[xmltooling] 05/05: Update changelog for 1.5.3-2+deb8u2 release

Ferenc Wágner wferi at moszumanska.debian.org
Sat Jan 13 00:20:14 UTC 2018

This is an automated email from the git hooks/post-receive script.

wferi pushed a commit to branch debian/jessie
in repository xmltooling.

commit 809e59899ada40d5e2c88d37b40ad5fcf9ecd665
Author: Ferenc Wágner <wferi at debian.org>
Date:   Fri Jan 12 12:01:49 2018 +0100

    Update changelog for 1.5.3-2+deb8u2 release
 debian/changelog | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 14b48b6..3f7761a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,28 @@
+xmltooling (1.5.3-2+deb8u2) jessie-security; urgency=high
+  * [5c2845b] Add gbp.conf for jessie
+  * [0ffc343] Convert our single patch into a proper patch queue
+  * [91e7acb] New patch: CVE-2018-0486: vulnerability to forged user attribute
+    data
+    The Service Provider software relies on a generic XML parser to process
+    SAML responses and there are limitations in older versions of the parser
+    that make it impossible to fully disable Document Type Definition (DTD)
+    processing.
+    Through addition/manipulation of a DTD, it's possible to make changes
+    to an XML document that do not break a digital signature but are
+    mishandled by the SP and its libraries. These manipulations can alter
+    the user data passed through to applications behind the SP and result
+    in impersonation attacks and exposure of protected information.
+    While the use of XML Encryption can serve as a mitigation for this bug,
+    it may still be possible to construct attacks in such cases, and the SP
+    does not provide a means to enforce its use.
+    CPPXT-127 - Block entity reference nodes during unmarshalling.
+    https://issues.shibboleth.net/jira/browse/CPPXT-127
+    Thanks to Scott Cantor
+  * [49b7352] Update Uploaders: add Etienne, remove Russ, update myself
+ -- Ferenc Wágner <wferi at debian.org>  Fri, 12 Jan 2018 12:00:08 +0100
 xmltooling (1.5.3-2+deb8u1) jessie-security; urgency=high
   * Apply security fix from 1.5.5 for CVE-2015-0851 DoS (Closes: #793855):
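Review bot: the [91e7acb] entry for CVE-2018-0486 records neither the upstream release the fix was backported from nor a Debian bug closure, while the 1.5.3-2+deb8u1 entry just below records both ("from 1.5.5", "Closes: #793855"). Name the upstream version that contains the CPPXT-127 change, and add a Closes: reference if a Debian bug was filed for this CVE, so the patch can be checked against upstream. The changelog text also runs straight from the patch title into the advisory description at the same indentation; a separating line or deeper indent for the quoted advisory text would make clear where the description ends and "CPPXT-127 - Block entity reference nodes during unmarshalling." (the actual change) begins.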

Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-shibboleth/xmltooling.git
