[xmltooling] annotated tag debian/1.5.3-2+deb8u2 created (now 4ce1bda)

Ferenc Wágner wferi at moszumanska.debian.org
Sat Jan 13 00:23:11 UTC 2018


This is an automated email from the git hooks/post-receive script.

wferi pushed a change to annotated tag debian/1.5.3-2+deb8u2
in repository xmltooling.

        at  4ce1bda   (tag)
   tagging  809e59899ada40d5e2c88d37b40ad5fcf9ecd665 (commit)
  replaces  debian/1.5.3-2+deb8u1
 tagged by  Ferenc Wágner
        on  Fri Jan 12 21:05:09 2018 +0100

- Log -----------------------------------------------------------------
xmltooling Debian release 1.5.3-2+deb8u2

Format: 1.8
Date: Fri, 12 Jan 2018 12:00:08 +0100
Source: xmltooling
Binary: libxmltooling6 libxmltooling-dev xmltooling-schemas libxmltooling-doc
Architecture: source i386
Version: 1.5.3-2+deb8u2
Distribution: jessie-security
Urgency: high
Maintainer: Debian Shib Team <pkg-shibboleth-devel at lists.alioth.debian.org>
Changed-By: Ferenc Wágner <wferi at debian.org>
Description:
 libxmltooling-dev - C++ XML parsing library with encryption support (development)
 libxmltooling-doc - C++ XML parsing library with encryption support (API docs)
 libxmltooling6 - C++ XML parsing library with encryption support (runtime)
 xmltooling-schemas - XML schemas for XMLTooling
Changes:
 xmltooling (1.5.3-2+deb8u2) jessie-security; urgency=high
 .
   * [5c2845b] Add gbp.conf for jessie
   * [0ffc343] Convert our single patch into a proper patch queue
   * [91e7acb] New patch: CVE-2018-0486: vulnerability to forged user attribute
     data
     The Service Provider software relies on a generic XML parser to process
     SAML responses and there are limitations in older versions of the parser
     that make it impossible to fully disable Document Type Definition (DTD)
     processing.
     Through addition/manipulation of a DTD, it's possible to make changes
     to an XML document that do not break a digital signature but are
     mishandled by the SP and its libraries. These manipulations can alter
     the user data passed through to applications behind the SP and result
     in impersonation attacks and exposure of protected information.
     While the use of XML Encryption can serve as a mitigation for this bug,
     it may still be possible to construct attacks in such cases, and the SP
     does not provide a means to enforce its use.
     CPPXT-127 - Block entity reference nodes during unmarshalling.
     https://issues.shibboleth.net/jira/browse/CPPXT-127
     Thanks to Scott Cantor
   * [49b7352] Update Uploaders: add Etienne, remove Russ, update myself

Ferenc Wágner (5):
      Add gbp.conf for jessie
      Convert our single patch into a proper patch queue
      New patch CVE-2018-0486-vulnerability-to-forged-user-attribute-data.patch
      Update Uploaders: add Etienne, remove Russ, update myself
      Update changelog for 1.5.3-2+deb8u2 release

-----------------------------------------------------------------------

No new revisions were added by this update.

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-shibboleth/xmltooling.git
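
The changelog entry above says the fix blocks entity reference nodes during unmarshalling because DTD processing could not be fully disabled in the parser. The following is an added example, not the CPPXT-127 patch or any Shibboleth code: it uses Python's standard expat bindings to show the stricter alternative of refusing any document that carries a DOCTYPE or entity declaration before attribute values are read. The element names, the function name and both sample messages are constructed for illustration.

```python
import xml.parsers.expat


class DtdRejected(ValueError):
    """The document carries a DOCTYPE or an entity declaration."""


def parse_attribute_values(xml_bytes):
    """Return {Name: text} for each Attribute element, refusing any DTD."""
    values, open_attrs = {}, []   # open_attrs: names of Attributes being read
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        # Fires for internal and external subsets alike, before any entity
        # can be declared or expanded.
        raise DtdRejected("DOCTYPE %r is not allowed in this message" % name)

    def on_entity_decl(name, *_rest):
        # Second line of defence in case a declaration is reached anyway.
        raise DtdRejected("entity declaration %r is not allowed" % name)

    def on_start(tag, attrs):
        if tag == "Attribute":
            open_attrs.append(attrs.get("Name", ""))
            values[open_attrs[-1]] = ""

    def on_end(tag):
        if tag == "Attribute" and open_attrs:
            open_attrs.pop()

    def on_text(data):
        # expat may deliver one text run in several pieces, so accumulate.
        if open_attrs:
            values[open_attrs[-1]] += data

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    parser.CharacterDataHandler = on_text
    parser.Parse(xml_bytes, True)   # exceptions raised in handlers propagate
    return values


# Constructed samples: the same assertion fragment without and with a DTD.
BODY = b'<Assertion><Attribute Name="uid"><AttributeValue>%s</AttributeValue></Attribute></Assertion>'
PLAIN = BODY % b"alice"
WITH_DTD = b'<!DOCTYPE Assertion [<!ENTITY u "alice">]>' + BODY % b"&u;"
```
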


