks such as signature verification, enforcement of validity
+periods, and other checks specific to deployments.
+
+Due to a coding error, the "Dynamic" plugin fails to configure itself
+with the filters provided to it and thus omits whatever checks they are
+intended to perform, which will typically leave deployments vulnerable
+to active attacks involving the substitution of metadata if the network
+path to the query service is compromised.
+
+Credits
+=========
+Rod Widdowson, Steading System Software LLP
+
+URL for the full Security Advisory:
+http://shibboleth.internet2.edu/secadv/secadv_20171115.txt
+---
+ shibsp/metadata/DynamicMetadataProvider.cpp | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/shibsp/metadata/DynamicMetadataProvider.cpp b/shibsp/metadata/DynamicMetadataProvider.cpp
+index da5c808..adbb841 100644
+--- a/shibsp/metadata/DynamicMetadataProvider.cpp
++++ b/shibsp/metadata/DynamicMetadataProvider.cpp
+@@ -93,7 +93,7 @@ namespace shibsp {
+ };
+
+ DynamicMetadataProvider::DynamicMetadataProvider(const DOMElement* e)
+- : saml2md::DynamicMetadataProvider(e),
++ : saml2md::DynamicMetadataProvider(e), MetadataProvider(e),
+ m_verifyHost(XMLHelper::getAttrBool(e, true, verifyHost)),
+ m_ignoreTransport(XMLHelper::getAttrBool(e, false, ignoreTransport)),
+ m_encoded(true), m_trust(nullptr)
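Review bot: the one-line fix in the DynamicMetadataProvider constructor hunk is correct in principle but deserves a comment in the patch body explaining why it works: before the change, the initializer list named only `saml2md::DynamicMetadataProvider(e)`, so the other base class, shibsp `MetadataProvider`, was default-constructed and never saw the configuration element `e`; the `MetadataFilter` plugins declared under that element were therefore never installed, which is exactly the "omits whatever checks they are intended to perform" failure the header describes. Adding `MetadataProvider(e)` hands the element to the base that owns the filter list. Two things to confirm before uploading: (1) since this is a cherry-pick from 2.6.1 into the jessie branch, check that the constructor at line 93 of the jessie-era DynamicMetadataProvider.cpp has the same shape so the hunk applies without fuzz and the base class really is unconfigured there too; (2) the patch header cites SSPCPP-763 and the advisory URL but no CVE identifier, so if one is assigned for this issue it should be added to the patch description and the changelog entry, which is not part of this commit. A simple regression check is a Dynamic provider configured with a signature-verifying filter against unsigned metadata: after the fix the lookup must be rejected rather than accepted.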
diff --git a/debian/patches/series b/debian/patches/series
index 34f4537..14d463e 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -5,3 +5,4 @@
0005-Default-native-logger-to-syslog.patch
0006-Remove-WSTrust-schema-references.patch
0007-Security-fix-from-V2.5.4-for-CVE-2015-2684.patch
+from-upstream/Security-fix-from-V2.6.1-SSPCPP-763.patch
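Review bot: style point on the series hunk: the existing entries use the numbered `000N-` prefix scheme (0005 through 0007), while the new entry introduces a `from-upstream/` subdirectory with no number. Either is valid for quilt, but mixing the two makes the apply order harder to read at a glance; if the subdirectory convention is intended for future upstream cherry-picks, it is worth noting that in README.source or the changelog. Appending it after 0007-Security-fix-from-V2.5.4-for-CVE-2015-2684.patch is the right position, as the new hunk touches a different file and has no ordering dependency on the earlier patches.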
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-shibboleth/shibboleth-sp2.git