Your message dated Tue, 04 Aug 2015 21:18:59 +0000
with message-id <[email protected]>
and subject line Bug#793855: fixed in xmltooling 1.4.2-5+deb7u1
has caused the Debian Bug report #793855,
regarding DoS, Shibboleth SP software crashes on well-formed but invalid XML (CVE-2015-0851)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
793855: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=793855
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: xmltooling
Version: 1.3.3-2
Severity: serious
Tags: security patch upstream

Shibboleth Service Provider software contains a code path with an uncaught
exception that can be triggered by an unauthenticated attacker by
supplying well-formed but schema-invalid XML in the form of SAML
metadata or SAML protocol messages. The result is a crash and so
causes a denial of service.

Updated versions of OpenSAML-C (V2.5.5) and XMLTooling-C (V1.5.5)
are available that correct this bug.

This vulnerability has been assigned CVE-2015-0851.
Please mention the CVE ID in changelog when fixing this issue.

References:
 * Bulletin
   http://shibboleth.net/community/advisories/secadv_20150721.txt
 * Fixing commit (xmltooling)
   https://git.shibboleth.net/view/?p=cpp-xmltooling.git;a=commitdiff;h=2d795c731e6729309044607154978696a87fd900

Cheers, Luca

--- End Message ---
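The failure mode described in the report above (an uncaught exception from schema validation terminating the whole service process) and the shape of the fix, as an added illustration that is not xmltooling's code or the upstream commit: the unmarshaller, the `Response`/`ID` rule and both handlers are constructed stand-ins for a real validating XML layer.

```cpp
#include <exception>
#include <regex>
#include <stdexcept>
#include <string>

// Constructed stand-in for the exception a schema-validating unmarshaller
// raises on well-formed but schema-invalid input.
struct ValidationError : std::runtime_error {
    using std::runtime_error::runtime_error;
};

// Hypothetical schema: a <Response> element whose ID attribute is required.
// Well-formed input missing the attribute is schema-invalid and throws.
std::string unmarshal_response_id(const std::string& xml) {
    static const std::regex well_formed(R"re(<Response(\s[^>]*)?>.*</Response>)re");
    static const std::regex id_attr(R"re(\sID="([^"]+)")re");
    std::smatch m;
    if (!std::regex_search(xml, m, well_formed))
        throw std::invalid_argument("not well-formed");
    const std::string attrs = m[1].str();
    std::smatch a;
    if (!std::regex_search(attrs, a, id_attr))
        throw ValidationError("schema violation: Response/@ID is required");
    return a[1].str();
}

// Vulnerable pattern: nothing catches the exception, so it unwinds out of the
// request handler; in a daemon that means std::terminate() and a crash (DoS)
// reachable by anyone who can deliver a message.
std::string handle_unguarded(const std::string& xml) {
    return "ok:" + unmarshal_response_id(xml);
}

// Hardened pattern: every exception from the parse/validate layer becomes an
// error result, so one malformed message cannot stop the process.
std::string handle_guarded(const std::string& xml) noexcept {
    try {
        return "ok:" + unmarshal_response_id(xml);
    } catch (const ValidationError& e) {
        return std::string("reject:") + e.what();   // schema-invalid input
    } catch (const std::exception& e) {
        return std::string("error:") + e.what();    // any other parse failure
    }
}
```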
--- Begin Message ---
Source: xmltooling
Source-Version: 1.4.2-5+deb7u1

We believe that the bug you reported is fixed in the latest version of
xmltooling, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ferenc Wagner <[email protected]> (supplier of updated xmltooling package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])



Format: 1.8
Date: Mon, 27 Jul 2015 11:39:26 +0200
Source: xmltooling
Binary: libxmltooling5 libxmltooling-dev xmltooling-schemas libxmltooling-doc
Architecture: source amd64 all
Version: 1.4.2-5+deb7u1
Distribution: wheezy-security
Urgency: high
Maintainer: Debian Shib Team <[email protected]>
Changed-By: Ferenc Wagner <[email protected]>
Description: 
 libxmltooling-dev - C++ XML parsing library with encryption support (development)
 libxmltooling-doc - C++ XML parsing library with encryption support (API docs)
 libxmltooling5 - C++ XML parsing library with encryption support (runtime)
 xmltooling-schemas - XML schemas for XMLTooling
Closes: 793855
Changes: 
 xmltooling (1.4.2-5+deb7u1) wheezy-security; urgency=high
 .
   * Apply security fix from 1.5.5 for CVE-2015-0851 DoS (Closes: #793855):
     Shibboleth SP software crashes on well-formed but invalid XML


--- End Message ---
