Bug#905332: debdiff

Ferenc Wágner wagner.ferenc at kifu.gov.hu
Tue Nov 6 09:12:29 GMT 2018

Christian Fischer <christian.fischer at greenbone.net> writes:

> On Fri, 03 Aug 2018 14:42:16 +0200 wferi at niif.hu (Ferenc Wágner) wrote:
>> Unfortunately the CVE hasn't arrived yet; I'll
>> forward it to you once it does.  My acknowledgement mail is of
>> subject "CVE Request 548000 for CVE ID Request" from
>> CVE-Request at mitre.org (just for the record).
> Have you received a CVE for this issue yet? Tried to look around in
> various sources but wasn't able to identify a published CVE for this
> issue yet.


I haven't received a CVE for this issue, unfortunately.  My original
request was deflected by Mitre saying that the Apache Software
Foundation should issue this CVE.  However, the Apache webpage states
that they issue IDs for undisclosed vulnerabilities only.  My three
follow-up mails asking for clarification remained unanswered by Mitre.

To add more bad news, according to http://santuario.apache.org/ the
just-released 2.0.2 fixes a very similar bug, which might mean another DoS; I
couldn't investigate yet.  But if it does, we'll need yet another CVE
for that.  I'm sending out some queries.
