Source: xmltooling
Version: 1.3.3-2
Severity: serious
Tags: security patch upstream

Shibboleth Service Provider software contains a code path with an uncaught exception that can be triggered by an unauthenticated attacker by supplying well-formed but schema-invalid XML in the form of SAML metadata or SAML protocol messages. The result is a crash and so causes a denial of service.

Updated versions of OpenSAML-C (V2.5.5) and XMLTooling-C (V1.5.5) are available that correct this bug.

This vulnerability has been assigned CVE-2015-0851. Please mention the CVE ID in changelog when fixing this issue.

References:
* Bulletin
  http://shibboleth.net/community/advisories/secadv_20150721.txt
* Fixing commit (xmltooling)
  https://git.shibboleth.net/view/?p=cpp-xmltooling.git;a=commitdiff;h=2d795c731e6729309044607154978696a87fd900

Cheers, Luca