Your message dated Sun, 09 Aug 2015 18:35:19 +0000
with message-id <e1zovrh-00059d...@franck.debian.org>
and subject line Bug#793855: fixed in xmltooling 1.3.3-2+deb6u1
has caused the Debian Bug report #793855,
regarding DoS, Shibboleth SP software crashes on well-formed but invalid XML
(CVE-2015-0851)
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
793855: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=793855
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: xmltooling
Version: 1.3.3-2
Severity: serious
Tags: security patch upstream
Shibboleth Service Provider software contains a code path with an uncaught
exception that can be triggered by an unauthenticated attacker by
supplying well-formed but schema-invalid XML in the form of SAML
metadata or SAML protocol messages. The result is a crash and so
causes a denial of service.
Updated versions of OpenSAML-C (V2.5.5) and XMLTooling-C (V1.5.5)
are available that correct this bug.
This vulnerability has been assigned CVE-2015-0851.
Please mention the CVE ID in changelog when fixing this issue.
References:
* Bulletin
http://shibboleth.net/community/advisories/secadv_20150721.txt
* Fixing commit (xmltooling)
https://git.shibboleth.net/view/?p=cpp-xmltooling.git;a=commitdiff;h=2d795c731e6729309044607154978696a87fd900
Cheers, Luca
--- End Message ---
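The report above describes a class of bug rather than a single bad line: a validator that throws on schema-invalid input, reached with no catch between it and the network. The following C++ sketch is an added illustration and is not xmltooling, OpenSAML or Shibboleth code; its toy tag scanner, its two-rule "schema" (document element must be EntityDescriptor with a direct SPSSODescriptor child), the handler names, and the three sample documents are all constructed for this example. It shows why the well-formedness check alone does not save the process, and the boundary catch that turns the same input into a rejected request.

```cpp
#include <stdexcept>
#include <string>
#include <vector>
#include <iostream>

// Hypothetical, simplified illustration (not xmltooling/OpenSAML code): a toy
// tag scanner, a toy "schema", and two request handlers built on them.

struct SchemaError : std::runtime_error {
    using std::runtime_error::runtime_error;
};

// Scan element tags out of a string. Returns names such as "EntityDescriptor"
// and "/EntityDescriptor"; a self-closing <X/> yields both. Attributes are
// dropped; <?...?> declarations are skipped. An unterminated tag yields "<".
std::vector<std::string> tokenize(const std::string& xml) {
    std::vector<std::string> tags;
    std::string::size_type pos = 0;
    while ((pos = xml.find('<', pos)) != std::string::npos) {
        std::string::size_type end = xml.find('>', pos);
        if (end == std::string::npos) { tags.push_back("<"); break; }
        std::string inside = xml.substr(pos + 1, end - pos - 1);
        pos = end + 1;
        if (inside.empty() || inside[0] == '?') continue;
        bool closing = inside[0] == '/';
        bool selfClosing = !closing && inside.back() == '/';
        std::string body = closing ? inside.substr(1) : inside;
        if (selfClosing) body.pop_back();
        std::string name = body.substr(0, body.find_first_of(" \t\r\n"));
        if (closing) {
            tags.push_back("/" + name);
        } else {
            tags.push_back(name);
            if (selfClosing) tags.push_back("/" + name);
        }
    }
    return tags;
}

// Well-formedness only: tags nest properly and there is exactly one root.
bool wellFormed(const std::vector<std::string>& tags) {
    std::vector<std::string> stack;
    int roots = 0;
    for (const std::string& t : tags) {
        if (t.empty() || t == "<") return false;
        if (t[0] == '/') {
            if (stack.empty() || stack.back() != t.substr(1)) return false;
            stack.pop_back();
        } else {
            if (stack.empty()) ++roots;
            stack.push_back(t);
        }
    }
    return stack.empty() && roots == 1;
}

// Toy schema: document element must be EntityDescriptor and must have a
// direct SPSSODescriptor child. Throws on violation, as validators commonly do.
void validateSchema(const std::vector<std::string>& tags) {
    if (tags.empty() || tags.front() != "EntityDescriptor")
        throw SchemaError("document element is not EntityDescriptor");
    int depth = 0;
    bool found = false;
    for (const std::string& t : tags) {
        if (t[0] == '/') { --depth; continue; }
        if (depth == 1 && t == "SPSSODescriptor") found = true;
        ++depth;
    }
    if (!found) throw SchemaError("EntityDescriptor lacks SPSSODescriptor child");
}

// Shape of the bug class: malformed input is rejected cleanly, but well-formed,
// schema-invalid input throws past the handler. In a daemon with no outer catch
// that means std::terminate() and the whole process dies.
int handleUnguarded(const std::string& xml) {
    std::vector<std::string> tags = tokenize(xml);
    if (!wellFormed(tags)) return 400;
    validateSchema(tags);   // may throw SchemaError; nothing here catches it
    return 200;
}

// Hardened shape: every exception raised by untrusted input is caught at the
// trust boundary and turned into a rejection, so one request cannot kill the daemon.
int handleGuarded(const std::string& xml) {
    try {
        return handleUnguarded(xml);
    } catch (const SchemaError& e) {
        std::cerr << "rejected schema-invalid input: " << e.what() << '\n';
        return 400;
    } catch (const std::exception& e) {
        std::cerr << "internal error: " << e.what() << '\n';
        return 500;
    }
}

// Reports whether handleUnguarded lets an exception escape for this input.
bool exceptionEscapes(const std::string& xml) {
    try { handleUnguarded(xml); return false; } catch (...) { return true; }
}

// Constructed sample inputs for the example (not from any real deployment).
const std::string kValidMetadata =
    "<EntityDescriptor entityID=\"https://sp.example.org/shibboleth\">"
    "<SPSSODescriptor protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\"/>"
    "</EntityDescriptor>";
const std::string kSchemaInvalid =   // well-formed, but not what the schema allows
    "<EntityDescriptor entityID=\"https://sp.example.org/shibboleth\"><Bogus/></EntityDescriptor>";
const std::string kMalformed =       // not even well-formed: SPSSODescriptor never closed
    "<EntityDescriptor><SPSSODescriptor></EntityDescriptor>";

int main() {
    std::cout << "guarded, valid:          " << handleGuarded(kValidMetadata) << '\n';
    std::cout << "guarded, schema-invalid: " << handleGuarded(kSchemaInvalid) << '\n';
    std::cout << "guarded, malformed:      " << handleGuarded(kMalformed) << '\n';
    std::cout << "unguarded escapes:       " << exceptionEscapes(kSchemaInvalid) << '\n';
    return 0;
}
```

The point to carry over to a real review is the asymmetry in handleUnguarded: the parser's own error path returns a status, while the validator's error path throws, and only the first is handled. When auditing an XML-consuming service for this class of issue, look for every throwing call reachable from unauthenticated input and confirm a catch sits between it and the request loop.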
--- Begin Message ---
Source: xmltooling
Source-Version: 1.3.3-2+deb6u1
We believe that the bug you reported is fixed in the latest version of
xmltooling, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 793...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Ferenc Wagner <wf...@niif.hu> (supplier of updated xmltooling package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 03 Aug 2015 13:25:11 +0200
Source: xmltooling
Binary: libxmltooling4 libxmltooling-dev xmltooling-schemas libxmltooling-doc
Architecture: source i386 all
Version: 1.3.3-2+deb6u1
Distribution: squeeze-lts
Urgency: high
Maintainer: Debian Shib Team <pkg-shibboleth-de...@lists.alioth.debian.org>
Changed-By: Ferenc Wagner <wf...@niif.hu>
Description:
libxmltooling-dev - C++ XML parsing library with encryption support (development)
libxmltooling-doc - C++ XML parsing library with encryption support (API docs)
libxmltooling4 - C++ XML parsing library with encryption support (runtime)
xmltooling-schemas - XML schemas for XMLTooling
Closes: 793855
Changes:
xmltooling (1.3.3-2+deb6u1) squeeze-lts; urgency=high
.
* Apply security fix from 1.5.5 for CVE-2015-0851 DoS (Closes: #793855):
Shibboleth SP software crashes on well-formed but invalid XML
Checksums-Sha1:
5a1fa43326d495f336d1d2e8cc03b2a9652f61f7 2227 xmltooling_1.3.3-2+deb6u1.dsc
394aecf4d6a79c10efb904b2fcac7f628cc65069 1475368 xmltooling_1.3.3.orig.tar.gz
10fc4644474eda0b36d308a997682a8a73c4c690 7667 xmltooling_1.3.3-2+deb6u1.diff.gz
620e21753fddffabd032ff59a17cf9ab6a387caf 750808 libxmltooling4_1.3.3-2+deb6u1_i386.deb
6f7c7d58478dc54874995e0239bc63ae5bf177ce 76678 libxmltooling-dev_1.3.3-2+deb6u1_i386.deb
0f62d4bf5ebab2e51210444cec3d49c3ac6a903b 13192 xmltooling-schemas_1.3.3-2+deb6u1_all.deb
c8af5662305ee48ce08992f5ecc7c1bdf712757d 925394 libxmltooling-doc_1.3.3-2+deb6u1_all.deb
Checksums-Sha256:
8ad622df200fd48e775cdb7986a423591200d5f92c3b68c85f6eaa6c66b86c26 2227 xmltooling_1.3.3-2+deb6u1.dsc
2e60c74aabdf56dc1bf1f92bfa1da1284198aa114d3174539b6ff1f02dc0599b 1475368 xmltooling_1.3.3.orig.tar.gz
6e13166e29c358471f47e20e17d72dc642c37c73016a9553822bf38bf9244c5a 7667 xmltooling_1.3.3-2+deb6u1.diff.gz
3a620155cea8b83d8a7caff781f7a2509bf9d55ee8c2e844ecd35c07f2c86a5d 750808 libxmltooling4_1.3.3-2+deb6u1_i386.deb
21d6e84e8f34a66bbdf154e6f54468bb49a34d5b02a56039719281993930d645 76678 libxmltooling-dev_1.3.3-2+deb6u1_i386.deb
079542a6478d107e5423dcfc75127d59dabbfc9981174db2fd7e205c810017e9 13192 xmltooling-schemas_1.3.3-2+deb6u1_all.deb
54fb67f10d8f72c0cb4115c45c5e687da74c328837385b58a6eca0f59d84c8c3 925394 libxmltooling-doc_1.3.3-2+deb6u1_all.deb
Files:
e75513fc98f82d050d6d946ad868bbd8 2227 libs extra xmltooling_1.3.3-2+deb6u1.dsc
3074edc8a00bba1d26c02e798ea8039c 1475368 libs extra xmltooling_1.3.3.orig.tar.gz
266304c04a0bfdaa8365ac94838bc0df 7667 libs extra xmltooling_1.3.3-2+deb6u1.diff.gz
580d76f6114e1c890df931463a0e5a77 750808 libs extra libxmltooling4_1.3.3-2+deb6u1_i386.deb
9321a5f29e6cf00c73fa51724f9227db 76678 libdevel extra libxmltooling-dev_1.3.3-2+deb6u1_i386.deb
b84ef71487329a712fc82ceb6ff5d67f 13192 text extra xmltooling-schemas_1.3.3-2+deb6u1_all.deb
15120417bf522a4fc20f2a59292b993f 925394 doc extra libxmltooling-doc_1.3.3-2+deb6u1_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----
--- End Message ---