xmltooling Debian release 1.6.0-4+deb9u1

Format: 1.8
Date: Thu, 22 Feb 2018 10:49:29 +0100
Source: xmltooling
Binary: libxmltooling7 libxmltooling-dev xmltooling-schemas libxmltooling-doc
Architecture: source
Version: 1.6.0-4+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Debian Shib Team <pkg-shibboleth-devel@lists.alioth.debian.org>
Changed-By: Ferenc Wágner <wferi@debian.org>
Description:
 libxmltooling-dev - C++ XML parsing library with encryption support (development)
 libxmltooling-doc - C++ XML parsing library with encryption support (API docs)
 libxmltooling7 - C++ XML parsing library with encryption support (runtime)
 xmltooling-schemas - XML schemas for XMLTooling
Changes:
 xmltooling (1.6.0-4+deb9u1) stretch-security; urgency=high
 .
   [ Russ Allbery ]
   * [4e7dec2] Remove myself from Uploaders
 .
   [ Ferenc Wágner ]
   * [2e5cad6] New patch fixing CVE-2018-0486: vulnerability to forged user
     attribute data.
     The Service Provider software relies on a generic XML parser to process
     SAML responses and there are limitations in older versions of the parser
     that make it impossible to fully disable Document Type Definition (DTD)
     processing.
     Through addition/manipulation of a DTD, it's possible to make changes
     to an XML document that do not break a digital signature but are
     mishandled by the SP and its libraries. These manipulations can alter
     the user data passed through to applications behind the SP and result
     in impersonation attacks and exposure of protected information.
     While the use of XML Encryption can serve as a mitigation for this bug,
     it may still be possible to construct attacks in such cases, and the SP
     does not provide a means to enforce its use.
     https://shibboleth.net/community/advisories/secadv_20180112.txt
     CPPXT-127 - Block entity reference nodes during unmarshalling.
     https://issues.shibboleth.net/jira/browse/CPPXT-127
   * [91c50ae] New patches fixing CVE-2018-0489: additional data forgery flaws.
     These flaws allow for changes to an XML document that do not break a
     digital signature but alter the user data passed through to applications
     enabling impersonation attacks and exposure of protected information.
     https://shibboleth.net/community/advisories/secadv_20180227.txt
     https://issues.shibboleth.net/jira/browse/CPPXT-128
     The Add-disallowDoctype-to-parser-configuration.patch is not effective
     under Xerces 3.1 in stretch, but provides more generic protection under
     Xerces 3.2 against issues like CVE-2018-0486.  It's included here for
     completeness and to avoid a conflict applying the CVE-2018-0489 patch.
Checksums-Sha1:
 44d61403bbd86f0c19c44f2939491aadc21114b4 1608 xmltooling_1.6.0-4+deb9u1.dsc
 265fdbd04be1234423e992e4c280b62fd3fe0042 72976 xmltooling_1.6.0-4+deb9u1.debian.tar.xz
 75def281d26e4860e82bb5c593831a26928c1b13 9165 xmltooling_1.6.0-4+deb9u1_amd64.buildinfo
Checksums-Sha256:
 4ef89b3ab209c22d727d2a088766ac0a72b4242efb8e182946b4196f6fd1c744 1608 xmltooling_1.6.0-4+deb9u1.dsc
 06a4f61f9bd27a541079b252d2c21e238a5e01334aeda4010cde94b9d9cafe64 72976 xmltooling_1.6.0-4+deb9u1.debian.tar.xz
 13737eaefd828d3b4b5eac4bb9626e2b576efb59216045107fc7603b88b00a20 9165 xmltooling_1.6.0-4+deb9u1_amd64.buildinfo
Files:
 2ca6c3bf6164da5cac2ff502682a2d4d 1608 libs extra xmltooling_1.6.0-4+deb9u1.dsc
 ec83fbaa544111e99f572505fce23617 72976 libs extra xmltooling_1.6.0-4+deb9u1.debian.tar.xz
 58225dfe35f7a9ce40b7300d22246b58 9165 libs extra xmltooling_1.6.0-4+deb9u1_amd64.buildinfo
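The changelog above describes the mitigation for CVE-2018-0486 and CVE-2018-0489 as refusing DTD/DOCTYPE content and entity reference nodes before the document reaches signature verification and attribute extraction. The following is an added example, not code from the xmltooling project or the Debian package: it uses Python's standard `xml.parsers.expat` handlers as a stand-in for the Xerces "disallow doctype" parser feature, rejecting any document that declares a DOCTYPE, an entity, or an external entity reference. The `Assertion`/`Attribute` sample documents are constructed for illustration and are not real SAML messages.

```python
"""Reject XML documents that carry a DTD before any further processing.

Added example (not part of the xmltooling package). Mirrors, at the
parser layer, the 'disallow doctype' hardening described in the
changelog: a document with a DOCTYPE is refused outright instead of
being parsed with entity expansion that a signature check would not see.
"""
import xml.parsers.expat


class DoctypeNotAllowed(ValueError):
    """Raised when the document declares a DTD, an entity or an external entity reference."""


def parse_without_doctype(xml_bytes: bytes) -> dict:
    """Parse xml_bytes with expat while refusing all DTD-related constructs.

    Returns a small summary (root element name and concatenated text) so a
    caller can see what was accepted. Raises DoctypeNotAllowed otherwise.
    """
    parser = xml.parsers.expat.ParserCreate()
    summary = {"root": None, "text": []}

    def start_doctype(doctype_name, system_id, public_id, has_internal_subset):
        # Fires as soon as <!DOCTYPE ...> is seen, before any entity can be expanded.
        raise DoctypeNotAllowed(f"DOCTYPE {doctype_name!r} is not allowed")

    def entity_decl(entity_name, is_parameter_entity, value, base,
                    system_id, public_id, notation_name):
        # Defence in depth: also refuse entity declarations themselves.
        raise DoctypeNotAllowed(f"entity declaration {entity_name!r} is not allowed")

    def external_entity_ref(context, base, system_id, public_id):
        # Never fetch or resolve external entities.
        raise DoctypeNotAllowed("external entity reference is not allowed")

    def start_element(name, attrs):
        if summary["root"] is None:
            summary["root"] = name

    def char_data(data):
        summary["text"].append(data)

    parser.StartDoctypeDeclHandler = start_doctype
    parser.EntityDeclHandler = entity_decl
    parser.ExternalEntityRefHandler = external_entity_ref
    parser.StartElementHandler = start_element
    parser.CharacterDataHandler = char_data

    # Exceptions raised inside a handler propagate out of Parse().
    parser.Parse(xml_bytes, True)
    summary["text"] = "".join(summary["text"])
    return summary


def is_dtd_free(xml_bytes: bytes) -> bool:
    """True if the document parses without any DTD construct, False if it was refused."""
    try:
        parse_without_doctype(xml_bytes)
    except DoctypeNotAllowed:
        return False
    return True


# Constructed sample: a minimal assertion-like document without a DTD.
CLEAN_DOC = (
    b'<Assertion><Attribute Name="uid">'
    b'<AttributeValue>alice</AttributeValue>'
    b'</Attribute></Assertion>'
)

# Constructed sample: the same document with a DOCTYPE prepended, the
# shape the advisory warns about. The hardened parser refuses it.
DTD_DOC = (
    b'<!DOCTYPE Assertion [<!ENTITY u "alice">]>'
    b'<Assertion><Attribute Name="uid">'
    b'<AttributeValue>&u;</AttributeValue>'
    b'</Attribute></Assertion>'
)

if __name__ == "__main__":
    print("clean document accepted:", is_dtd_free(CLEAN_DOC))  # True
    print("DTD document accepted:  ", is_dtd_free(DTD_DOC))    # False
```

Rejecting at the DOCTYPE declaration is the important design choice: entity expansion happens inside the parser, so any check performed on the resulting DOM (or on the bytes the signature covers) can disagree with what the application later reads. Refusing the document before parsing continues removes that gap entirely, which is the effect the changelog attributes to the disallow-doctype feature under Xerces 3.2.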