Your message dated Thu, 09 Aug 2018 05:35:28 +0000
with message-id <e1fndbc-000eyv...@fasolo.debian.org>
and subject line Bug#905332: fixed in xml-security-c 1.7.3-4+deb9u1
has caused the Debian Bug report #905332,
regarding src:xml-security-c: Default KeyInfo resolver doesn't check for empty element content
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
905332: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=905332
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: src:xml-security-c
Severity: important
Tags: security
This is a security tracking bug.
Original report:
https://issues.apache.org/jira/projects/SANTUARIO/issues/SANTUARIO-491
The issue is null pointer dereference in the library, which happens to
mean a trivial remote DoS (shibd crash) in the Shibboleth SP stack.
I requested a CVE from Mitre, but haven't got it yet.
The stretch security upload is ready, I'm sending the debdiff.
All versions in the archive are affected; the upstream fix is in 2.0.1,
which will be uploaded to experimental shortly.
--- End Message ---
--- Begin Message ---
Source: xml-security-c
Source-Version: 1.7.3-4+deb9u1
We believe that the bug you reported is fixed in the latest version of
xml-security-c, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 905...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Ferenc Wágner <wf...@debian.org> (supplier of updated xml-security-c package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 3 Aug 2018 14:30:43 CEST
Source: xml-security-c
Binary: libxml-security-c17v5 libxml-security-c-dev xml-security-c-utils
Architecture: source
Version: 1.7.3-4+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Debian Shib Team <pkg-shibboleth-de...@lists.alioth.debian.org>
Changed-By: Ferenc Wágner <wf...@debian.org>
Description:
libxml-security-c-dev - C++ library for XML Digital Signatures (development)
libxml-security-c17v5 - C++ library for XML Digital Signatures (runtime)
xml-security-c-utils - C++ library for XML Digital Signatures (utilities)
Closes: 905332
Changes:
xml-security-c (1.7.3-4+deb9u1) stretch-security; urgency=high
.
* [93b87c6] New patch: Default KeyInfo resolver doesn't check for empty
element content.
The Apache Santuario XML Security for C++ library contained a
number of code paths at risk of dereferencing null pointers when
processing various kinds of malformed KeyInfo hints typically found
in signed or encrypted XML. The usual effect is a crash, and in the
case of the Shibboleth SP software, a crash in the shibd daemon.
Upstream bug:
https://issues.apache.org/jira/projects/SANTUARIO/issues/SANTUARIO-491
CVE: not assigned yet
Thanks to Scott Cantor (Closes: #905332)
Checksums-Sha256:
1b1228439b760703062e60a6daee033dacf293a95a5feba1a81c7c6d6c873ea4 2336 xml-security-c_1.7.3-4+deb9u1.dsc
73879fa0f820ef06ae3663ff40232abdb9f8ed51a07ea43ab934bac7d9dfafc3 43404 xml-security-c_1.7.3-4+deb9u1.debian.tar.xz
e5226e7319d44f6fd9147a13fb853f5c711b9e75bf60ec273a0ef8a190592583 909320 xml-security-c_1.7.3.orig.tar.gz
Checksums-Sha1:
ce52525c4d6b986ab5ef5ddce7255c0d694b22f7 2336 xml-security-c_1.7.3-4+deb9u1.dsc
4c20d812dcfdea3dc0c475dc627e66b1300a941f 43404 xml-security-c_1.7.3-4+deb9u1.debian.tar.xz
bcbe98e0bd3695a0b961a223cce53e2f35c4681b 909320 xml-security-c_1.7.3.orig.tar.gz
Files:
8ef958f00a785116827955dd242dbae2 2336 libs extra xml-security-c_1.7.3-4+deb9u1.dsc
544a5a74d240da600efe85dc30efa9b2 43404 libs extra xml-security-c_1.7.3-4+deb9u1.debian.tar.xz
481a0f29d1b6e898da79f80dbbf7b05b 909320 libs extra xml-security-c_1.7.3.orig.tar.gz
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEwddEx0RNIUL7eugtOsj3Fkd+2yMFAltkSzcACgkQOsj3Fkd+
2yOKZg//TYZXREU6dzGM2poOOnZSdhlfUSzuiJvUaryHaJFlzWmi6bQfSqdBa6wx
HnO38SYvEVycUnjBQGPrJcVfcQv2ioorlyEUbBJ/Ey2rpXEoVX0bBTTAbU21nndz
roKAMlcpxmAOveg0v+g+QVKYKzuxv1hzAs92abaTdL/n1LM3ZMUvS2ZCQ2l37SMs
3X4EczalZRMiPZs7Ys9b/bkdid+vLCxtbK2f0LYWUD0IDxgmrurHYQBOiNZJFU1F
1A84IVU3doXOfOgAblIlibFn2rTHLXdDU0/Nsw6r+gDuAUmS+YhuUqyBgTLs74zX
ynH28in87KnK28KeQTBZF+r/+l22lwBcmrVXL7hyzYCi1hGOwS4LUIrNa+FeUm26
Ix3pUVTJ3ZNeougiewtHz6fOMXmD8aK9AqCcG4a5JWkSKauhoCjFpfsNXc4h1EPd
lKtmVkeG3u0R3qmOVHZ6is6yiiHgEgN0XRYlp21RBzjF7D3lZSiyeQxnx6G818PZ
v+5rIPlTbzuIVJFJ3dHYJwzIvZ1lE+72SjOlYRrBlyL89D0SKTQctNqnNsYwuIXL
MgapsNlwZ+oQmNwDfVAlrSPRWWMeeock/v9HMpTsBYsfqU59yEOdWa3txP/ADjeV
GmIqhkuumBmCM8lR7Te6qhX9o9OA5WNhjxC7Hqdxl06dooNC+L8=
=+/Rv
-----END PGP SIGNATURE-----
--- End Message ---
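The changelog entry above describes the bug class only in prose: a KeyInfo resolver that assumes a hint element such as KeyName always has a text child, so an empty element yields a null pointer that is dereferenced, and in the Shibboleth SP case takes shibd down. The following C++ is an added illustration written for this page; it is not code from xml-security-c, Xerces or the Debian patch. The `Node` tree, the `element()` builder and the two resolver functions are a hypothetical stand-in for the real DOM API, chosen so the unchecked pattern and its hardened counterpart can be compared on constructed inputs (an element with content, an empty element, a whitespace-only element, and a KeyInfo with no hint at all).

```cpp
#include <memory>
#include <optional>
#include <string>
#include <vector>

// Minimal stand-in for a DOM tree (hypothetical; not the Xerces/Santuario API).
struct Node {
    std::string name;                            // element name, empty for text nodes
    std::string text;                            // character data for text nodes
    bool isText = false;
    std::vector<std::unique_ptr<Node>> children;

    // Mirrors DOM getFirstChild(): nullptr when the element is empty.
    const Node* firstChild() const {
        return children.empty() ? nullptr : children.front().get();
    }
    // First child element with the given name, or nullptr when absent.
    const Node* childElement(const std::string& elementName) const {
        for (const auto& c : children)
            if (!c->isText && c->name == elementName) return c.get();
        return nullptr;
    }
};

// Build <name>content</name>; std::nullopt builds the empty element <name/>.
std::unique_ptr<Node> element(const std::string& name,
                              std::optional<std::string> content = std::nullopt) {
    auto n = std::make_unique<Node>();
    n->name = name;
    if (content) {
        auto t = std::make_unique<Node>();
        t->isText = true;
        t->text = *content;
        n->children.push_back(std::move(t));
    }
    return n;
}

static std::string trim(const std::string& s) {
    const char* ws = " \t\r\n";
    auto b = s.find_first_not_of(ws);
    if (b == std::string::npos) return "";
    auto e = s.find_last_not_of(ws);
    return s.substr(b, e - b + 1);
}

// The pattern the changelog describes: the hint's text child is assumed to exist,
// so an empty <KeyName/> (no child at all) dereferences a null pointer and crashes.
std::string keyNameUnchecked(const Node& keyName) {
    return keyName.firstChild()->text;
}

// Hardened form: every pointer taken from the tree is checked, and an empty or
// whitespace-only hint is reported as "no usable hint" instead of being dereferenced.
std::optional<std::string> keyNameChecked(const Node& keyName) {
    const Node* child = keyName.firstChild();
    if (child == nullptr || !child->isText) return std::nullopt;
    std::string value = trim(child->text);
    if (value.empty()) return std::nullopt;
    return value;
}

// Resolve the KeyName hint inside a KeyInfo element. A missing KeyName child and
// a KeyName without content both map to nullopt, so the caller cannot crash on
// malformed input; it simply has no key hint and falls through to other resolution.
std::optional<std::string> resolveKeyName(const Node& keyInfo) {
    const Node* hint = keyInfo.childElement("KeyName");
    if (hint == nullptr) return std::nullopt;
    return keyNameChecked(*hint);
}

// Constructed sample documents for exercising the resolver (not from the bug report).
std::unique_ptr<Node> keyInfoWith(std::optional<std::string> keyName, bool includeHint = true) {
    auto ki = element("KeyInfo");
    if (includeHint) ki->children.push_back(element("KeyName", keyName));
    return ki;
}
```

The design point is that `resolveKeyName` never exposes a raw pointer to its caller: the three malformed shapes (no KeyName element, `<KeyName/>`, whitespace-only content) all collapse into one `std::nullopt` result, so the decision "no hint available" is made once, in the resolver, rather than at every dereference site in the calling code.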