xmltooling Debian release 3.2.4-1

Format: 1.8
Date: Wed, 14 Jun 2023 22:04:20 +0200
Source: xmltooling
Architecture: source
Version: 3.2.4-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Shib Team <pkg-shibboleth-devel@alioth-lists.debian.net>
Changed-By: Ferenc Wágner <wferi@debian.org>
Closes: 1037948
Changes:
 xmltooling (3.2.4-1) unstable; urgency=medium
 .
   * [f89bdd8] New upstream release: 3.2.4
     SECURITY: corrects a server-side request forgery (SSRF) vulnerability.
     From https://shibboleth.net/community/advisories/secadv_20230612.txt:
     # Parsing of KeyInfo elements can cause remote resource access
     Including certain legal but "malicious in intent" content in the
     KeyInfo element defined by the XML Signature standard will result in
     attempts by the SP's shibd process to dereference untrusted URLs.
     While the content of the URL must be supplied within the message and
     does not include any SP internal state or dynamic content, there is
     at minimum a risk of denial of service, and the attack could be
     combined with others to create more serious vulnerabilities in the
     future. (Closes: #1037948)
   * [79533dd] Delete upstreamed patch
   * [6ae406d] Remove Etienne Dysli Metref from Uploaders.
     Thanks for your work, Etienne, and best wishes for your future
     endeavors!