Your message dated Sun, 02 Aug 2015 17:47:48 +0000
with message-id <[email protected]>
and subject line Bug#793855: fixed in xmltooling 1.5.3-2+deb8u1
has caused the Debian Bug report #793855,
regarding DoS, Shibboleth SP software crashes on well-formed but invalid XML
(CVE-2015-0851)
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
793855: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=793855
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: xmltooling
Version: 1.3.3-2
Severity: serious
Tags: security patch upstream
Shibboleth Service Provider software contains a code path with an uncaught
exception that can be triggered by an unauthenticated attacker by
supplying well-formed but schema-invalid XML in the form of SAML
metadata or SAML protocol messages. The result is a crash and so
causes a denial of service.
Updated versions of OpenSAML-C (V2.5.5) and XMLTooling-C (V1.5.5)
are available that correct this bug.
This vulnerability has been assigned CVE-2015-0851.
Please mention the CVE ID in the changelog when fixing this issue.
References:
* Bulletin
http://shibboleth.net/community/advisories/secadv_20150721.txt
* Fixing commit (xmltooling)
https://git.shibboleth.net/view/?p=cpp-xmltooling.git;a=commitdiff;h=2d795c731e6729309044607154978696a87fd900
Cheers, Luca
--- End Message ---
--- Begin Message ---
Source: xmltooling
Source-Version: 1.5.3-2+deb8u1
We believe that the bug you reported is fixed in the latest version of
xmltooling, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Ferenc Wagner <[email protected]> (supplier of updated xmltooling package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Sun, 19 Jul 2015 19:06:38 +0200
Source: xmltooling
Binary: libxmltooling6 libxmltooling-dev xmltooling-schemas libxmltooling-doc
Architecture: source amd64 all
Version: 1.5.3-2+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Debian Shib Team <[email protected]>
Changed-By: Ferenc Wagner <[email protected]>
Description:
libxmltooling-dev - C++ XML parsing library with encryption support (development)
libxmltooling-doc - C++ XML parsing library with encryption support (API docs)
libxmltooling6 - C++ XML parsing library with encryption support (runtime)
xmltooling-schemas - XML schemas for XMLTooling
Closes: 793855
Changes:
xmltooling (1.5.3-2+deb8u1) jessie-security; urgency=high
.
* Apply security fix from 1.5.5 for CVE-2015-0851 DoS (Closes: #793855):
Shibboleth SP software crashes on well-formed but invalid XML
--- End Message ---