Santuario patch coming shortly
Cantor, Scott
cantor.2 at osu.edu
Wed Aug 1 14:35:39 BST 2018
I have a 2.0.1 coming to fix a DOS bug that impacts the SP, I've already committed the fix and am testing now. Fair warning since I expect to get grief from all quarters, but I am *not* going to handle this as a security issue, CVE, etc. on the Apache side, I flat out do not have time for that and people will either live with it or they'll get a response from me they will happily file with the rest of their grievances.
I will do an advisory for the SP itself since that is a) all I have time to worry about, and b) much simpler for me to do.
This is easily backportable to the older Santuario versions used in Debian now for maintenance purposes but I don't have any plans right now to do a 2.x SP patch for Windows, I just don't think the 3.0 upgrade has been a problem since I got the initial patches done so this is the perfect bug to force people to update if they want the fix.
I just wanted to give you an earlier heads up before I send something to alert@ since I know it probably will need to be backported.
The issue is denial of service / crash only, but it is a trivial one.
-- Scott
More information about the Pkg-shibboleth-devel
mailing list