Control: tag -1 confirmed moreinfo

On Sat, Mar 16, 2019 at 09:45:31PM +0100, Ferenc Wágner wrote:
> When upstream fixed #924346 in xmltooling, they also fixed the same
> problem (uncaught parser exceptions) in shibboleth-sp to prevent DoS
> crashes that haven't been identified yet.  The fixes were published
> together in new patch-level upstream releases for the whole Shibboleth
> Service Provider stack: xmltooling, opensaml and shibboleth-sp.  Beyond
> the DoS prevention, shibboleth-sp 3.0.4 consists of three other bugfixes:
> * incorrect C++ code usage pattern invoking undefined behavior via
>   boost::bind (https://issues.shibboleth.net/jira/browse/SSPCPP-847,
>   already mentioned in unblock request #924577);
> * certain web applications provoking unbounded cookie data growth
>   (https://issues.shibboleth.net/jira/browse/SSPCPP-851); and
> * documented configuration settings being ignored in some contexts
>   (https://issues.shibboleth.net/jira/browse/SSPCPP-848).
> This last one can be worked around by verbosely expanding the affected
> configuration constructs, so it can be considered a minor issue.  But
> the other three are major or potentially serious, so I ask for your
> permission to upload 3.0.4+dfsg1-1 to unstable with a future unblock.

Please go ahead and remove the moreinfo tag when it is ready to unblock.

Thanks,

-- 
Jonathan Wiltshire                                      j...@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51
