shibboleth-sp_3.0.4+dfsg1-1+deb10u1_source.changes ACCEPTED into proposed-updates->stable-new, proposed-updates
Debian FTP Masters
ftpmaster at ftp-master.debian.org
Fri Mar 19 19:32:09 GMT 2021
Accepted:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 17 Mar 2021 21:40:34 CET
Source: shibboleth-sp
Architecture: source
Version: 3.0.4+dfsg1-1+deb10u1
Distribution: buster-security
Urgency: high
Maintainer: Debian Shib Team <pkg-shibboleth-devel at lists.alioth.debian.org>
Changed-By: Ferenc Wágner <wferi at debian.org>
Closes: 985405
Changes:
shibboleth-sp (3.0.4+dfsg1-1+deb10u1) buster-security; urgency=high
.
* [594074b] New patch: SSPCPP-922 - Add externalParameters option to Errors
element.
Fix a phishing vulnerability: Template generation allows external
parameters to override placeholders
The primitive template engine used to render error pages allows
replacement via query parameters also, though this is not a typical
need. Because of this feature, it's possible to cause the SP to
display some templates containing values supplied externally by URL
manipulation. Though the values are encoded to prevent script
injection, the content nevertheless appears to come from the server
and so would be interpreted as trustworthy, allowing email addresses,
logos, or support URLs to be manipulated by an attacker.
This update adds a new <Errors> setting to the configuration called
externalParameters, which defaults to false. When false, support for
this "feature" is disabled.
https://shibboleth.net/community/advisories/secadv_20210317.txt
https://issues.shibboleth.net/jira/browse/SSPCPP-922
Thanks to Scott Cantor (Closes: #985405)
Checksums-Sha256:
c33ef8a0c0735abe7348e9825588bba01ac62325a6dc4375be21b153b8c0fd88 3034 shibboleth-sp_3.0.4+dfsg1-1+deb10u1.dsc
6790ac56e79c215dd38a065c94905b979185b72294d3fce2cd78ba43995831f4 79324 shibboleth-sp_3.0.4+dfsg1-1+deb10u1.debian.tar.xz
6f33456c355d811803afba004f90810f54fdd1f2398f3486fe73f8be0ca53b22 13808 shibboleth-sp_3.0.4+dfsg1-1+deb10u1_amd64.buildinfo
b327701d111da4b5da370eddc945c382abc378ff9445e1eda9554c0d7e6f1dca 629664 shibboleth-sp_3.0.4+dfsg1.orig.tar.xz
Checksums-Sha1:
b772eca334b15268404717420e899765f6d19d38 3034 shibboleth-sp_3.0.4+dfsg1-1+deb10u1.dsc
41ce923aef344361e7df8f2625f31ef3d84cf85f 79324 shibboleth-sp_3.0.4+dfsg1-1+deb10u1.debian.tar.xz
f73d4690f2fad69caaac1beb0a871266b732c309 13808 shibboleth-sp_3.0.4+dfsg1-1+deb10u1_amd64.buildinfo
cf6064d46a963cd5704439d0124bd7333ea8447e 629664 shibboleth-sp_3.0.4+dfsg1.orig.tar.xz
Files:
b2030bd2eafac8728d6aa75d9bf7eca0 3034 web optional shibboleth-sp_3.0.4+dfsg1-1+deb10u1.dsc
74d4b3c702dd8219f9f81720c7fc5bc1 79324 web optional shibboleth-sp_3.0.4+dfsg1-1+deb10u1.debian.tar.xz
ee57dbfb6777b3d0c9f64eced6efab02 13808 web optional shibboleth-sp_3.0.4+dfsg1-1+deb10u1_amd64.buildinfo
050e90a66472f17e81acd2ab21b677c2 629664 web optional shibboleth-sp_3.0.4+dfsg1.orig.tar.xz
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEwddEx0RNIUL7eugtOsj3Fkd+2yMFAmBSaYsACgkQOsj3Fkd+
2yOZyQ/+JOqrW/hSIdV64BRu0wYR7+gwrRM2/a29Dy9zZYKr1AAF6i2IgAmCYic2
7kNOmqKwqjEDpEf50NizKqcMxqqjlwE7M0sBz7pMIw2IR2VWL1HzOQgs1uP0HfLB
uU3sP9JUY6HmRMoZyjDsEx1iyLmHRsQ3Lb1+eMb5w/Rx7Fn1tOOlKmBE/0zOqy6A
m1drxjGtRoY65bOnjoqTJ1mUWJVLySg7OXMCsop2pCpftGDCSzSMDl7DWErM2OMF
CsisB5jx9RB3OsxYr2H7mQNY3LW7CI5MT2CKw92n7Ebv3WqSMltUjiDPj0Qqy4Pp
w9qv8mZ8iyEA7SQH13hKVSP0R7Ss7FeZIsRzjOHXocwZpxU+T+wVSNzeuD75oA8M
rP8TTDk7fSGTjhxg/rIffH04+RiJ1rDvSC1gncLphjUNzok5tnzs9OBaYH9Hy6sP
xQLCC+SCO8xfGBGM5dJgLJqzZ1jmdPFVd96wmzRdFNzdnMsCqSMlz/nexIYCjk1z
WafbGbjN+QnpuCRqDD15ySXZSE29KWvbBwnz8ULYf79RQp0AynkOLwub/3MQgXmQ
f+/adJACwlApqo+XP/hvuHsWo/VmgfxN7pNNvZTFvvPqwKlPD897phYFFUM48hKw
eVP3aDn4mkBfWQM6HlCIi9bwAF7CVnCTkFQEnAL6OtcSKpQJ4ZM=
=miVA
-----END PGP SIGNATURE-----
Thank you for your contribution to Debian.
More information about the Pkg-shibboleth-devel
mailing list