xmltooling Debian release 3.0.4-1+deb10u2

Format: 1.8
Date: Wed, 14 Jun 2023 23:04:55 +0200
Source: xmltooling
Architecture: source
Version: 3.0.4-1+deb10u2
Distribution: buster-security
Urgency: high
Maintainer: Debian Shib Team <pkg-shibboleth-devel@lists.alioth.debian.org>
Changed-By: Ferenc Wágner <wferi@debian.org>
Closes: 1037948
Changes:
 xmltooling (3.0.4-1+deb10u2) buster-security; urgency=high
 .
   * [47aa66a] New patch: CPPXT-157 - Install blocking URI resolver into Santuario.
     Fix a denial of service vulnerability: Parsing of KeyInfo elements can cause
     remote resource access. Including certain legal but "malicious in intent"
     content in the KeyInfo element defined by the XML Signature standard will
     result in attempts by the SP's shibd process to dereference untrusted URLs.
     While the content of the URL must be supplied within the message and does
     not include any SP internal state or dynamic content, there is at minimum a
     risk of denial of service, and the attack could be combined with others to
     create more serious vulnerabilities in the future.
     Thanks to Scott Cantor for the fix.
     (Closes: #1037948)
Checksums-Sha1:
 ff52d7f495ab67d6a04aebbf4949a128d4134380 2478 xmltooling_3.0.4-1+deb10u2.dsc
 81d738aa174efebddf96b34421eff6f247ea54de 54892 xmltooling_3.0.4-1+deb10u2.debian.tar.xz
 57a40b21a06caa3647885a611617ca1e52162625 10503 xmltooling_3.0.4-1+deb10u2_amd64.buildinfo
Checksums-Sha256:
 220601d4b14958a5557e1bcf935de8451f1b570d31eaacbb776381f559d4e827 2478 xmltooling_3.0.4-1+deb10u2.dsc
 32dd45de84b124e4f45e88479172fff6bf3ad10b31392fdbe61bf2cab3cc9776 54892 xmltooling_3.0.4-1+deb10u2.debian.tar.xz
 ec3a2db0aa85b0ee2f8304e85e07a6a28ac2bbaa610b74cb221f1827e22901f5 10503 xmltooling_3.0.4-1+deb10u2_amd64.buildinfo
Files:
 e6545dca05da8c882757574f674e4d96 2478 libs optional xmltooling_3.0.4-1+deb10u2.dsc
 f94666a427227a31e043aee4284b8fc6 54892 libs optional xmltooling_3.0.4-1+deb10u2.debian.tar.xz
 b7bdcee20cae1045aa3d7caadb28bbaa 10503 libs optional xmltooling_3.0.4-1+deb10u2_amd64.buildinfo