This bug was fixed in the package xmltooling - 1.6.4-1ubuntu2.1
---------------
xmltooling (1.6.4-1ubuntu2.1) bionic-security; urgency=high

  * SECURITY UPDATE: uncaught exception on malformed XML declaration
    Invalid data in the XML declaration causes an exception of a type that
    was not handled properly in the parser class and propagates an
    unexpected exception type.
    This generally manifests as a crash in the calling code, which in the
    Service Provider software's case is usually the shibd daemon process,
    but can be Apache in some cases. Note that the crash occurs prior to
    evaluation of a message's authenticity, so can be exploited by an
    untrusted attacker.
    - debian/patches/CVE-2019-9628.patch
    - CVE-2019-9628
    - https://shibboleth.net/community/advisories/secadv_20190311.txt
    - LP: #1819912

 -- Etienne Dysli Metref <[email protected]>  Thu, 14 Mar 2019 11:56:34 +0100

** Changed in: xmltooling (Ubuntu Bionic)
Status: In Progress => Fix Released
** Changed in: xmltooling (Ubuntu Xenial)
Status: In Progress => Fix Released
https://bugs.launchpad.net/bugs/1819912
Title:
CVE-2019-9628 XML parser class fails to trap exceptions on malformed
XML declaration