Bug#905332: src:xml-security-c: Default KeyInfo resolver doesn't check for empty element content
Ferenc Wágner
wferi at debian.org
Fri Aug 3 09:22:28 BST 2018
Package: src:xml-security-c
Severity: important
Tags: security
This is a security tracking bug.
Original report:
https://issues.apache.org/jira/projects/SANTUARIO/issues/SANTUARIO-491
The issue is a null pointer dereference in the library, which happens to
mean a trivial remote DoS (shibd crash) in the Shibboleth SP stack.
I requested a CVE from Mitre, but haven't got it yet.
The stretch security upload is ready, I'm sending the debdiff.
All versions in the archive are affected; the upstream fix is in 2.0.1,
which will be uploaded to experimental shortly.
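Added illustration of the bug class the report describes (empty element content reaching a resolver that assumes text is present). This is example code written for this page, not code from xml-security-c, the Shibboleth SP, or the upstream fix. It uses a hand-rolled toy DOM standing in for the Xerces-C DOM the library actually uses; the element names KeyInfo and X509Certificate come from the XML Signature schema, while the Node type, the resolver functions and the placeholder certificate string are constructed for the example.

```cpp
#include <cstdio>
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Toy DOM stand-in (constructed for this example; not the Xerces-C DOM that
// xml-security-c actually uses). An element owns its children; character data
// lives in a separate Text node, as in a real DOM. That is the point of the
// exercise: an empty element such as <ds:X509Certificate/> has no Text child
// at all, so "first text child" is a null pointer, not an empty string.
struct Node {
    enum Kind { Element, Text };
    Kind kind;
    std::string name;  // local name, Element nodes only
    std::string data;  // character data, Text nodes only
    std::vector<std::unique_ptr<Node>> children;
};

std::unique_ptr<Node> makeElement(const std::string& name) {
    auto n = std::make_unique<Node>();
    n->kind = Node::Element;
    n->name = name;
    return n;
}

std::unique_ptr<Node> makeText(const std::string& data) {
    auto n = std::make_unique<Node>();
    n->kind = Node::Text;
    n->data = data;
    return n;
}

// Build <KeyInfo><X509Certificate>certText</X509Certificate></KeyInfo>.
// certText == nullptr yields an empty <X509Certificate/> with no Text child.
std::unique_ptr<Node> makeKeyInfo(const std::string* certText) {
    auto keyInfo = makeElement("KeyInfo");
    auto cert = makeElement("X509Certificate");
    if (certText != nullptr) cert->children.push_back(makeText(*certText));
    keyInfo->children.push_back(std::move(cert));
    return keyInfo;
}

// First Text child of an element, or nullptr when the element is empty.
const Node* firstTextChild(const Node& e) {
    for (const auto& c : e.children)
        if (c->kind == Node::Text) return c.get();
    return nullptr;
}

// Defect pattern (constructed illustration of the bug class in the report):
// assumes every X509Certificate element carries text and dereferences the
// lookup result without checking it. Crashes on <X509Certificate/>.
std::string resolveUnchecked(const Node& keyInfo) {
    for (const auto& c : keyInfo.children)
        if (c->kind == Node::Element && c->name == "X509Certificate")
            return firstTextChild(*c)->data;  // null deref when the element is empty
    return "";
}

// Hardened version: an empty or whitespace-only element means "no usable key",
// reported to the caller instead of dereferenced. Returns false when no
// certificate text is present; the caller then fails the signature check cleanly.
bool resolveChecked(const Node& keyInfo, std::string& out) {
    for (const auto& c : keyInfo.children) {
        if (c->kind != Node::Element || c->name != "X509Certificate") continue;
        const Node* text = firstTextChild(*c);
        if (text == nullptr) return false;  // <X509Certificate/>: no Text child at all
        if (text->data.find_first_not_of(" \t\r\n") == std::string::npos) return false;  // empty or whitespace only
        out = text->data;
        return true;
    }
    return false;
}

// Scenario helpers so the behaviour can be checked without running main().
bool emptyElementIsRejected() {
    std::string out;
    auto ki = makeKeyInfo(nullptr);
    return !resolveChecked(*ki, out);
}

bool populatedElementResolves(const std::string& certText) {
    std::string out;
    auto ki = makeKeyInfo(&certText);
    return resolveChecked(*ki, out) && out == certText && resolveUnchecked(*ki) == certText;
}

int main() {
    const std::string cert = "Q09OU1RSVUNURUQtQ0VSVA==";  // constructed placeholder, not a real certificate
    std::printf("populated element resolves: %s\n", populatedElementResolves(cert) ? "yes" : "no");
    std::printf("empty element rejected:     %s\n", emptyElementIsRejected() ? "yes" : "no");
    // resolveUnchecked(*makeKeyInfo(nullptr)) is deliberately not called: it would
    // dereference a null pointer, which is the crash class the report describes.
    return 0;
}
```

The two cases the hardened resolver distinguishes are the ones a DOM-based resolver must handle separately: an element with no text child at all (a null pointer from the lookup) and an element whose text is empty or whitespace. Treating both as "no key" rather than a fatal condition is what turns a remotely triggerable crash into an ordinary failed signature verification.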
More information about the Pkg-shibboleth-devel mailing list