Raphael Hertzog <hert...@debian.org> writes:

> the Debian LTS team would like to fix the security issues which are
> currently open in the Squeeze version of shibboleth-sp2:
> https://security-tracker.debian.org/tracker/CVE-2015-2684
>
> Would you like to take care of this yourself? We are still understaffed so
> any help is always highly appreciated.
Hi Raphaël,

I will help you as far as I can, but I'm no DD, so most of the administrative work will stay on your shoulders. And I'm somewhat uncertain whether a squeeze update would do much good without a corresponding squeeze-backports fix. What do you think?

Anyway, I pushed the backported fix to the squeeze branch of http://anonscm.debian.org/cgit/pkg-shibboleth/shibboleth-sp2.git. You can find the corresponding source package at http://apt.niif.hu/lts/ (debdiff below). Unfortunately, I couldn't test the package, but in case I find a way, I'll inform you.

-- 
Regards,
Feri.

$ debdiff shibboleth-sp2_2.3.1+dfsg-5.dsc shibboleth-sp2_2.3.1+dfsg-5+deb6u1.dsc diff -u shibboleth-sp2-2.3.1+dfsg/debian/changelog shibboleth-sp2-2.3.1+dfsg/debian/changelog --- shibboleth-sp2-2.3.1+dfsg/debian/changelog +++ shibboleth-sp2-2.3.1+dfsg/debian/changelog @@ -1,3 +1,11 @@ +shibboleth-sp2 (2.3.1+dfsg-5+deb6u1) squeeze-lts; urgency=high + + * Backport security fix from V2.5.4 for CVE-2015-2684: authenticated + denial of service vulnerability that results in a crash on certain + kinds of malformed SAML messages. + + -- Ferenc Wagner <wf...@niif.hu> Mon, 13 Apr 2015 21:09:55 +0200 + shibboleth-sp2 (2.3.1+dfsg-5) unstable; urgency=high * Merge the forgotten pidfile fix from branch bug/unlink-pidfile after only in patch2: unchanged: --- shibboleth-sp2-2.3.1+dfsg.orig/shibsp/handler/impl/SAML2Consumer.cpp +++ shibboleth-sp2-2.3.1+dfsg/shibsp/handler/impl/SAML2Consumer.cpp @@ -38,6 +38,7 @@ # include <xmltooling/XMLToolingConfig.h> # include <xmltooling/io/HTTPRequest.h> # include <xmltooling/util/DateTime.h> +# include <xmltooling/validation/ValidatorSuite.h> using namespace opensaml::saml2; using namespace opensaml::saml2p; using namespace opensaml::saml2md; 
@@ -275,6 +276,9 @@ continue; try { + // Run the schema validators against the assertion, since it was hidden by encryption. + SchemaValidators.validate(decrypted); + // We clear the security flag, so we can tell whether the token was secured on its own. policy.setAuthenticated(false); policy.reset(true); only in patch2: unchanged: --- shibboleth-sp2-2.3.1+dfsg.orig/shibsp/impl/StorageServiceSessionCache.cpp +++ shibboleth-sp2-2.3.1+dfsg/shibsp/impl/StorageServiceSessionCache.cpp @@ -1040,7 +1040,7 @@ // Store the reverse mapping for logout. try { - if (nameid) + if (name.get() && *name.get()) insert(key.get(), expires, name.get(), index.get()); } catch (exception& ex) {

Archive: https://lists.debian.org/87a8ybak7s....@lant.ki.iif.hu
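Review bot: the changelog hunk names the CVE but not what the backport actually touches; since the debdiff changes both shibsp/handler/impl/SAML2Consumer.cpp (schema validation of decrypted assertions) and shibsp/impl/StorageServiceSessionCache.cpp (the NameID guard), a bullet listing those two changes, or the upstream 2.5.4 commit they come from, would let the LTS reviewer map each hunk back to upstream.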
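Review bot: in the @@ -275,6 +276,9 @@ hunk, SchemaValidators.validate() reports failure by throwing, and the new call sits inside a try that opens right after a `continue;`, so confirm that the catch clause closing this try (outside the hunk) handles the xmltooling validation exception and skips only the offending assertion rather than failing the whole response, and that `decrypted` is owned by a smart pointer so a throw on the added line does not leak it.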
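Review bot: in the @@ -1040,7 +1040,7 @@ hunk the guard moves from the `nameid` pointer to the NameID text being non-null and non-empty, so insert() is no longer reached with a null or empty name; the old condition also covered the case where `nameid` itself was null, so check that `name` is initialised (and `name.get()` is null) on every path that reaches this point when `nameid` is absent, otherwise the replacement test is not equivalent for that case.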