Accepted xmltooling 1.6.0-4+deb9u1 (source) into proposed-updates->stable-new, proposed-updates
Ferenc Wágner
wferi at debian.org
Fri Mar 2 21:47:23 UTC 2018
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 22 Feb 2018 14:55:42 CET
Source: xmltooling
Binary: libxmltooling7 libxmltooling-dev xmltooling-schemas libxmltooling-doc
Architecture: source
Version: 1.6.0-4+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Debian Shib Team <pkg-shibboleth-devel at lists.alioth.debian.org>
Changed-By: Ferenc Wágner <wferi at debian.org>
Description:
libxmltooling-dev - C++ XML parsing library with encryption support (development)
libxmltooling-doc - C++ XML parsing library with encryption support (API docs)
libxmltooling7 - C++ XML parsing library with encryption support (runtime)
xmltooling-schemas - XML schemas for XMLTooling
Changes:
xmltooling (1.6.0-4+deb9u1) stretch-security; urgency=high
.
  [ Russ Allbery ]
  * [4e7dec2] Remove myself from Uploaders
.
  [ Ferenc Wágner ]
  * [2e5cad6] New patch fixing CVE-2018-0486: vulnerability to forged user
    attribute data.
    The Service Provider software relies on a generic XML parser to process
    SAML responses and there are limitations in older versions of the parser
    that make it impossible to fully disable Document Type Definition (DTD)
    processing.
    Through addition/manipulation of a DTD, it's possible to make changes
    to an XML document that do not break a digital signature but are
    mishandled by the SP and its libraries. These manipulations can alter
    the user data passed through to applications behind the SP and result
    in impersonation attacks and exposure of protected information.
    While the use of XML Encryption can serve as a mitigation for this bug,
    it may still be possible to construct attacks in such cases, and the SP
    does not provide a means to enforce its use.
    https://shibboleth.net/community/advisories/secadv_20180112.txt
    CPPXT-127 - Block entity reference nodes during unmarshalling.
    https://issues.shibboleth.net/jira/browse/CPPXT-127
  * [91c50ae] New patches fixing CVE-2018-0489: additional data forgery flaws.
    These flaws allow for changes to an XML document that do not break a
    digital signature but alter the user data passed through to applications
    enabling impersonation attacks and exposure of protected information.
    https://shibboleth.net/community/advisories/secadv_20180227.txt
    https://issues.shibboleth.net/jira/browse/CPPXT-128
    The Add-disallowDoctype-to-parser-configuration.patch is not effective
    under Xerces 3.1 in stretch, but provides more generic protection under
    Xerces 3.2 against issues like CVE-2018-0486. It's included here for
    completeness and to avoid a conflict applying the CVE-2018-0489 patch.
Checksums-Sha256:
1f4964f23fa88d604d4dca2ac8f994a689c31c9d6352e6f051f9ed2a61157bab 2491 xmltooling_1.6.0-4+deb9u1.dsc
06a4f61f9bd27a541079b252d2c21e238a5e01334aeda4010cde94b9d9cafe64 72976 xmltooling_1.6.0-4+deb9u1.debian.tar.xz
bc491c49f9551e845018fadc4a462eb3a9d01157cf333a88e53c3407a7e163ca 10048 xmltooling_1.6.0-4+deb9u1_amd64.buildinfo
e26a66cb10d767743c6af9a663fa3c7cb4dace55ec79cc91f9d8d528994af0b6 553346 xmltooling_1.6.0.orig.tar.bz2
Checksums-Sha1:
fe8b36b6d73928a8f964c1d332e2e86dbbee5c4a 2491 xmltooling_1.6.0-4+deb9u1.dsc
265fdbd04be1234423e992e4c280b62fd3fe0042 72976 xmltooling_1.6.0-4+deb9u1.debian.tar.xz
13de71c24a38b85564e951dfeac8487f23f4e62c 10048 xmltooling_1.6.0-4+deb9u1_amd64.buildinfo
c179745780c26e18b7d613536c25c1d45a09f8a3 553346 xmltooling_1.6.0.orig.tar.bz2
Files:
4af3a97f27a5d2a9305acb9a521a1aba 2491 libs extra xmltooling_1.6.0-4+deb9u1.dsc
ec83fbaa544111e99f572505fce23617 72976 libs extra xmltooling_1.6.0-4+deb9u1.debian.tar.xz
a9e302cc83e36250290b09eff159c452 10048 libs extra xmltooling_1.6.0-4+deb9u1_amd64.buildinfo
428e1d672952adf7ad0bee8ab3432dad 553346 libs extra xmltooling_1.6.0.orig.tar.bz2
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
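The changelog above describes the bug class (a DTD or other markup change that leaves a signature valid but is misread when the SP pulls user data out of the DOM) and the two mitigations (refusing DOCTYPE at the parser, and blocking entity reference nodes during unmarshalling), but no reproduction. The following is an added example written for this page, not code from xmltooling or from the Shibboleth project, using only the Python standard library on constructed sample assertions. The element layout and the identifiers alice@example.org and .attacker.test are assumptions; Python's minidom stands in for the Xerces DOM, the stdlib C14N writer stands in for the canonicalization step of an XML signature, and the expat DOCTYPE handler plays the role of the disallowDoctype parser setting.

```python
"""Added example (not from the xmltooling package or the Shibboleth project).

Shows two things on constructed documents:
  1. A DOCTYPE gate at the parser level, in the spirit of
     Add-disallowDoctype-to-parser-configuration.patch: the document is
     refused before any entity can be expanded.
  2. Why such manipulations survive a signature: the canonical form, which
     is what a signature is computed over, is identical for the benign
     document and for the manipulated ones (DTD dropped, entities expanded,
     comments removed), while a naive "first text child" extraction of the
     subject identifier returns something else.
"""
from xml.dom import minidom, Node
from xml.etree import ElementTree as ET
from xml.parsers import expat

# Constructed sample: what an IdP legitimately signs for an account the
# attacker controls, "alice@example.org.attacker.test" (hypothetical names).
BENIGN = ('<Assertion><Subject><NameID>alice@example.org.attacker.test'
          '</NameID></Subject></Assertion>')

# Constructed manipulation 1: a comment splits the identifier into two
# DOM text nodes; canonicalization without comments removes it again.
COMMENT_SPLIT = ('<Assertion><Subject><NameID>alice@example.org<!-- x -->'
                 '.attacker.test</NameID></Subject></Assertion>')

# Constructed manipulation 2: a DTD entity carries the tail of the
# identifier. A DOM that keeps entity-reference nodes (the Xerces setup the
# changelog refers to) would hold a text node followed by an
# ENTITY_REFERENCE_NODE here; canonicalization expands the reference.
DTD_DOC = ('<!DOCTYPE Assertion [<!ENTITY tail ".attacker.test">]>'
           '<Assertion><Subject><NameID>alice@example.org&tail;</NameID>'
           '</Subject></Assertion>')


def canonical(xml_text: str) -> str:
    """Canonical XML (C14N 2.0 as implemented by the stdlib) without
    comments. The properties relied on here (DTD removed, entity references
    expanded, comments dropped) also hold for the C14N 1.0 / exclusive C14N
    transforms used with XML signatures."""
    return ET.canonicalize(xml_data=xml_text, with_comments=False)


def load_without_dtd(xml_text: str) -> minidom.Document:
    """Refuse any document carrying a DOCTYPE before building a DOM.

    The expat handler fires on the declaration itself, so no entity from an
    internal or external subset is ever expanded. minidom on its own would
    expand internal entities silently."""
    gate = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise ValueError("DOCTYPE declaration refused: %r" % name)

    gate.StartDoctypeDeclHandler = on_doctype
    gate.Parse(xml_text, True)
    return minidom.parseString(xml_text)


def is_rejected(xml_text: str) -> bool:
    """True if the DOCTYPE gate refuses the document."""
    try:
        load_without_dtd(xml_text)
    except ValueError:
        return True
    return False


def name_id_naive(doc: minidom.Document) -> str:
    """The extraction pattern behind the forgery: only the first child
    node's data is read."""
    return doc.getElementsByTagName("NameID")[0].firstChild.data


def name_id_hardened(doc: minidom.Document) -> str:
    """Concatenate every text/CDATA child, skip comments, and refuse
    anything else (entity references, nested elements, PIs): the shape of
    the 'block entity reference nodes during unmarshalling' fix."""
    parts = []
    for child in doc.getElementsByTagName("NameID")[0].childNodes:
        if child.nodeType in (Node.TEXT_NODE, Node.CDATA_SECTION_NODE):
            parts.append(child.data)
        elif child.nodeType == Node.COMMENT_NODE:
            continue
        else:
            raise ValueError("unexpected node type %d in NameID" % child.nodeType)
    return "".join(parts)


if __name__ == "__main__":
    # All three documents have the same canonical form, so a signature over
    # the benign one also verifies over the manipulated ones.
    assert canonical(BENIGN) == canonical(COMMENT_SPLIT) == canonical(DTD_DOC)
    doc = load_without_dtd(COMMENT_SPLIT)
    print("naive   :", name_id_naive(doc))        # alice@example.org
    print("hardened:", name_id_hardened(doc))     # alice@example.org.attacker.test
    print("DTD doc rejected:", is_rejected(DTD_DOC))  # True
```

Because minidom expands internal entities itself, the ENTITY_REFERENCE_NODE branch of name_id_hardened is only reached with a DOM that retains such nodes, which is the Xerces configuration the changelog describes; the DOCTYPE gate makes that branch unnecessary by refusing the document first, and is the layer the changelog notes cannot be had from Xerces 3.1 in stretch.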