Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: pu
The Shibboleth suite of software and libraries, which includes xmltooling, opensaml2, and shibboleth-sp2, has had several vulnerabilities announced over the past month and a half. Most of those are in xmltooling and are being handled in conjunction with the Debian Security Team. However, part of one of the more minor fixes is in opensaml2, and at the recommendation of the security team, I'm proposing that change through the stable update process.

Attached is the debdiff against the version currently in stable. Please note that this fix is in a header file in a function that's inlined, so after this update is accepted (assuming it's accepted), shibboleth-sp2 in stable will need to be rebuilt against the new version of opensaml2. I understand that this can be done via the proposed-updates mechanism with a binary NMU.

Please let me know if I should go ahead and upload this package.

-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.30-1-686-bigmem (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -u opensaml2-2.0/debian/changelog opensaml2-2.0/debian/changelog --- opensaml2-2.0/debian/changelog +++ opensaml2-2.0/debian/changelog @@ -1,3 +1,13 @@ +opensaml2 (2.0-2+lenny1) stable; urgency=high + + * SECURITY: Correctly honor the "use" attribute of <KeyDescriptor> SAML + metadata to honor restrictions to signing or encryption. This is a + partial fix; the complete fix also requires a new version of the + xmltooling library. + See <http://shibboleth.internet2.edu/secadv/secadv_20090817a.txt> + + -- Russ Allbery <[email protected]> Wed, 23 Sep 2009 15:32:12 -0700 + opensaml2 (2.0-2) unstable; urgency=low * Include fix for https://bugs.internet2.edu/jira/browse/CPPOST-7 only in patch2: unchanged: --- opensaml2-2.0.orig/saml/saml2/metadata/MetadataCredentialCriteria.h +++ opensaml2-2.0/saml/saml2/metadata/MetadataCredentialCriteria.h @@ -1,5 +1,5 @@ /* - * Copyright 2001-2007 Internet2 + * Copyright 2001-2009 Internet2 * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -64,10 +64,10 @@ const MetadataCredentialContext* context = dynamic_cast<const MetadataCredentialContext*>(credential.getCredentalContext()); if (context) { // Check for a usage mismatch. - if ((getUsage() | (xmltooling::Credential::SIGNING_CREDENTIAL & xmltooling::Credential::TLS_CREDENTIAL)) && + if ((getUsage() & (xmltooling::Credential::SIGNING_CREDENTIAL | xmltooling::Credential::TLS_CREDENTIAL)) && XMLString::equals(context->getKeyDescriptor().getUse(),KeyDescriptor::KEYTYPE_ENCRYPTION)) return false; - else if ((getUsage() | xmltooling::Credential::ENCRYPTION_CREDENTIAL) && + else if ((getUsage() & xmltooling::Credential::ENCRYPTION_CREDENTIAL) && XMLString::equals(context->getKeyDescriptor().getUse(),KeyDescriptor::KEYTYPE_SIGNING)) return false; }
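Review bot: the debian/changelog hunk should record that the corrected function is inline in MetadataCredentialCriteria.h and that shibboleth-sp2 therefore needs a binNMU against the new opensaml2 before the fix takes effect; the cover mail says this, but the changelog is what anyone auditing the stable update later will read. It would also help to name the xmltooling upload that completes the fix next to the "partial fix" sentence, rather than leaving the reader to correlate it with the advisory URL.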
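Review bot: the copyright-year hunk in MetadataCredentialCriteria.h (2001-2007 to 2001-2009) is unrelated to the security fix. A stable update debdiff is easier to review when it carries only the functional change, so consider dropping this hunk unless it is needed to keep the file identical to upstream's patch.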
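Review bot: the operator swap in the usage-mismatch hunk is the whole fix and reads correctly, but nothing in the diff exercises it, so a regression test is warranted. Assuming the credential usage constants are distinct bit flags (their use in bitmask expressions suggests they are), the old `getUsage() | (xmltooling::Credential::SIGNING_CREDENTIAL & xmltooling::Credential::TLS_CREDENTIAL)` is non-zero whenever any usage is requested, because the AND of two distinct flags is zero, and `getUsage() | xmltooling::Credential::ENCRYPTION_CREDENTIAL` is never zero; neither branch therefore depended on the requested usage in the way the "Check for a usage mismatch" comment intends. With `&` on the outside and the flags OR'd together, the first branch rejects a key marked use="encryption" only when signing or TLS usage was requested, and the second rejects a key marked use="signing" only when encryption usage was requested. Suggest a test that builds a MetadataCredentialContext for each of the two `use` values and checks both the rejected and the accepted combination; because the function is inline, that test must be run from a consumer rebuilt against the new header.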

