Bug#985405: src:shibboleth-sp: Error templates allow query-based override of variables

Moritz Muehlenhoff jmm at inutil.org
Wed Mar 17 19:06:22 GMT 2021


On Wed, Mar 17, 2021 at 06:19:07PM +0100, wferi at niif.hu wrote:
> Dear Security Team,
> 
> Please review the debdiff below for a buster-security upload.
> The advisory text changed a little meanwhile, adding credits to Toni
> Huttunen, Fraktal Oy for discovering the problem, mentioning the style
> sheet spoofing and adding some mitigation tips.
> 
> I haven't got a concrete exploit on hand, but I'll start testing the
> updated package shortly.

debdiff looks fine, please upload when you've had a chance to test it
(and remember to build with -sa, since shib-sp is new in buster-security;
ftp-master and security-master don't share tarballs)

Cheers,
        Moritz


