Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package xmltooling for openSUSE:Factory checked in at 2023-06-22 23:26:40 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/xmltooling (Old) and /work/SRC/openSUSE:Factory/.xmltooling.new.15902 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "xmltooling" Thu Jun 22 23:26:40 2023 rev:18 rq:1094638 version:3.2.4 Changes: --------
--- /work/SRC/openSUSE:Factory/xmltooling/xmltooling.changes 2023-01-26 14:12:04.916788563 +0100
+++ /work/SRC/openSUSE:Factory/.xmltooling.new.15902/xmltooling.changes 2023-06-22 23:27:25.914261043 +0200
@@ -1,0 +2,7 @@
+Wed Jun 21 12:33:30 UTC 2023 - Danilo Spinella <danilo.spine...@suse.com>
+
+- Update to 3.2.4:
+ * No changelog provided
+- Fix server-side request forgery (SSRF) vulnerability, bsc#1212359
+
+-------------------------------------------------------------------
Old: ---- xmltooling-3.2.3.tar.bz2 xmltooling-3.2.3.tar.bz2.asc New: ---- xmltooling-3.2.4.tar.bz2 xmltooling-3.2.4.tar.bz2.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ xmltooling.spec ++++++
--- /var/tmp/diff_new_pack.aUhwjx/_old 2023-06-22 23:27:26.674264919 +0200
+++ /var/tmp/diff_new_pack.aUhwjx/_new 2023-06-22 23:27:26.682264960 +0200
@@ -20,7 +20,7 @@
 %define opensaml_version 3.2.1
 %define pkgdocdir %{_docdir}/%{name}
 Name: xmltooling
-Version: 3.2.3
+Version: 3.2.4
 Release: 0
 Summary: OpenSAML XML Processing library
 License: Apache-2.0
++++++ xmltooling-3.2.3.tar.bz2 -> xmltooling-3.2.4.tar.bz2 ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/xmltooling-3.2.3/config_win32.h new/xmltooling-3.2.4/config_win32.h
--- old/xmltooling-3.2.3/config_win32.h 2023-01-09 15:39:57.000000000 +0100
+++ new/xmltooling-3.2.4/config_win32.h 2023-06-06 20:50:14.000000000 +0200
@@ -106,13 +106,13 @@ #define PACKAGE_NAME "xmltooling" /* Define to the full name and version of this package. */ -#define PACKAGE_STRING "xmltooling 3.2.3" +#define PACKAGE_STRING "xmltooling 3.2.4" /* Define to the one symbol short name of this package. */ #define PACKAGE_TARNAME "xmltooling" /* Define to the version of this package. */ -#define PACKAGE_VERSION "3.2.3" +#define PACKAGE_VERSION "3.2.4" /* Define to the necessary symbol if this constant uses a non-standard name on your system. */ @@ -125,7 +125,7 @@ /* #undef TM_IN_SYS_TIME */ /* Version number of package */ -#define VERSION "3.2.3" +#define VERSION "3.2.4" /* Define if you wish to disable XML-Security-dependent features. */ /* #undef XMLTOOLING_NO_XMLSEC */ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/xmltooling-3.2.3/configure new/xmltooling-3.2.4/configure --- old/xmltooling-3.2.3/configure 2023-01-09 15:46:55.000000000 +0100 +++ new/xmltooling-3.2.4/configure 2023-06-06 20:53:01.000000000 +0200 @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.71 for xmltooling 3.2.3. +# Generated by GNU Autoconf 2.71 for xmltooling 3.2.4. # # Report bugs to <https://shibboleth.atlassian.net/jira>. # @@ -621,8 +621,8 @@ # Identity of this package. PACKAGE_NAME='xmltooling' PACKAGE_TARNAME='xmltooling' -PACKAGE_VERSION='3.2.3' -PACKAGE_STRING='xmltooling 3.2.3' +PACKAGE_VERSION='3.2.4' +PACKAGE_STRING='xmltooling 3.2.4' PACKAGE_BUGREPORT='https://shibboleth.atlassian.net/jira' PACKAGE_URL='' @@ -1489,7 +1489,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures xmltooling 3.2.3 to adapt to many kinds of systems. +\`configure' configures xmltooling 3.2.4 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... 
@@ -1560,7 +1560,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of xmltooling 3.2.3:";; + short | recursive ) echo "Configuration of xmltooling 3.2.4:";; esac cat <<\_ACEOF @@ -1729,7 +1729,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -xmltooling configure 3.2.3 +xmltooling configure 3.2.4 generated by GNU Autoconf 2.71 Copyright (C) 2021 Free Software Foundation, Inc. @@ -2308,7 +2308,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by xmltooling $as_me 3.2.3, which was +It was created by xmltooling $as_me 3.2.4, which was generated by GNU Autoconf 2.71. Invocation command line was $ $0$ac_configure_args_raw @@ -3796,7 +3796,7 @@ # Define the identity of the package. PACKAGE='xmltooling' - VERSION='3.2.3' + VERSION='3.2.4' printf "%s\n" "#define PACKAGE \"$PACKAGE\"" >>confdefs.h @@ -23105,7 +23105,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by xmltooling $as_me 3.2.3, which was +This file was extended by xmltooling $as_me 3.2.4, which was generated by GNU Autoconf 2.71. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -23173,7 +23173,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config='$ac_cs_config_escaped' ac_cs_version="\\ -xmltooling config.status 3.2.3 +xmltooling config.status 3.2.4 configured by $0, generated by GNU Autoconf 2.71, with options \\"\$ac_cs_config\\" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/xmltooling-3.2.3/configure.ac new/xmltooling-3.2.4/configure.ac --- old/xmltooling-3.2.3/configure.ac 2023-01-09 15:39:33.000000000 +0100 +++ new/xmltooling-3.2.4/configure.ac 2023-06-06 20:49:50.000000000 +0200 
@@ -1,6 +1,6 @@
 # Process this file with autoreconf
 AC_PREREQ([2.50])
-AC_INIT([xmltooling],[3.2.3],[https://shibboleth.atlassian.net/jira],[xmltooling])
+AC_INIT([xmltooling],[3.2.4],[https://shibboleth.atlassian.net/jira],[xmltooling])
 AC_CONFIG_SRCDIR(xmltooling)
 AC_CONFIG_AUX_DIR(build-aux)
 AC_CONFIG_MACRO_DIR(m4)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/xmltooling-3.2.3/xmltooling/Makefile.am new/xmltooling-3.2.4/xmltooling/Makefile.am
--- old/xmltooling-3.2.3/xmltooling/Makefile.am 2023-01-09 15:41:12.000000000 +0100
+++ new/xmltooling-3.2.4/xmltooling/Makefile.am 2023-06-06 20:51:26.000000000 +0200
@@ -229,7 +229,7 @@
 $(PTHREAD_LIBS) \
 $(dlopen_LIBS)
-AM_LDFLAGS = -version-info 10:3:0
+AM_LDFLAGS = -version-info 10:4:0
 libxmltooling_lite_la_SOURCES = \
 ${common_sources}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/xmltooling-3.2.3/xmltooling/Makefile.in new/xmltooling-3.2.4/xmltooling/Makefile.in
--- old/xmltooling-3.2.3/xmltooling/Makefile.in 2023-01-09 15:46:57.000000000 +0100
+++ new/xmltooling-3.2.4/xmltooling/Makefile.in 2023-06-06 20:53:00.000000000 +0200
@@ -916,7 +916,7 @@
 $(PTHREAD_LIBS) \
 $(dlopen_LIBS)
-AM_LDFLAGS = -version-info 10:3:0
+AM_LDFLAGS = -version-info 10:4:0
 libxmltooling_lite_la_SOURCES = \
 ${common_sources}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/xmltooling-3.2.3/xmltooling/XMLToolingConfig.cpp new/xmltooling-3.2.4/xmltooling/XMLToolingConfig.cpp
--- old/xmltooling-3.2.3/xmltooling/XMLToolingConfig.cpp 2018-07-10 03:00:14.000000000 +0200
+++ new/xmltooling-3.2.4/xmltooling/XMLToolingConfig.cpp 2023-06-06 22:17:55.000000000 +0200
@@ -75,6 +75,7 @@
 # include <xsec/framework/XSECException.hpp>
 # include <xsec/framework/XSECProvider.hpp>
 # include <xsec/transformers/TXFMBase.hpp>
+# include <xsec/framework/XSECURIResolver.hpp>
 #endif
 using namespace soap11;
@@ -116,7 +117,7 @@
 #endif
 static ptr_vector<Mutex> g_openssl_locks;
- extern "C" void openssl_locking_callback(int mode,int n,const char *file,int line)
+ extern "C" void openssl_locking_callback(int mode, int n, const char *, int)
 {
 if (mode & CRYPTO_LOCK)
 g_openssl_locks[n].lock();
@@ -144,7 +145,7 @@
 void setInput(TXFMBase *newInput) {
 input = newInput;
 if (newInput->getOutputType() != TXFMBase::BYTE_STREAM)
-throw XSECException(XSECException::TransformInputOutputFail, "OutputLog transform requires BYTE_STREAM input");
+throw XSECException(XSECException ::TransformInputOutputFail, "OutputLog transform requires BYTE_STREAM input");
 keepComments = input->getCommentsStatus();
 m_log.debug("\n----- BEGIN SIGNATURE DEBUG -----\n");
 }
@@ -175,6 +176,27 @@
 return nullptr;
 }
+ class BlockingXSECURIResolver : public XSECURIResolver {
+ public:
+ BlockingXSECURIResolver() : m_log(Category::getInstance(XMLTOOLING_LOGCAT ".XMLSecurity")) {}
+ ~BlockingXSECURIResolver() {}
+
+ BinInputStream* resolveURI(const XMLCh* uri) {
+ auto_ptr_char temp(uri);
+ m_log.warn("blocked remote resource retrieval by xml-security-c library: %s",
+ temp.get() ? temp.get() : "(none)");
+ return nullptr;
+ }
+
+ void setBaseURI(const XMLCh* uri) {}
+
+ XSECURIResolver* clone() {
+ return new BlockingXSECURIResolver();
+ }
+
+ private:
+ Category& m_log;
+ };
 #endif
 #ifdef WIN32
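Review bot: The rewritten throw line in the @@ -144 hunk spells the scope operator with a stray space, `XSECException ::TransformInputOutputFail`; it is legal C++ but reads as a typo and differs from every other qualified name in the file, so it should go back to `XSECException::TransformInputOutputFail`. Nothing else on the line changes, so this hunk looks like an accidental whitespace edit rather than part of the fix.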
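Review bot: BlockingXSECURIResolver in the @@ -175 hunk is the SSRF mitigation the changelog refers to (bsc#1212359), yet the class carries no comment saying why every resolution is refused; add above it `// Installed as the XSECProvider's default URI resolver so that xml-security-c never fetches external resources named by a document being processed (SSRF mitigation, bsc#1212359).` The file already uses nullptr, so the three virtual functions resolveURI, setBaseURI and clone should be marked `override`, making an interface change in XSECURIResolver a compile error instead of silently leaving the blocking resolver unused, and `void setBaseURI(const XMLCh* uri) {}` names a parameter it never reads, unlike the unnamed parameters this same commit introduces in openssl_locking_callback. The string passed to m_log.warn() comes straight from the untrusted document, so control characters in a crafted URI reach the log unfiltered; escaping or truncating it before logging keeps the audit trail readable.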
@@ -400,6 +422,7 @@
 XSECPlatformUtils::Initialise();
 XSECPlatformUtils::SetReferenceLoggingSink(TXFMOutputLogFactory);
 m_xsecProvider.reset(new XSECProvider());
+ m_xsecProvider->setDefaultURIResolver(new BlockingXSECURIResolver());
 log.debug("XML-Security %s initialization complete", XSEC_FULLVERSIONDOT);
 #endif
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/xmltooling-3.2.3/xmltooling/util/CurlURLInputStream.cpp new/xmltooling-3.2.4/xmltooling/util/CurlURLInputStream.cpp
--- old/xmltooling-3.2.3/xmltooling/util/CurlURLInputStream.cpp 2019-03-08 15:44:44.000000000 +0100
+++ new/xmltooling-3.2.4/xmltooling/util/CurlURLInputStream.cpp 2023-06-06 23:01:04.000000000 +0200
@@ -79,7 +79,11 @@
 return nmemb;
 string* cacheTag = reinterpret_cast<string*>(stream);
 const char* hdr = reinterpret_cast<char*>(ptr);
- if (strncmp(hdr, "ETag:", 5) == 0) {
+#ifdef HAVE_STRCASECMP
+ if (!strncasecmp(hdr, "Etag:", 5)) {
+#else
+ if (!strnicmp(hdr, "Etag:", 5)) {
+#endif
 hdr += 5;
 size_t remaining = nmemb - 5;
 // skip leading spaces
@@ -105,7 +109,11 @@
 if (!cacheTag->empty())
 *cacheTag = "If-None-Match: " + *cacheTag;
 }
- else if (cacheTag->empty() && strncmp(hdr, "Last-Modified:", 14) == 0) {
+#ifdef HAVE_STRCASECMP
+ else if (cacheTag->empty() && !strncasecmp(hdr, "Last-Modified:", 14)) {
+#else
+ else if (cacheTag->empty() && !strnicmp(hdr, "Last-Modified:", 14)) {
+#endif
 hdr += 14;
 size_t remaining = nmemb - 14;
 // skip leading spaces
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/xmltooling-3.2.3/xmltooling/version.h new/xmltooling-3.2.4/xmltooling/version.h
--- old/xmltooling-3.2.3/xmltooling/version.h 2023-01-09 15:40:46.000000000 +0100
+++ new/xmltooling-3.2.4/xmltooling/version.h 2023-06-06 20:50:23.000000000 +0200
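Review bot: The resolver is handed to setDefaultURIResolver() as `new BlockingXSECURIResolver()` with no record of who owns it; the clone() method on the interface suggests the provider may copy the object rather than adopt it, in which case the heap instance created here is never freed. If the provider does clone, a scoped object suffices: `BlockingXSECURIResolver resolver; m_xsecProvider->setDefaultURIResolver(&resolver);`; if it adopts, a comment `// ownership passes to the provider` on this line settles the question for the next reader. Either way the choice should be checked against the xml-security-c headers, which are not part of this diff. The enclosing initialization function starts before this hunk.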
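Review bot: Both new preprocessor blocks in CurlURLInputStream.cpp (this @@ -79 hunk and the @@ -105 hunk) test HAVE_STRCASECMP but call strncasecmp(), so the guard does not describe the function actually used, and the fallback strnicmp() is the spelling MSVC documents as deprecated in favour of _strnicmp. Since the same four-line construct is now duplicated, a single file-local helper guarded on the right macro (autoconf's AC_CHECK_FUNCS would define HAVE_STRNCASECMP if configure.ac is told to check for it) removes the duplication and keeps the platform dependency in one place. The header callback that contains these lines begins before the hunk.
```cpp
// HTTP field names are case-insensitive; compare a header prefix without
// regard to case and keep the platform-specific call in one place.
// Requires strncasecmp in configure.ac's AC_CHECK_FUNCS list so that
// HAVE_STRNCASECMP is defined where the function exists.
static bool headerIs(const char* hdr, const char* name, size_t len)
{
#ifdef HAVE_STRNCASECMP
    return strncasecmp(hdr, name, len) == 0;
#else
    return _strnicmp(hdr, name, len) == 0;
#endif
}
// … unchanged: callback prologue up to the hdr pointer …
    if (headerIs(hdr, "Etag:", 5)) {
// … unchanged: ETag value parsing …
    else if (cacheTag->empty() && headerIs(hdr, "Last-Modified:", 14)) {
```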
@@ -44,7 +44,7 @@
 #define XMLTOOLING_VERSION_MAJOR 3
 #define XMLTOOLING_VERSION_MINOR 2
-#define XMLTOOLING_VERSION_REVISION 3
+#define XMLTOOLING_VERSION_REVISION 4
 /** DO NOT MODIFY BELOW THIS LINE */
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/xmltooling-3.2.3/xmltooling/xmltooling.rc new/xmltooling-3.2.4/xmltooling/xmltooling.rc
--- old/xmltooling-3.2.3/xmltooling/xmltooling.rc 2023-01-09 15:40:34.000000000 +0100
+++ new/xmltooling-3.2.4/xmltooling/xmltooling.rc 2023-06-06 20:51:11.000000000 +0200
@@ -28,8 +28,8 @@
 //
 VS_VERSION_INFO VERSIONINFO
- FILEVERSION 3,2,3,0
- PRODUCTVERSION 3,2,3,0
+ FILEVERSION 3,2,4,0
+ PRODUCTVERSION 3,2,4,0
 FILEFLAGSMASK 0x3fL
 #ifdef _DEBUG
 FILEFLAGS 0x1L
@@ -51,7 +51,7 @@
 #else
 VALUE "FileDescription", "OpenSAML XMLTooling Library\0"
 #endif
- VALUE "FileVersion", "3, 2, 3, 0\0"
+ VALUE "FileVersion", "3, 2, 4, 0\0"
 #ifdef XMLTOOLING_LITE
 #ifdef _DEBUG
 VALUE "InternalName", "xmltooling-lite3_2D\0"
@@ -82,7 +82,7 @@
 #endif
 VALUE "PrivateBuild", "\0"
 VALUE "ProductName", "OpenSAML 3.2.1\0"
- VALUE "ProductVersion", "3, 2, 1, 0\0"
+ VALUE "ProductVersion", "3, 2, 1, 3\0"
 VALUE "SpecialBuild", "\0"
 END
 END
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/xmltooling-3.2.3/xmltoolingtest/EncryptionTest.h new/xmltooling-3.2.4/xmltoolingtest/EncryptionTest.h
--- old/xmltooling-3.2.3/xmltoolingtest/EncryptionTest.h 2023-01-09 17:08:53.000000000 +0100
+++ new/xmltooling-3.2.4/xmltoolingtest/EncryptionTest.h 2023-01-12 14:49:51.000000000 +0100
@@ -168,7 +168,7 @@
 void testCipherReference() {
- preEncrypted("BadKeyInfo/cipherReference.xml", true);
+ preEncrypted("BadKeyInfo/CipherReference.xml", true);
 }
 };