Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package xmltooling for openSUSE:Factory 
checked in at 2023-06-22 23:26:40
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/xmltooling (Old)
 and      /work/SRC/openSUSE:Factory/.xmltooling.new.15902 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "xmltooling"

Thu Jun 22 23:26:40 2023 rev:18 rq:1094638 version:3.2.4

Changes:
--------
--- /work/SRC/openSUSE:Factory/xmltooling/xmltooling.changes    2023-01-26 
14:12:04.916788563 +0100
+++ /work/SRC/openSUSE:Factory/.xmltooling.new.15902/xmltooling.changes 
2023-06-22 23:27:25.914261043 +0200
@@ -1,0 +2,7 @@
+Wed Jun 21 12:33:30 UTC 2023 - Danilo Spinella <danilo.spine...@suse.com>
+
+- Update to 3.2.4:
+  * No changelog provided 
+- Fix server-side request forgery (SSRF) vulnerability, bsc#1212359
+
+-------------------------------------------------------------------

Old:
----
  xmltooling-3.2.3.tar.bz2
  xmltooling-3.2.3.tar.bz2.asc

New:
----
  xmltooling-3.2.4.tar.bz2
  xmltooling-3.2.4.tar.bz2.asc

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ xmltooling.spec ++++++
--- /var/tmp/diff_new_pack.aUhwjx/_old  2023-06-22 23:27:26.674264919 +0200
+++ /var/tmp/diff_new_pack.aUhwjx/_new  2023-06-22 23:27:26.682264960 +0200
@@ -20,7 +20,7 @@
 %define opensaml_version 3.2.1
 %define pkgdocdir %{_docdir}/%{name}
 Name:           xmltooling
-Version:        3.2.3
+Version:        3.2.4
 Release:        0
 Summary:        OpenSAML XML Processing library
 License:        Apache-2.0

++++++ xmltooling-3.2.3.tar.bz2 -> xmltooling-3.2.4.tar.bz2 ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/xmltooling-3.2.3/config_win32.h 
new/xmltooling-3.2.4/config_win32.h
--- old/xmltooling-3.2.3/config_win32.h 2023-01-09 15:39:57.000000000 +0100
+++ new/xmltooling-3.2.4/config_win32.h 2023-06-06 20:50:14.000000000 +0200
@@ -106,13 +106,13 @@
 #define PACKAGE_NAME "xmltooling"
 
 /* Define to the full name and version of this package. */
-#define PACKAGE_STRING "xmltooling 3.2.3"
+#define PACKAGE_STRING "xmltooling 3.2.4"
 
 /* Define to the one symbol short name of this package. */
 #define PACKAGE_TARNAME "xmltooling"
 
 /* Define to the version of this package. */
-#define PACKAGE_VERSION "3.2.3"
+#define PACKAGE_VERSION "3.2.4"
 
 /* Define to the necessary symbol if this constant uses a non-standard name on
    your system. */
@@ -125,7 +125,7 @@
 /* #undef TM_IN_SYS_TIME */
 
 /* Version number of package */
-#define VERSION "3.2.3"
+#define VERSION "3.2.4"
 
 /* Define if you wish to disable XML-Security-dependent features. */
 /* #undef XMLTOOLING_NO_XMLSEC */
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/xmltooling-3.2.3/configure 
new/xmltooling-3.2.4/configure
--- old/xmltooling-3.2.3/configure      2023-01-09 15:46:55.000000000 +0100
+++ new/xmltooling-3.2.4/configure      2023-06-06 20:53:01.000000000 +0200
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.71 for xmltooling 3.2.3.
+# Generated by GNU Autoconf 2.71 for xmltooling 3.2.4.
 #
 # Report bugs to <https://shibboleth.atlassian.net/jira>.
 #
@@ -621,8 +621,8 @@
 # Identity of this package.
 PACKAGE_NAME='xmltooling'
 PACKAGE_TARNAME='xmltooling'
-PACKAGE_VERSION='3.2.3'
-PACKAGE_STRING='xmltooling 3.2.3'
+PACKAGE_VERSION='3.2.4'
+PACKAGE_STRING='xmltooling 3.2.4'
 PACKAGE_BUGREPORT='https://shibboleth.atlassian.net/jira'
 PACKAGE_URL=''
 
@@ -1489,7 +1489,7 @@
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures xmltooling 3.2.3 to adapt to many kinds of systems.
+\`configure' configures xmltooling 3.2.4 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1560,7 +1560,7 @@
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of xmltooling 3.2.3:";;
+     short | recursive ) echo "Configuration of xmltooling 3.2.4:";;
    esac
   cat <<\_ACEOF
 
@@ -1729,7 +1729,7 @@
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-xmltooling configure 3.2.3
+xmltooling configure 3.2.4
 generated by GNU Autoconf 2.71
 
 Copyright (C) 2021 Free Software Foundation, Inc.
@@ -2308,7 +2308,7 @@
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by xmltooling $as_me 3.2.3, which was
+It was created by xmltooling $as_me 3.2.4, which was
 generated by GNU Autoconf 2.71.  Invocation command line was
 
   $ $0$ac_configure_args_raw
@@ -3796,7 +3796,7 @@
 
 # Define the identity of the package.
  PACKAGE='xmltooling'
- VERSION='3.2.3'
+ VERSION='3.2.4'
 
 
 printf "%s\n" "#define PACKAGE \"$PACKAGE\"" >>confdefs.h
@@ -23105,7 +23105,7 @@
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by xmltooling $as_me 3.2.3, which was
+This file was extended by xmltooling $as_me 3.2.4, which was
 generated by GNU Autoconf 2.71.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -23173,7 +23173,7 @@
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config='$ac_cs_config_escaped'
 ac_cs_version="\\
-xmltooling config.status 3.2.3
+xmltooling config.status 3.2.4
 configured by $0, generated by GNU Autoconf 2.71,
   with options \\"\$ac_cs_config\\"
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/xmltooling-3.2.3/configure.ac 
new/xmltooling-3.2.4/configure.ac
--- old/xmltooling-3.2.3/configure.ac   2023-01-09 15:39:33.000000000 +0100
+++ new/xmltooling-3.2.4/configure.ac   2023-06-06 20:49:50.000000000 +0200
@@ -1,6 +1,6 @@
 # Process this file with autoreconf
 AC_PREREQ([2.50])
-AC_INIT([xmltooling],[3.2.3],[https://shibboleth.atlassian.net/jira],[xmltooling])
+AC_INIT([xmltooling],[3.2.4],[https://shibboleth.atlassian.net/jira],[xmltooling])
 AC_CONFIG_SRCDIR(xmltooling)
 AC_CONFIG_AUX_DIR(build-aux)
 AC_CONFIG_MACRO_DIR(m4)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/xmltooling-3.2.3/xmltooling/Makefile.am 
new/xmltooling-3.2.4/xmltooling/Makefile.am
--- old/xmltooling-3.2.3/xmltooling/Makefile.am 2023-01-09 15:41:12.000000000 
+0100
+++ new/xmltooling-3.2.4/xmltooling/Makefile.am 2023-06-06 20:51:26.000000000 
+0200
@@ -229,7 +229,7 @@
        $(PTHREAD_LIBS) \
        $(dlopen_LIBS)
 
-AM_LDFLAGS = -version-info 10:3:0
+AM_LDFLAGS = -version-info 10:4:0
 
 libxmltooling_lite_la_SOURCES = \
        ${common_sources}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/xmltooling-3.2.3/xmltooling/Makefile.in 
new/xmltooling-3.2.4/xmltooling/Makefile.in
--- old/xmltooling-3.2.3/xmltooling/Makefile.in 2023-01-09 15:46:57.000000000 
+0100
+++ new/xmltooling-3.2.4/xmltooling/Makefile.in 2023-06-06 20:53:00.000000000 
+0200
@@ -916,7 +916,7 @@
        $(PTHREAD_LIBS) \
        $(dlopen_LIBS)
 
-AM_LDFLAGS = -version-info 10:3:0
+AM_LDFLAGS = -version-info 10:4:0
 libxmltooling_lite_la_SOURCES = \
        ${common_sources}
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/xmltooling-3.2.3/xmltooling/XMLToolingConfig.cpp 
new/xmltooling-3.2.4/xmltooling/XMLToolingConfig.cpp
--- old/xmltooling-3.2.3/xmltooling/XMLToolingConfig.cpp        2018-07-10 
03:00:14.000000000 +0200
+++ new/xmltooling-3.2.4/xmltooling/XMLToolingConfig.cpp        2023-06-06 
22:17:55.000000000 +0200
@@ -75,6 +75,7 @@
 # include <xsec/framework/XSECException.hpp>
 # include <xsec/framework/XSECProvider.hpp>
 # include <xsec/transformers/TXFMBase.hpp>
+# include <xsec/framework/XSECURIResolver.hpp>
 #endif
 
 using namespace soap11;
@@ -116,7 +117,7 @@
 #endif
     static ptr_vector<Mutex> g_openssl_locks;
 
-    extern "C" void openssl_locking_callback(int mode,int n,const char 
*file,int line)
+    extern "C" void openssl_locking_callback(int mode, int n, const char *, 
int)
     {
         if (mode & CRYPTO_LOCK)
             g_openssl_locks[n].lock();
@@ -144,7 +145,7 @@
            void setInput(TXFMBase *newInput) {
                input = newInput;
                if (newInput->getOutputType() != TXFMBase::BYTE_STREAM)
-                       throw 
XSECException(XSECException::TransformInputOutputFail, "OutputLog transform 
requires BYTE_STREAM input");
+                       throw XSECException(XSECException       
::TransformInputOutputFail, "OutputLog transform requires BYTE_STREAM input");
                keepComments = input->getCommentsStatus();
             m_log.debug("\n----- BEGIN SIGNATURE DEBUG -----\n");
         }
@@ -175,6 +176,27 @@
         return nullptr;
     }
 
+    class BlockingXSECURIResolver : public XSECURIResolver {
+    public:
+       BlockingXSECURIResolver() : 
m_log(Category::getInstance(XMLTOOLING_LOGCAT ".XMLSecurity")) {}
+       ~BlockingXSECURIResolver() {}
+
+       BinInputStream* resolveURI(const XMLCh* uri) {
+               auto_ptr_char temp(uri);
+               m_log.warn("blocked remote resource retrieval by xml-security-c 
library: %s",
+                               temp.get() ? temp.get() : "(none)");
+               return nullptr;
+       }
+
+       void setBaseURI(const XMLCh* uri) {}
+
+       XSECURIResolver* clone() {
+               return new BlockingXSECURIResolver();
+       }
+
+    private:
+       Category& m_log;
+    };
 #endif
 
 #ifdef WIN32
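Review bot: `resolveURI` copies the reference URI into a warn-level message unmodified and at full length; that value presumably originates in the document being processed, so unless the logging layer escapes it a crafted URI can flood the log or break up its lines. Truncating `temp.get()` and replacing control characters before the `m_log.warn` call would contain that. The class also has no comment saying it is a deliberate deny-all resolver whose `nullptr` return is the refusal; a line such as `// Deny-all resolver: xml-security-c must never dereference URIs on its own (SSRF hardening, bsc#1212359).` above the class would keep a later maintainer from "repairing" it. The refusal is only as safe as the library's handling of a null stream, which is outside this diff and worth confirming. As a style point, `setBaseURI` still names its unused `uri` parameter, unlike the locking callback tidied in the earlier hunk.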
@@ -400,6 +422,7 @@
         XSECPlatformUtils::Initialise();
         XSECPlatformUtils::SetReferenceLoggingSink(TXFMOutputLogFactory);
         m_xsecProvider.reset(new XSECProvider());
+        m_xsecProvider->setDefaultURIResolver(new BlockingXSECURIResolver());
         log.debug("XML-Security %s initialization complete", 
XSEC_FULLVERSIONDOT);
 #endif
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/xmltooling-3.2.3/xmltooling/util/CurlURLInputStream.cpp 
new/xmltooling-3.2.4/xmltooling/util/CurlURLInputStream.cpp
--- old/xmltooling-3.2.3/xmltooling/util/CurlURLInputStream.cpp 2019-03-08 
15:44:44.000000000 +0100
+++ new/xmltooling-3.2.4/xmltooling/util/CurlURLInputStream.cpp 2023-06-06 
23:01:04.000000000 +0200
@@ -79,7 +79,11 @@
             return nmemb;
         string* cacheTag = reinterpret_cast<string*>(stream);
         const char* hdr = reinterpret_cast<char*>(ptr);
-        if (strncmp(hdr, "ETag:", 5) == 0) {
+#ifdef HAVE_STRCASECMP
+        if (!strncasecmp(hdr, "Etag:", 5)) {
+#else
+        if (!strnicmp(hdr, "Etag:", 5)) {
+#endif
             hdr += 5;
             size_t remaining = nmemb - 5;
             // skip leading spaces
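Review bot: The opening `if (...) {` is now written twice under `#ifdef HAVE_STRCASECMP` / `#else`, here and again for the `Last-Modified:` branch in the next hunk, which leaves an unbalanced brace in each preprocessor arm and makes the two copies easy to desynchronise. Unless the file already has one, a single shim near the includes (`#ifndef HAVE_STRCASECMP`, `# define strncasecmp strnicmp`, `#endif`) would let each condition stay one line, `if (!strncasecmp(hdr, "Etag:", 5)) {`; note too that the guard macro names `strcasecmp` while the call is `strncasecmp`. Separately, `hdr` is data from the remote server and libcurl does not promise NUL termination in header callbacks, so it is worth confirming that the part of the function above this hunk rejects lines shorter than the 5- and 14-byte prefixes being compared. The function starts and ends outside the hunk.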
@@ -105,7 +109,11 @@
             if (!cacheTag->empty())
                 *cacheTag = "If-None-Match: " + *cacheTag;
         }
-        else if (cacheTag->empty() && strncmp(hdr, "Last-Modified:", 14) == 0) 
{
+#ifdef HAVE_STRCASECMP
+        else if (cacheTag->empty() && !strncasecmp(hdr, "Last-Modified:", 14)) 
{
+#else
+        else if (cacheTag->empty() && !strnicmp(hdr, "Last-Modified:", 14)) {
+#endif
             hdr += 14;
             size_t remaining = nmemb - 14;
             // skip leading spaces
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/xmltooling-3.2.3/xmltooling/version.h 
new/xmltooling-3.2.4/xmltooling/version.h
--- old/xmltooling-3.2.3/xmltooling/version.h   2023-01-09 15:40:46.000000000 
+0100
+++ new/xmltooling-3.2.4/xmltooling/version.h   2023-06-06 20:50:23.000000000 
+0200
@@ -44,7 +44,7 @@
 
 #define XMLTOOLING_VERSION_MAJOR 3
 #define XMLTOOLING_VERSION_MINOR 2
-#define XMLTOOLING_VERSION_REVISION 3
+#define XMLTOOLING_VERSION_REVISION 4
 
 /** DO NOT MODIFY BELOW THIS LINE */
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/xmltooling-3.2.3/xmltooling/xmltooling.rc 
new/xmltooling-3.2.4/xmltooling/xmltooling.rc
--- old/xmltooling-3.2.3/xmltooling/xmltooling.rc       2023-01-09 
15:40:34.000000000 +0100
+++ new/xmltooling-3.2.4/xmltooling/xmltooling.rc       2023-06-06 
20:51:11.000000000 +0200
@@ -28,8 +28,8 @@
 //
 
 VS_VERSION_INFO VERSIONINFO
- FILEVERSION 3,2,3,0
- PRODUCTVERSION 3,2,3,0
+ FILEVERSION 3,2,4,0
+ PRODUCTVERSION 3,2,4,0
  FILEFLAGSMASK 0x3fL
 #ifdef _DEBUG
  FILEFLAGS 0x1L
@@ -51,7 +51,7 @@
 #else
             VALUE "FileDescription", "OpenSAML XMLTooling Library\0"
 #endif
-            VALUE "FileVersion", "3, 2, 3, 0\0"
+            VALUE "FileVersion", "3, 2, 4, 0\0"
 #ifdef XMLTOOLING_LITE
 #ifdef _DEBUG
             VALUE "InternalName", "xmltooling-lite3_2D\0"
@@ -82,7 +82,7 @@
 #endif
             VALUE "PrivateBuild", "\0"
             VALUE "ProductName", "OpenSAML 3.2.1\0"
-            VALUE "ProductVersion", "3, 2, 1, 0\0"
+            VALUE "ProductVersion", "3, 2, 1, 3\0"
             VALUE "SpecialBuild", "\0"
         END
     END
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/xmltooling-3.2.3/xmltoolingtest/EncryptionTest.h 
new/xmltooling-3.2.4/xmltoolingtest/EncryptionTest.h
--- old/xmltooling-3.2.3/xmltoolingtest/EncryptionTest.h        2023-01-09 
17:08:53.000000000 +0100
+++ new/xmltooling-3.2.4/xmltoolingtest/EncryptionTest.h        2023-01-12 
14:49:51.000000000 +0100
@@ -168,7 +168,7 @@
 
     void testCipherReference()
     {
-        preEncrypted("BadKeyInfo/cipherReference.xml", true);
+        preEncrypted("BadKeyInfo/CipherReference.xml", true);
     }
 
 };
