Bug#780383: libopensaml2-java: CVE-2015-1796

2015-06-29 Thread Moritz Muehlenhoff
On Sat, May 09, 2015 at 08:35:13AM -0700, tony mancill wrote:
 On 05/06/2015 10:54 PM, tony mancill wrote:
  An update on this...  I'm in the midst of packaging 2.6.5, but it in
  turn requires an update to libxmltooling-java to version 1.4.4, which I
  am working on now.
 
 In an email exchange with Scott Cantor, who works on this family of
 libraries upstream, he stated that the v2 libraries will be EOL this
 summer, and that he would advise not to ship them in a release unless
 Debian will maintain them.
 
 Based upon that information, the low popcon, and the fact that this
 cluster of packages appear to be leaf packages (I can't find r-deps for
 them):
 
  libopenws-java
  libshib-common-java
  libopensaml2-java
  libshib-parent-project2-java
 
 I'm not going to take action to prevent the automated removal from
 testing and am considering requesting that the packages be removed from
 the archive.  If people are using these libraries and can make a case
 for them being available in Debian, please speak up.

Since no one objected and since they're already dropped from testing
for three weeks now, I'll also request removal from unstable now.

Cheers,
Moritz

__
This is the maintainer address of Debian's Java team
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers. 
Please use
debian-j...@lists.debian.org for discussions and questions.


Bug#780383: libopensaml2-java: CVE-2015-1796

2015-05-09 Thread tony mancill
On 05/06/2015 10:54 PM, tony mancill wrote:
 An update on this...  I'm in the midst of packaging 2.6.5, but it in
 turn requires an update to libxmltooling-java to version 1.4.4, which I
 am working on now.

In an email exchange with Scott Cantor, who works on this family of
libraries upstream, he stated that the v2 libraries will be EOL this
summer, and that he would advise not to ship them in a release unless
Debian will maintain them.

Based upon that information, the low popcon, and the fact that this
cluster of packages appear to be leaf packages (I can't find r-deps for
them):

 libopenws-java
 libshib-common-java
 libopensaml2-java
 libshib-parent-project2-java

I'm not going to take action to prevent the automated removal from
testing and am considering requesting that the packages be removed from
the archive.  If people are using these libraries and can make a case
for them being available in Debian, please speak up.

Cheers,
tony




Bug#780383: libopensaml2-java: CVE-2015-1796

2015-05-06 Thread tony mancill
An update on this...  I'm in the midst of packaging 2.6.5, but it in
turn requires an update to libxmltooling-java to version 1.4.4, which I
am working on now.

Cheers,
tony




Bug#780383: libopensaml2-java: CVE-2015-1796

2015-03-13 Thread Salvatore Bonaccorso
Source: libopensaml2-java
Version: 2.6.2-1
Severity: grave
Tags: security upstream fixed-upstream

Hi,

the following vulnerability was published for libopensaml2-java. Note
that I don't know libopensaml2-java well enough, so could you assess
if this affects Debian as well, and if the severity is appropriate (if
not please feel free to downgrade it). Information follows:

CVE-2015-1796[0]:
PKIX Trust Engines Exhibit Critical Flaw In Trusted Names Evaluation

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2015-1796
[1] http://shibboleth.net/community/advisories/secadv_20150225.txt

Regards,
Salvatore



Bug#780383: libopensaml2-java: CVE-2015-1796

2015-03-13 Thread Emmanuel Bourg
Hi Salvatore,

Thank you for the report. Looking at the commit r1680 mentioned on the
security tracker I fail to see how it addresses the vulnerability
described. I suspect this is actually a vulnerability in a dependency
shared by opensaml and idp (maybe xmltooling which contains the
PKIXValidationInformationResolver class, or shib-common with a recent
commit referring to the same SIDP-624 issue [1]).

Emmanuel Bourg

[1]
http://svn.shibboleth.net/view/java-shib-common?view=revision&revision=1125



Bug#780383: libopensaml2-java: CVE-2015-1796

2015-03-13 Thread Salvatore Bonaccorso
Hi Emmanuel,

Thanks for the quick feedback.

On Fri, Mar 13, 2015 at 10:42:41AM +0100, Emmanuel Bourg wrote:
 Hi Salvatore,
 
 Thank you for the report. Looking at the commit r1680 mentioned on the
 security tracker I fail to see how it addresses the vulnerability
 described. I suspect this is actually a vulnerability in a dependency
 shared by opensaml and idp (maybe xmltooling which contains the
 PKIXValidationInformationResolver class, or shib-common with a recent
 commit referring to the same SIDP-624 issue [1]).

Note the commit reference was added by me, while searching to isolate
where the problem lies, i.e. searching for relevant commits between tag
2.6.4 and 2.6.5. I don't understand though libopensaml2-java well
enough. Upstream advisory just says:

Affected Versions
=================

Versions of OpenSAML Java < 2.6.5
[...]
OpenSAML users: Upgrade to OpenSAML Java 2.6.5 or greater, if PKIX
trust engines are in use. PKIX trust engine implementations in this
version will fail a candidate credential if no trusted names are
resolved for the relevant entityID; the existing PKIX resolver
implementations now also automatically treat the target entityID as an
implicit trusted name. If this is not feasible, ensure that ALL entity
data resolved via instances of PKIXValidationInformationResolver have
at least 1 trusted name which is resolveable. For resolvers based on
SAML metadata, see IdP recommendations below.
[...]

https://bugzilla.redhat.com/show_bug.cgi?id=1196619

and

https://bugzilla.novell.com/show_bug.cgi?id=922199

both don't give much more information.

Regards,
Salvatore

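The advisory excerpt in Salvatore's message describes the flaw in behavioural terms only. The following model, added here and not taken from OpenSAML, xmltooling or the Debian packages, shows why an entity that resolves zero trusted names is dangerous, how the 2.6.5 behaviour (fail on an empty name set, treat the target entityID as an implicit trusted name) closes it, and an audit for the advisory's workaround; the metadata layout, entityIDs and certificate names are constructed assumptions.

```python
# Constructed model of the PKIX trusted-name check the Shibboleth advisory
# quoted above describes. Not OpenSAML or xmltooling code; the metadata shape,
# entityIDs and certificate names below are assumptions for illustration.
from dataclasses import dataclass

@dataclass(frozen=True)
class Credential:
    entity_id: str       # entityID the peer claims to act for
    issuer: str          # CA that signed the certificate
    names: frozenset     # CN / subjectAltName values carried by the certificate

# Stand-in for what a PKIXValidationInformationResolver yields per entityID:
# (trust anchors, trusted names) from SAML metadata. Constructed data; the
# second entity has a KeyAuthority anchor but resolves no trusted names.
METADATA = {
    "https://sp.example.org/shibboleth": ({"Federation CA"}, {"sp.example.org"}),
    "https://idp.example.edu/idp/shibboleth": ({"Federation CA"}, set()),
}

def path_validates(cred, anchors):
    # Stand-in for X.509 path validation: anything issued under a shared
    # federation anchor passes, which is exactly why the name check matters.
    return cred.issuer in anchors

def resolve(target_entity_id, implicit_entity_id):
    anchors, names = METADATA[target_entity_id]
    names = set(names)
    if implicit_entity_id:            # 2.6.5 resolvers add the entityID itself
        names.add(target_entity_id)
    return anchors, names

def engine(cred, anchors, names, fail_if_no_names):
    if not path_validates(cred, anchors):
        return False
    if not names:
        # Pre-2.6.5: an empty set skips the name check (fails open).
        # 2.6.5: an empty set rejects the candidate credential.
        return not fail_if_no_names
    return bool(cred.names & names)

def evaluate_pre_2_6_5(cred, target):
    return engine(cred, *resolve(target, False), fail_if_no_names=False)

def evaluate_2_6_5(cred, target):
    return engine(cred, *resolve(target, True), fail_if_no_names=True)

def entities_without_trusted_names(metadata):
    # Audit for the advisory's workaround: every entity must resolve >= 1 name.
    return sorted(eid for eid, (_, names) in metadata.items() if not names)
```

Running the audit over real metadata (anything your resolver feeds the trust engine) is the practical check for deployments that cannot upgrade yet.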