[opensaml2] 02/03: New patch Security-fix-from-V2.6.1-CPPOST-105.patch

Ferenc Wágner wferi at moszumanska.debian.org
Wed Nov 15 22:53:30 UTC 2017


This is an automated email from the git hooks/post-receive script.

wferi pushed a commit to branch debian/stretch
in repository opensaml2.

commit 9e2c41fe67726ec8eaa7d9f0927627f6e7fcce57
Author: Ferenc Wágner <wferi at debian.org>
Date:   Tue Nov 14 22:06:37 2017 +0100

    New patch Security-fix-from-V2.6.1-CPPOST-105.patch
    
    Security fix from V2.6.1 (CPPOST-105)
    Thanks: Scott Cantor
---
 .../Security-fix-from-V2.6.1-CPPOST-105.patch      | 53 ++++++++++++++++++++++
 debian/patches/series                              |  1 +
 2 files changed, 54 insertions(+)

diff --git a/debian/patches/from-upstream/Security-fix-from-V2.6.1-CPPOST-105.patch b/debian/patches/from-upstream/Security-fix-from-V2.6.1-CPPOST-105.patch
new file mode 100644
index 0000000..510eb43
--- /dev/null
+++ b/debian/patches/from-upstream/Security-fix-from-V2.6.1-CPPOST-105.patch
@@ -0,0 +1,53 @@
+From: Scott Cantor <cantor.2 at osu.edu>
+Date: Mon, 13 Nov 2017 13:55:33 -0500
+Subject: Security fix from V2.6.1 (CPPOST-105)
+
+(cherry picked from commit 6182b0acf2df670e75423c2ed7afe6950ef11c9d)
+
+Dynamic MetadataProvider fails to install security filters
+============================================================
+The Shibboleth Service Provider software includes a MetadataProvider
+plugin with the plugin type "Dynamic" to obtain metadata on demand
+from a query server, in place of the more typical mode of downloading
+aggregates separately containing all of the metadata to load.
+
+All the plugin types rely on MetadataFilter plugins to perform critical
+security checks such as signature verification, enforcement of validity
+periods, and other checks specific to deployments.
+
+Due to a coding error, the "Dynamic" plugin fails to configure itself
+with the filters provided to it and thus omits whatever checks they are
+intended to perform, which will typically leave deployments vulnerable
+to active attacks involving the substitution of metadata if the network
+path to the query service is compromised.
+
+Note Regarding OpenSAML Library
+=================================
+An identical issue exists in the DynamicMetadataProvider class in
+the OpenSAML-C library in all versions prior to V2.6.1. Applications
+making direct use of this library must be independently updated to
+correct this vulnerability.
+
+Credits
+=========
+Rod Widdowson, Steading System Software LLP
+
+URL for the full Security Advisory:
+http://shibboleth.internet2.edu/secadv/secadv_20171115.txt
+---
+ saml/saml2/metadata/impl/DynamicMetadataProvider.cpp | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/saml/saml2/metadata/impl/DynamicMetadataProvider.cpp b/saml/saml2/metadata/impl/DynamicMetadataProvider.cpp
+index 86631bb..fbd62d9 100644
+--- a/saml/saml2/metadata/impl/DynamicMetadataProvider.cpp
++++ b/saml/saml2/metadata/impl/DynamicMetadataProvider.cpp
+@@ -72,7 +72,7 @@ namespace opensaml {
+ };
+ 
+ DynamicMetadataProvider::DynamicMetadataProvider(const DOMElement* e)
+-    : AbstractMetadataProvider(e),
++    : AbstractMetadataProvider(e), MetadataProvider(e),
+       m_validate(XMLHelper::getAttrBool(e, false, validate)),
+         m_id(XMLHelper::getAttrString(e, "Dynamic", id)),
+         m_lock(RWLock::create()),
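Review bot: the added `MetadataProvider(e)` initializer needs a comment explaining why it is there, because next to `AbstractMetadataProvider(e)` it reads as redundant and is exactly the line a later cleanup would drop, reintroducing the bug. A constructor may only name direct or virtual bases in its initializer list, so for this one-line change to compile MetadataProvider must be a virtual base reached through AbstractMetadataProvider; a virtual base is initialized by the most-derived class, and when the most-derived class omits it the default constructor runs instead, which is how the filters carried by `e` were being lost. Suggested: `: MetadataProvider(e), AbstractMetadataProvider(e), // virtual base: must be initialized here or filters are never installed`, with MetadataProvider listed first since virtual bases are constructed before non-virtual ones and compilers with -Wreorder may warn about the textual order. The continuation lines are also indented inconsistently (`m_validate` at six spaces, `m_id` and `m_lock` at eight); pre-existing, but cheap to align while this line is being touched. A regression test that builds a Dynamic provider with one filter and asserts the filter runs would guard this class of omission in the other providers too.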
diff --git a/debian/patches/series b/debian/patches/series
index 59822b8..997b428 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -19,3 +19,4 @@ Refactor-test-source-generation.patch
 Derive-correct-test-data-paths-from-srcdir.patch
 Enable-skipping-tests-which-require-network-access.patch
 Enable-the-dot-feature-of-Doxygen.patch
+from-upstream/Security-fix-from-V2.6.1-CPPOST-105.patch

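The advisory above describes the failure as a coding error in the constructor, and the one-line fix adds an explicit base initializer. The C++ rule behind it is that a virtual base is initialized only by the most-derived class: any `MetadataProvider(e)` written in an intermediate class's initializer list is ignored, and if the most-derived class does not list the virtual base itself, the base's default constructor runs. The following is an added illustration, not OpenSAML or Shibboleth code; the class names mirror the patched file but the bodies are stand-ins, and it assumes (as the fix's own initializer list implies) that MetadataProvider is a virtual base reached through AbstractMetadataProvider. `ConfigElement`, `MetadataFilter`, `brokenFilterCount` and `fixedFilterCount` are invented for the example.

```cpp
// Added illustration (not OpenSAML or Shibboleth code) of why an explicit
// virtual-base initializer matters. Class names mirror the patched file;
// the hierarchy is assumed to use virtual inheritance, as implied by the
// fix (only a direct or virtual base may appear in an initializer list).
#include <cstddef>
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Stand-in for the DOM configuration element (invented): just the names of
// the <MetadataFilter> children a deployer configured.
struct ConfigElement {
    std::vector<std::string> filterNames;
};

struct MetadataFilter {
    std::string id;
    explicit MetadataFilter(std::string name) : id(std::move(name)) {}
};

// Base that owns the filter chain. Its constructor is the only place the
// filter children of the config element are turned into filter objects;
// the default constructor (no element) installs nothing.
class MetadataProvider {
public:
    explicit MetadataProvider(const ConfigElement* e = nullptr) {
        if (!e) return;
        for (const auto& n : e->filterNames)
            m_filters.push_back(std::make_unique<MetadataFilter>(n));
    }
    virtual ~MetadataProvider() = default;
    std::size_t filterCount() const { return m_filters.size(); }
private:
    std::vector<std::unique_ptr<MetadataFilter>> m_filters;
};

// Intermediate class with a *virtual* base (assumption, see lead-in).
class AbstractMetadataProvider : public virtual MetadataProvider {
public:
    explicit AbstractMetadataProvider(const ConfigElement* e)
        : MetadataProvider(e) {}   // ignored unless this is the most-derived class
};

// "Before" the fix: only the direct base is named. Because MetadataProvider
// is virtual, this most-derived class is responsible for it; since it is not
// listed, the default constructor runs and no filters are installed.
class BrokenDynamicMetadataProvider : public AbstractMetadataProvider {
public:
    explicit BrokenDynamicMetadataProvider(const ConfigElement* e)
        : AbstractMetadataProvider(e) {}
};

// "After" the fix: the virtual base is initialized explicitly with the
// config element, so the filters configured by the deployer are installed.
class FixedDynamicMetadataProvider : public AbstractMetadataProvider {
public:
    explicit FixedDynamicMetadataProvider(const ConfigElement* e)
        : MetadataProvider(e), AbstractMetadataProvider(e) {}
};

// Invented helpers: how many filters each variant ends up with.
std::size_t brokenFilterCount(const ConfigElement& e) {
    return BrokenDynamicMetadataProvider(&e).filterCount();
}
std::size_t fixedFilterCount(const ConfigElement& e) {
    return FixedDynamicMetadataProvider(&e).filterCount();
}

// Constructed sample configuration: a signature check and a validUntil
// check, the kind of filters the advisory says were being skipped.
const ConfigElement kSampleConfig{{"Signature", "RequireValidUntil"}};

int main() {
    // The broken provider silently drops both filters; the fixed one keeps them.
    return (brokenFilterCount(kSampleConfig) == 0 &&
            fixedFilterCount(kSampleConfig) == 2) ? 0 : 1;
}
```

The broken variant compiles without any diagnostic, which is why the omission survived: nothing in the language forces the most-derived class to name a virtual base, and the silently chosen default constructor produces a provider that answers queries but enforces no filters.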
-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-shibboleth/opensaml2.git