xmltooling_1.5.3-2+deb8u2_all.changes ACCEPTED into oldstable-proposed-updates->oldstable-new, oldstable-proposed-updates
Debian FTP Masters
ftpmaster at ftp-master.debian.org
Sat Feb 10 21:10:06 UTC 2018
Accepted:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 12 Jan 2018 12:00:08 +0100
Source: xmltooling
Binary: libxmltooling6 libxmltooling-dev xmltooling-schemas libxmltooling-doc
Architecture: all
Version: 1.5.3-2+deb8u2
Distribution: jessie-security
Urgency: high
Maintainer: Debian Shib Team <pkg-shibboleth-devel at lists.alioth.debian.org>
Changed-By: Ferenc Wágner <wferi at debian.org>
Description:
libxmltooling-dev - C++ XML parsing library with encryption support (development)
libxmltooling-doc - C++ XML parsing library with encryption support (API docs)
libxmltooling6 - C++ XML parsing library with encryption support (runtime)
xmltooling-schemas - XML schemas for XMLTooling
Changes:
xmltooling (1.5.3-2+deb8u2) jessie-security; urgency=high
.
* [5c2845b] Add gbp.conf for jessie
* [0ffc343] Convert our single patch into a proper patch queue
* [91e7acb] New patch: CVE-2018-0486: vulnerability to forged user attribute data
The Service Provider software relies on a generic XML parser to process
SAML responses and there are limitations in older versions of the parser
that make it impossible to fully disable Document Type Definition (DTD)
processing.
Through addition/manipulation of a DTD, it's possible to make changes
to an XML document that do not break a digital signature but are
mishandled by the SP and its libraries. These manipulations can alter
the user data passed through to applications behind the SP and result
in impersonation attacks and exposure of protected information.
While the use of XML Encryption can serve as a mitigation for this bug,
it may still be possible to construct attacks in such cases, and the SP
does not provide a means to enforce its use.
CPPXT-127 - Block entity reference nodes during unmarshalling.
https://issues.shibboleth.net/jira/browse/CPPXT-127
Thanks to Scott Cantor
* [49b7352] Update Uploaders: add Etienne, remove Russ, update myself
Checksums-Sha1:
beefa5441d8c87a9f6ffb3cc3214dcf2d7ece123 16682 xmltooling-schemas_1.5.3-2+deb8u2_all.deb
f649fc47f0b7abb605a26e8bb76760033189ea24 475322 libxmltooling-doc_1.5.3-2+deb8u2_all.deb
Checksums-Sha256:
2b6a358529b14b247a0c1e0f8effd71c8f28b6c8860bfafd9e602b70da988540 16682 xmltooling-schemas_1.5.3-2+deb8u2_all.deb
6f641c75d11efb3c613ff380a4c06e6a81153e75a07979691a6a325c6d85a73e 475322 libxmltooling-doc_1.5.3-2+deb8u2_all.deb
Files:
75ac86b92867f8bd58ec37eb4431aaa7 16682 text extra xmltooling-schemas_1.5.3-2+deb8u2_all.deb
3be72da4235dd6c36c63b665a14cf15e 475322 doc extra libxmltooling-doc_1.5.3-2+deb8u2_all.deb
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
Thank you for your contribution to Debian.
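The changelog entry above describes the class of problem behind CVE-2018-0486: a DTD added to or altered in a signed SAML document can change what the consuming library sees without invalidating the signature, and older Xerces releases could not be told to switch DTD handling off completely. The xmltooling fix (CPPXT-127) blocks entity reference nodes while unmarshalling, in the project's C++ code. The example below is an added illustration, not code from xmltooling or from Debian: it shows the same defensive idea at parse time using Python's standard-library expat binding, by refusing any DOCTYPE or entity declaration outright rather than trying to neutralise it later. The two sample assertions are constructed for this example; the code does no signature verification and is meant to run before, not instead of, signature validation.

```python
import xml.parsers.expat as expat


class DTDRejected(ValueError):
    """Raised when the document carries a DOCTYPE or declares an entity."""


def parse_without_dtd(xml_bytes: bytes) -> list:
    """Parse xml_bytes with expat, refusing every DTD construct.

    Returns the element names in document order so the caller can see what
    the parser actually produced. Raises DTDRejected on the first DOCTYPE or
    entity declaration, and expat.ExpatError for anything else malformed,
    including a reference to an entity that was never declared.
    """
    parser = expat.ParserCreate()
    # Never resolve parameter entities from external sources.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    elements = []

    def reject_doctype(name, system_id, public_id, has_internal_subset):
        # Fires as soon as <!DOCTYPE ...> is seen, before any entity is read.
        raise DTDRejected(f"DOCTYPE declaration not allowed (root {name!r})")

    def reject_entity(name, is_param, value, base, system_id, public_id, notation):
        # Belt and braces: unreachable once DOCTYPE is rejected, kept explicit.
        raise DTDRejected(f"entity declaration not allowed: {name!r}")

    def reject_external(context, base, system_id, public_id):
        # Returning 0 makes expat abort with ExpatError instead of fetching.
        return 0

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity
    parser.ExternalEntityRefHandler = reject_external
    parser.StartElementHandler = lambda name, attrs: elements.append(name)
    parser.Parse(xml_bytes, True)
    return elements


def is_acceptable(xml_bytes: bytes) -> bool:
    """True if the document parses with no DTD constructs at all."""
    try:
        parse_without_dtd(xml_bytes)
    except (DTDRejected, expat.ExpatError):
        return False
    return True


# Constructed sample: a minimal assertion with no DTD.
CLEAN_ASSERTION = b"""<?xml version="1.0"?>
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://idp.example.org/idp</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail">
      <saml:AttributeValue>alice@example.org</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

# Constructed sample: the same document with an internal DTD subset added.
DTD_ASSERTION = b"""<?xml version="1.0"?>
<!DOCTYPE saml:Assertion [ <!ENTITY who "alice@example.org"> ]>
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://idp.example.org/idp</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail">
      <saml:AttributeValue>&who;</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

if __name__ == "__main__":
    print("clean:", is_acceptable(CLEAN_ASSERTION))
    print("with DTD:", is_acceptable(DTD_ASSERTION))
```

Rejecting at the DOCTYPE keyword is deliberate: once a DTD has been accepted, the parser, not the signature, decides what text the application receives, which is exactly the gap the changelog describes. A fresh parser is created per call because expat cannot continue after a handler raises.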