Your message dated Thu, 30 Jan 2020 21:17:48 +0000
with message-id <[email protected]>
and subject line Bug#913136: fixed in xml-security-c 1.7.3-4+deb9u2
has caused the Debian Bug report #913136,
regarding xml-security-c: DSA verification crashes OpenSSL on invalid combinations of key content
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
913136: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=913136
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: xml-security-c
Version: 1.2.1-3
Severity: important
Tags: patch upstream security
Forwarded: https://issues.apache.org/jira/browse/SANTUARIO-496
Control: fixed 2.0.2-1
Particular KeyInfo combinations result in incomplete DSA key structures that OpenSSL can't handle without crashing.
Very similar to #905332.
--- End Message ---
--- Begin Message ---
Source: xml-security-c
Source-Version: 1.7.3-4+deb9u2
We believe that the bug you reported is fixed in the latest version of
xml-security-c, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Ferenc Wágner <[email protected]> (supplier of updated xml-security-c package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Mon, 10 Dec 2018 11:45:41 +0100
Source: xml-security-c
Binary: libxml-security-c17v5 libxml-security-c-dev xml-security-c-utils
Architecture: source
Version: 1.7.3-4+deb9u2
Distribution: stretch
Urgency: medium
Maintainer: Debian Shib Team <[email protected]>
Changed-By: Ferenc Wágner <[email protected]>
Description:
libxml-security-c-dev - C++ library for XML Digital Signatures (development)
libxml-security-c17v5 - C++ library for XML Digital Signatures (runtime)
xml-security-c-utils - C++ library for XML Digital Signatures (utilities)
Closes: 913136
Changes:
xml-security-c (1.7.3-4+deb9u2) stretch; urgency=medium
.
* [12dd825] New patches: DSA verification crashes OpenSSL on invalid combinations of key content.
Particular KeyInfo combinations result in incomplete DSA key structures that OpenSSL can't handle without crashing. In the case of Shibboleth SP software this manifests as a crash in the shibd daemon. Exploitation is believed to be possible only in deployments employing the PKIX trust engine, which is generally recommended against.
The upstream patches backported from 2.0.2 apply analogous safeguards to the RSA and ECDSA key handling as well.
Upstream bug: https://issues.apache.org/jira/browse/SANTUARIO-496
CVE: not assigned
Thanks to Scott Cantor (Closes: #913136)
--- End Message ---
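As an added illustration of the safeguard the changelog describes (this is not code from the Debian messages, from xml-security-c or from the upstream patches), the stdlib-only Python below refuses a ds:DSAKeyValue unless all four components P, Q, G and Y are present and mutually consistent, so a verifying backend is never handed an incomplete DSA key. The KeyInfo samples, the toy parameters and the function names are constructed for this example.

```python
import base64
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
REQUIRED = ("P", "Q", "G", "Y")  # all four are needed to verify a DSA signature


class IncompleteDSAKey(ValueError):
    """Raised instead of passing a degenerate key on to the crypto backend."""


def _crypto_binary(element):
    # ds:CryptoBinary is base64 of an unsigned big-endian integer.
    text = "".join((element.text or "").split())
    if not text:
        raise IncompleteDSAKey(f"{element.tag} is empty")
    return int.from_bytes(base64.b64decode(text, validate=True), "big")


def load_dsa_verification_key(xml_text):
    """Return (p, q, g, y) only when the DSAKeyValue is complete and consistent."""
    root = ET.fromstring(xml_text)
    node = root if root.tag == DS + "DSAKeyValue" else root.find(".//" + DS + "DSAKeyValue")
    if node is None:
        raise IncompleteDSAKey("no ds:DSAKeyValue in KeyInfo")
    parts = {}
    for name in REQUIRED:
        child = node.find(DS + name)
        if child is None:
            raise IncompleteDSAKey(f"DSAKeyValue lacks {name}; refusing to verify")
        parts[name] = _crypto_binary(child)
    p, q, g, y = (parts[n] for n in REQUIRED)
    # Structural checks: g and y must lie in the order-q subgroup of Z_p^*.
    if not (1 < g < p and 1 < y < p and pow(g, q, p) == 1 and pow(y, q, p) == 1):
        raise IncompleteDSAKey("DSA key components are inconsistent")
    return p, q, g, y


def _b64(n):
    return base64.b64encode(n.to_bytes((n.bit_length() + 7) // 8, "big")).decode()


# Constructed toy KeyInfo samples (tiny parameters, not real keys).
COMPLETE_KEYINFO = ('<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><KeyValue><DSAKeyValue>'
                    f'<P>{_b64(23)}</P><Q>{_b64(11)}</Q><G>{_b64(4)}</G><Y>{_b64(18)}</Y>'
                    '</DSAKeyValue></KeyValue></KeyInfo>')
# Y only: an incomplete structure of the kind the changelog describes.
Y_ONLY_KEYINFO = ('<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><KeyValue><DSAKeyValue>'
                  f'<Y>{_b64(18)}</Y></DSAKeyValue></KeyValue></KeyInfo>')


def check_keyinfo(xml_text):
    """True if the key is usable for verification, False if it must be rejected."""
    try:
        load_dsa_verification_key(xml_text)
        return True
    except ValueError:  # IncompleteDSAKey and base64/XML decoding errors
        return False
```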