Bug#950135: libxmltooling8: Race condition bug in new session cookie feature leads to SP crash

Etienne Dysli Metref etienne.dysli-metref at switch.ch
Wed Jan 29 09:23:30 GMT 2020


Package: libxmltooling8
Version: 3.0.4-1
Severity: important
Tags: upstream

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Dear Maintainer,

According to an upstream bug report [1], xmltooling versions 3.0.0 to 3.0.4 suffer from a race condition bug that leads to a crash under load. This bug affects the Shibboleth Service Provider (SP) software (source package: shibboleth-sp), which is the main user of libxmltooling. The only way to avoid this crash is to disable the "session recovery" feature, which was introduced in SP version 3 [2, 3].

Upstream has released xmltooling version 3.0.5 specifically to fix that bug. Since this new release is already in Debian unstable (thanks!), please consider uploading it to stable as well, so that the new session recovery feature works without crashing the whole SP.

Sincerely,
  Etienne

[1] https://issues.shibboleth.net/jira/browse/CPPXT-145
[2] https://wiki.shibboleth.net/confluence/display/SP3/SessionCache
[3] https://shibboleth.net/pipermail/dev/2019-September/010552.html

- -- System Information:
Debian Release: buster/sid
  APT prefers bionic-updates
  APT policy: (500, 'bionic-updates'), (500, 'bionic-security'), (500, 'bionic'), (100, 'bionic-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.3.0-26-generic (SMP w/16 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEELcQv7Fsn8jFmeD9mw2QssxGaOsAFAl4xTwwACgkQw2QssxGa
OsCn5w/9HZRi93Lcgj43qYYx/LxSFRCNMYbRAF5CA0HcrTxuItkbcdUO8BiWGJOF
29fsxkEcNVaDJkPxKS5GiePG6LqcTyTbEy5mf/ib4cQpDB67QrJ+fo18TIOA1H0q
M7DC6PazwrAJg2i4qTiZG+7SO4YXArFktDZRfLM1lwtVpblwG9QUmh5R7JlBLFDN
aX8ou6L+hDMl0pLUCzBYBBve7IxT5Kz7vSNVwTCDLDh9uofXJ3ghVadiRwzJnfHX
wCQ7V3Ghtm0BWe3KZgiutl0SvnQUMAeT4WsGy/BJ/zmz6Qx4N1rm5hSBsDMuPON0
wFR6kzRlBPP0i+AYbs5XGZ10e3R9q75yfAnILxGsuRk7M5EjSFd7lHfroWBuNtQ6
Whx0AFs985HT9Fv+cjAP7Aj3lA3Kw97FX4txyKLVGpoNSwz6/qHEMD+ZcFiZlyuP
MinbAIOzdKwNWO5NJKozLdHI4sOwfjze/RhWtWriUvsLx5+gUDDKsKZH1kVroMz/
C22i4pgDzOYcAd7lFpVPkGKFP6kcGHEqOpFEsvfUs9UFscRM6j5/ChYuc0fE+VVd
MepFqGuaqH4c24A370IBuNHeAPK9wZdVVqmqIipU8136hGu25B37vyG2HpEbkOLM
TQtAezafUtiLphMLKSOlWBq+3S+6LeyhXblaDB+ZRyCvNPV/ZUg=
=sqMu
-----END PGP SIGNATURE-----
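Added example (not part of the bug report, and not code from the xmltooling or shibboleth-sp projects): a POSIX sh check that classifies a libxmltooling8 package version against the affected upstream range 3.0.0 to 3.0.4 named above, and queries dpkg for the installed version on a Debian host. The dpkg-query invocation is standard; the range logic compares only the upstream part of the Debian version string with `sort -V`, which is assumed adequate for plain x.y.z versions like these and is not a full reimplementation of dpkg's ordering.

```shell
#!/bin/sh
# Added example, not part of the bug report: is the installed (or a given)
# libxmltooling8 version inside the range affected by CPPXT-145, 3.0.0 <= v < 3.0.5?

# upstream_version VERSION: reduce a Debian version string
# (epoch:upstream-revision) to its upstream part, e.g. "1:3.0.4-1" -> "3.0.4".
upstream_version() {
    v=${1#*:}                 # drop the epoch, if any
    printf '%s\n' "${v%-*}"   # drop the Debian revision, if any
}

# version_lt A B: true when A sorts strictly before B under sort -V.
# Assumption: sort -V ordering matches dpkg ordering for simple x.y.z strings.
version_lt() {
    [ "$1" != "$2" ] && \
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
}

# is_affected VERSION: exit 0 when the upstream version lies in [3.0.0, 3.0.5).
is_affected() {
    up=$(upstream_version "$1")
    ! version_lt "$up" 3.0.0 && version_lt "$up" 3.0.5
}

# check_installed: ask dpkg for the installed libxmltooling8 version and report.
# Returns 1 when the installed version is affected, 0 otherwise (including when
# dpkg is unavailable or the package is not installed).
check_installed() {
    if ! command -v dpkg-query >/dev/null 2>&1; then
        echo "dpkg-query not found; skipping live check"
        return 0
    fi
    if ! inst=$(dpkg-query -W -f='${Version}' libxmltooling8 2>/dev/null); then
        echo "libxmltooling8 is not installed"
        return 0
    fi
    if is_affected "$inst"; then
        echo "libxmltooling8 $inst is affected: upgrade to >= 3.0.5 or disable SP session recovery"
        return 1
    fi
    echo "libxmltooling8 $inst is not in the affected range"
}

# Usage: sh check_xmltooling.sh [VERSION...]
#   With arguments, classify each given version string (useful on non-Debian hosts);
#   with no arguments, check the package actually installed via dpkg.
if [ $# -gt 0 ]; then
    for ver in "$@"; do
        if is_affected "$ver"; then echo "$ver: affected"; else echo "$ver: not affected"; fi
    done
else
    check_installed
fi
```

On a Debian system `dpkg --compare-versions "$inst" lt 3.0.5` gives the authoritative ordering; the `sort -V` path exists so the range logic can be exercised where dpkg is absent, for instance when checking a version string copied from a bug report.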