xml-security-c 2.0.2

Ferenc W√°gner wagner.ferenc at kifu.gov.hu
Wed Nov 7 11:58:25 GMT 2018

"Cantor, Scott" <cantor.2 at osu.edu> writes:

>> http://santuario.apache.org/ states that 2.0.2 fixes a crash similar to the one
>> fixed by 2.0.1.  This latter was a DoS vector in Shibboleth, but I can't see a
>> security advisory now; does this mean that SANTUARIO-496 is not exploitable?
> I haven't updated the advisory yet, I'm waiting on the SP release and
> that's waiting on whether curl 7.62.0 is too buggy to use or not.

Ah, I see.

> I would suggest you just attach this to the same CVE as before and
> update it to reflect the versions involved. That would be accurate.

Yeah, two problems with that: 1. according to the Debian Security Team,
CVE policies disallow merging of issues with significantly different
discovery times; 2. Mitre declined allocating a CVE even for the first
one, saying that the Apache Foundation should assign these for its own
products, or even more, it should have allocated one already during the
patching process.  Now, the Apache Security Team webpage emphasises that
they only handle undisclosed issues, so I'm uncertain what to do.  Are
you okay with me asking them nevertheless?

Also, SANTUARIO-496 affects 2.0.0+ only, but the same code is present in
earlier versions as well.  Is there really an excuse for not backporting
the fix to 1.7 as shipped (and patched for SANTUARIO-491) in Debian
stable, or you simply didn't care to enumerate such ancient versions?

More information about the Pkg-shibboleth-devel mailing list