xmltooling Debian release 1.5.3-2+deb8u2

Format: 1.8
Date: Fri, 12 Jan 2018 12:00:08 +0100
Source: xmltooling
Binary: libxmltooling6 libxmltooling-dev xmltooling-schemas libxmltooling-doc
Architecture: source i386
Version: 1.5.3-2+deb8u2
Distribution: jessie-security
Urgency: high
Maintainer: Debian Shib Team <pkg-shibboleth-devel@lists.alioth.debian.org>
Changed-By: Ferenc Wágner <wferi@debian.org>
Description:
 libxmltooling-dev - C++ XML parsing library with encryption support (development)
 libxmltooling-doc - C++ XML parsing library with encryption support (API docs)
 libxmltooling6 - C++ XML parsing library with encryption support (runtime)
 xmltooling-schemas - XML schemas for XMLTooling
Changes:
 xmltooling (1.5.3-2+deb8u2) jessie-security; urgency=high
 .
   * [5c2845b] Add gbp.conf for jessie
   * [0ffc343] Convert our single patch into a proper patch queue
   * [91e7acb] New patch: CVE-2018-0486: vulnerability to forged user attribute data
     The Service Provider software relies on a generic XML parser to process
     SAML responses and there are limitations in older versions of the parser
     that make it impossible to fully disable Document Type Definition (DTD)
     processing. Through addition/manipulation of a DTD, it's possible to make
     changes to an XML document that do not break a digital signature but are
     mishandled by the SP and its libraries. These manipulations can alter the
     user data passed through to applications behind the SP and result in
     impersonation attacks and exposure of protected information.
     While the use of XML Encryption can serve as a mitigation for this bug,
     it may still be possible to construct attacks in such cases, and the SP
     does not provide a means to enforce its use.
     CPPXT-127 - Block entity reference nodes during unmarshalling.
     https://issues.shibboleth.net/jira/browse/CPPXT-127
     Thanks to Scott Cantor
   * [49b7352] Update Uploaders: add Etienne, remove Russ, update myself
Checksums-Sha1:
 ed080fec57bfe948674b7805153f1472051f5bf6 2433 xmltooling_1.5.3-2+deb8u2.dsc
 5c149d59a2a7294349ee8447f2ed990f7480229f 10820 xmltooling_1.5.3-2+deb8u2.debian.tar.xz
 bfe1a7f8264c05fcb6d8067b175ac71d8864f24a 588608 libxmltooling6_1.5.3-2+deb8u2_i386.deb
 cb611ec73f64fbdb9b9cb45e31bc39427592d4eb 72314 libxmltooling-dev_1.5.3-2+deb8u2_i386.deb
Checksums-Sha256:
 66bca125a52487e64cbb16efab1b7118109a95c769eddb571b72b79384dd4927 2433 xmltooling_1.5.3-2+deb8u2.dsc
 51f0ae9d4e419ccbafcec9a272ed2daa0456643816aeae5231045a96519377f5 10820 xmltooling_1.5.3-2+deb8u2.debian.tar.xz
 9add3d1f915d6d54c37b4c930037e4f00be0524acd66c16faf0902ed16243380 588608 libxmltooling6_1.5.3-2+deb8u2_i386.deb
 5f97ebed46427aa8bdb87a86c437aef00c5198e389cf3ea7b516233f526c74a8 72314 libxmltooling-dev_1.5.3-2+deb8u2_i386.deb
Files:
 23f975913adaff394d5b55b26e9042a8 2433 libs extra xmltooling_1.5.3-2+deb8u2.dsc
 7c9ce057e6b3f5b87d8f762cc1eec611 10820 libs extra xmltooling_1.5.3-2+deb8u2.debian.tar.xz
 1e96dbb7ce98caa09a4c681f6093c610 588608 libs extra libxmltooling6_1.5.3-2+deb8u2_i386.deb
 c918c7fd8aa568fdfb31b0a60f48f6cd 72314 libdevel extra libxmltooling-dev_1.5.3-2+deb8u2_i386.deb