[xmltooling] 05/05: Update changelog for 1.5.3-2+deb8u2 release
wferi at moszumanska.debian.org
Sat Jan 13 00:20:14 UTC 2018
This is an automated email from the git hooks/post-receive script.
wferi pushed a commit to branch debian/jessie
in repository xmltooling.
Author: Ferenc Wágner <wferi at debian.org>
Date: Fri Jan 12 12:01:49 2018 +0100
Update changelog for 1.5.3-2+deb8u2 release
debian/changelog | 25 +++++++++++++++++++++++++
1 file changed, 25 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index 14b48b6..3f7761a 100644
@@ -1,3 +1,28 @@
+xmltooling (1.5.3-2+deb8u2) jessie-security; urgency=high
+ * [5c2845b] Add gbp.conf for jessie
+ * [0ffc343] Convert our single patch into a proper patch queue
+ * [91e7acb] New patch: CVE-2018-0486: vulnerability to forged user attribute
+ The Service Provider software relies on a generic XML parser to process
+ SAML responses and there are limitations in older versions of the parser
+ that make it impossible to fully disable Document Type Definition (DTD)
+ Through addition/manipulation of a DTD, it's possible to make changes
+ to an XML document that do not break a digital signature but are
+ mishandled by the SP and its libraries. These manipulations can alter
+ the user data passed through to applications behind the SP and result
+ in impersonation attacks and exposure of protected information.
+ While the use of XML Encryption can serve as a mitigation for this bug,
+ it may still be possible to construct attacks in such cases, and the SP
+ does not provide a means to enforce its use.
+ CPPXT-127 - Block entity reference nodes during unmarshalling.
+ Thanks to Scott Cantor
+ * [49b7352] Update Uploaders: add Etienne, remove Russ, update myself
+ -- Ferenc Wágner <wferi at debian.org> Fri, 12 Jan 2018 12:00:08 +0100
xmltooling (1.5.3-2+deb8u1) jessie-security; urgency=high
* Apply security fix from 1.5.5 for CVE-2015-0851 DoS (Closes: #793855):
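Review bot: the sentence on the line ending in "fully disable Document Type Definition (DTD)" is cut off before its final word and full stop, so the following line "Through addition/manipulation of a DTD, ..." reads as a run-on continuation; complete it (e.g. "... (DTD) processing.") before the upload, since this text becomes the permanent changelog record of the fix. The entry also bundles changes unrelated to the security fix (the new gbp.conf, the Uploaders edit) into a jessie-security upload at urgency=high; keeping the debdiff to the CVE patch and the patch-queue conversion it depends on would make the security team's review easier, and a Debian bug or advisory reference for CVE-2018-0486 would help readers find the full description.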
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-shibboleth/xmltooling.git
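The changelog entry above describes the attack only in outline: a DTD added to a signed SAML response lets an attacker change what the SP reads out of an element without breaking the signature, and the fix (CPPXT-127) is to block entity reference nodes during unmarshalling. The following is an added illustration, not xmltooling's code or Debian's patch. It uses Python's expat binding to stand in for the C++ parser stack: setting expat's DefaultHandler switches off expansion of internally declared general entities, so the raw reference arrives as a separate node between two text nodes, which is the DOM shape a parser that keeps entity reference nodes produces. The assertions, the identity admin@evil.example and the empty entity e are constructed samples, and "canonical text" here is a simplification of XML canonicalization (DTD dropped, entity references replaced by their replacement text) that is enough to show why the signature still verifies.

```python
"""Added illustration of the DTD trick behind CVE-2018-0486 (not xmltooling code).

Python's expat stands in for the C++ parser: with DefaultHandler set, expat stops
expanding internally declared general entities and hands the raw reference ("&e;")
to that handler, mimicking a parser that builds entity reference nodes.
"""
import xml.parsers.expat

# Constructed samples. The IdP signed the first assertion for the attacker's own
# identity; the second is the same assertion with an empty internal entity spliced
# into the NameID text plus the DTD that declares it.
SIGNED_BY_IDP = (
    '<Assertion><Subject><NameID>admin@evil.example</NameID></Subject></Assertion>'
)
FORGED = (
    '<!DOCTYPE Assertion [ <!ENTITY e ""> ]>'
    '<Assertion><Subject><NameID>admin&e;@evil.example</NameID></Subject></Assertion>'
)


def child_nodes(xml_text, element, expand_entities):
    """Child node list of the first <element>: [('text', data), ('entref', '&e;'), ...].

    Adjacent text is coalesced; an entity reference splits the text into two nodes
    when expand_entities is False.
    """
    nodes = []
    state = {'inside': False, 'done': False}

    def start(name, attrs):
        if name == element and not state['done']:
            state['inside'] = True

    def end(name):
        if name == element and state['inside']:
            state['inside'] = False
            state['done'] = True

    def text(data):
        if state['inside']:
            if nodes and nodes[-1][0] == 'text':
                nodes[-1] = ('text', nodes[-1][1] + data)
            else:
                nodes.append(('text', data))

    def default(data):
        # Reached for markup with no dedicated handler; inside the element of
        # interest the only such markup in these samples is an entity reference.
        if state['inside'] and data.startswith('&'):
            nodes.append(('entref', data))

    p = xml.parsers.expat.ParserCreate()
    p.StartElementHandler = start
    p.EndElementHandler = end
    p.CharacterDataHandler = text
    if not expand_entities:
        # Side effect documented by expat: internal entity expansion is turned off
        # and the references are passed to this handler instead.
        p.DefaultHandler = default
    p.Parse(xml_text, True)
    return nodes


def canonical_text(xml_text, element='NameID'):
    """What canonicalization, and therefore the signature, effectively sees: the DTD
    is discarded and entity references are replaced by their replacement text."""
    return ''.join(d for kind, d in child_nodes(xml_text, element, True) if kind == 'text')


def naive_unmarshal(xml_text, element='NameID'):
    """Pre-fix behaviour: trust the first child node's value, the equivalent of
    reading getFirstChild()->getNodeValue() from a DOM that kept the entity node."""
    nodes = child_nodes(xml_text, element, False)
    return nodes[0][1] if nodes and nodes[0][0] == 'text' else ''


def hardened_unmarshal(xml_text, element='NameID'):
    """Post-fix behaviour in the spirit of CPPXT-127: refuse an element whose content
    contains an entity reference node instead of guessing at its value."""
    nodes = child_nodes(xml_text, element, False)
    if any(kind == 'entref' for kind, _ in nodes):
        raise ValueError('entity reference node in %s content; rejecting assertion' % element)
    return ''.join(d for _, d in nodes)


if __name__ == '__main__':
    print('signed view  :', canonical_text(SIGNED_BY_IDP))
    print('forged view  :', canonical_text(FORGED), '(same text, so the signature holds)')
    print('naive SP sees:', naive_unmarshal(FORGED))
    try:
        hardened_unmarshal(FORGED)
    except ValueError as exc:
        print('hardened SP  :', exc)
```

Run as a script, the forged document canonicalizes to the same NameID text as the signed one, the naive unmarshaller hands "admin" to the application, and the hardened path rejects the assertion outright. Rejecting rather than concatenating is the right choice: an SP cannot know which of several text nodes the IdP meant, so any foreign node inside attribute or NameID content is a reason to fail closed.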