This bug was fixed in the package xmltooling -
1.5.3-2+deb8u3build0.14.04.1
---------------
xmltooling (1.5.3-2+deb8u3build0.14.04.1) trusty-security; urgency=medium
* fake sync from Debian (LP: #1752306)
xmltooling (1.5.3-2+deb8u3) jessie-security; urgency=high
* [2890d0c] New patches fixing CVE-2018-0489: additional data forgery flaws.
These flaws allow for changes to an XML document that do not break a
digital signature but alter the user data passed through to applications
enabling impersonation attacks and exposure of protected information.
https://shibboleth.net/community/advisories/secadv_20180227.txt
https://issues.shibboleth.net/jira/browse/CPPXT-128
The Add-disallowDoctype-to-parser-configuration.patch is not effective
under Xerces 3.1 in jessie, but provides more generic protection under
Xerces 3.2 against issues like CVE-2018-0486. It's included here for
completeness and to avoid a conflict applying the CVE-2018-0489 patch.
-- Steve Beattie <[email protected]> Tue, 20 Mar 2018 15:21:30 -0700
** Changed in: xmltooling (Ubuntu)
Status: Incomplete => Fix Released
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-0486
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1752306
Title:
Security bug in XMLTooling-C before 1.6.4 [CVE-2018-0489]
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/xmltooling/+bug/1752306/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
