xml-security-c 2.0.2

Cantor, Scott cantor.2 at osu.edu
Tue Nov 6 14:16:50 GMT 2018

> http://santuario.apache.org/ states that 2.0.2 fixes a crash similar to the one
> fixed by 2.0.1.  This latter was a DoS vector in Shibboleth, but I can't see a
> security advisory now; does this mean that SANTUARIO-496 is not exploitable?

I haven't updated the advisory yet; I'm waiting on the SP release, and that's waiting on whether curl 7.62.0 is too buggy to use or not. I would suggest you just attach this to the same CVE as before and update it to reflect the versions involved. That would be accurate.

-- Scott

More information about the Pkg-shibboleth-devel mailing list