-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 22 Feb 2018 09:50:20 +0100
Source: xmltooling
Binary: libxmltooling6 libxmltooling-dev xmltooling-schemas libxmltooling-doc
Architecture: source i386 all
Version: 1.5.3-2+deb8u3
Distribution: jessie-security
Urgency: high
Maintainer: Debian Shib Team <pkg-shibboleth-de...@lists.alioth.debian.org>
Changed-By: Ferenc Wágner <wf...@debian.org>
Description:
 libxmltooling-dev - C++ XML parsing library with encryption support (development)
 libxmltooling-doc - C++ XML parsing library with encryption support (API docs)
 libxmltooling6 - C++ XML parsing library with encryption support (runtime)
 xmltooling-schemas - XML schemas for XMLTooling
Changes:
 xmltooling (1.5.3-2+deb8u3) jessie-security; urgency=high
 .
   * [2890d0c] New patches fixing CVE-2018-0489: additional data forgery flaws.
     These flaws allow for changes to an XML document that do not break a
     digital signature but alter the user data passed through to applications
     enabling impersonation attacks and exposure of protected information.
     https://shibboleth.net/community/advisories/secadv_20180227.txt
     https://issues.shibboleth.net/jira/browse/CPPXT-128
     The Add-disallowDoctype-to-parser-configuration.patch is not effective
     under Xerces 3.1 in jessie, but provides more generic protection under
     Xerces 3.2 against issues like CVE-2018-0486.  It's included here for
     completeness and to avoid a conflict applying the CVE-2018-0489 patch.