Your message dated Sat, 24 Jun 2023 14:33:04 +0000
with message-id <e1qd4k0-005zxf...@fasolo.debian.org>
and subject line Bug#1037948: fixed in xmltooling 3.2.3-1+deb12u1
has caused the Debian Bug report #1037948,
regarding xmltooling: Parsing of KeyInfo elements can cause remote resource access
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1037948: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1037948
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: xmltooling
Severity: important
Tags: patch upstream security

Shibboleth Service Provider Security Advisory [12 June 2023]

An updated version of the XMLTooling library that is part of the
OpenSAML and Shibboleth Service Provider software is now available
which corrects a server-side request forgery (SSRF) vulnerability.

Parsing of KeyInfo elements can cause remote resource access.
=============================================================
Including certain legal but "malicious in intent" content in the
KeyInfo element defined by the XML Signature standard will result
in attempts by the SP's shibd process to dereference untrusted
URLs.

While the content of the URL must be supplied within the message
and does not include any SP internal state or dynamic content,
there is at minimum a risk of denial of service, and the attack
could be combined with others to create more serious vulnerabilities
in the future.

This issue is *not* specific to the V3 XMLTooling software and is
believed to impact all versions prior to V3.2.4.

Recommendations
===============
Update to V3.2.4 or later of the XMLTooling library, which is
now available. Note that on Linux and similar platforms, upgrading
this component will require restarting the shibd process to correct
the bug.

The updated version of the library has been included in a V3.4.1.3
patch release of the Service Provider software on Windows.

Other Notes
===========
The xmltooling git commit containing the fix for this issue is
6080f6343f98fec085bc0fd746913ee418cc9d30 and may be in general terms
applicable to V2 of the library.

Credits
=======
Juriën de Jong, an independent security researcher in the Netherlands

URL for this Security Advisory:
https://shibboleth.net/community/advisories/secadv_20230612.txt

--- End Message ---
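Added editorial illustration, not part of the advisory, the upstream commit or the Debian patch: the changelog below describes the fix as installing a "blocking URI resolver" into Santuario, that is, the XML-security layer is told to refuse any fetch triggered by a URI inside KeyInfo. The Python below is an application-layer analogue of that policy that a relying party could run on an inbound message before signature processing. It assumes the remote reference arrives via ds:RetrievalMethod/@URI (the XML Signature element that refers to key material by URI); the advisory does not say which KeyInfo child was involved, so that choice, the function names and both sample documents are constructed for the example.

```python
"""Application-layer analogue of a blocking URI resolver for XML Signature KeyInfo.

Policy: the only RetrievalMethod URIs a verifier may resolve are same-document
references ('#id') or the empty URI (the whole document).  Anything with a
scheme, host, path or query would be fetched over the network or the
filesystem by a permissive resolver, so the message is rejected up front.
"""
import xml.etree.ElementTree as ET
from typing import List
from urllib.parse import urlsplit

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
KEYINFO = f"{{{DS_NS}}}KeyInfo"
RETRIEVAL = f"{{{DS_NS}}}RetrievalMethod"


class BlockedURIError(ValueError):
    """Raised when KeyInfo would require dereferencing a non-local URI."""


def is_local_reference(uri: str) -> bool:
    """True only for same-document references such as '#cert-1' or ''."""
    if uri == "":
        return True
    parts = urlsplit(uri)
    return (
        parts.scheme == ""
        and parts.netloc == ""
        and parts.path == ""
        and parts.query == ""
        and parts.fragment != ""
    )


def find_remote_keyinfo_uris(xml_bytes: bytes) -> List[str]:
    """Return every ds:RetrievalMethod URI under any ds:KeyInfo that is not local.

    Walks the whole tree, so KeyInfo nested anywhere (assertion, response,
    encrypted-key wrapper) is covered, not just the top-level Signature.
    """
    root = ET.fromstring(xml_bytes)
    offending = []
    for keyinfo in root.iter(KEYINFO):
        for rm in keyinfo.iter(RETRIEVAL):
            uri = rm.get("URI", "")  # missing URI is treated as the empty URI
            if not is_local_reference(uri):
                offending.append(uri)
    return offending


def enforce_blocking_policy(xml_bytes: bytes) -> None:
    """Reject the message before any signature code can touch the network."""
    bad = find_remote_keyinfo_uris(xml_bytes)
    if bad:
        raise BlockedURIError(f"KeyInfo references non-local URIs: {bad}")


# Constructed sample: key material referenced within the same document.
SAFE_DOC = b"""<Response xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:Signature>
    <ds:KeyInfo>
      <ds:RetrievalMethod URI="#cert-1"
          Type="http://www.w3.org/2000/09/xmldsig#X509Data"/>
    </ds:KeyInfo>
  </ds:Signature>
  <ds:Object Id="cert-1">
    <ds:X509Data><ds:X509Certificate>PLACEHOLDER</ds:X509Certificate></ds:X509Data>
  </ds:Object>
</Response>"""

# Constructed sample: legal KeyInfo whose resolution would make the verifier
# issue an outbound request (the pattern the advisory describes).
REMOTE_DOC = b"""<Response xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:Signature>
    <ds:KeyInfo>
      <ds:RetrievalMethod URI="http://example.invalid/keys"
          Type="http://www.w3.org/2000/09/xmldsig#X509Data"/>
    </ds:KeyInfo>
  </ds:Signature>
</Response>"""


if __name__ == "__main__":
    print("safe doc offending URIs:", find_remote_keyinfo_uris(SAFE_DOC))
    print("remote doc offending URIs:", find_remote_keyinfo_uris(REMOTE_DOC))
```

The check deliberately rejects relative paths and `file:` URIs as well as `http(s):`, since a permissive resolver would open those too; the upstream change makes the same decision one layer down, inside the library's URI resolver, which is why the advisory notes that shibd must be restarted for the new resolver to take effect.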
--- Begin Message ---
Source: xmltooling
Source-Version: 3.2.3-1+deb12u1
Done: Ferenc Wágner <wf...@debian.org>

We believe that the bug you reported is fixed in the latest version of
xmltooling, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1037...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ferenc Wágner <wf...@debian.org> (supplier of updated xmltooling package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 14 Jun 2023 18:52:03 +0200
Source: xmltooling
Architecture: source
Version: 3.2.3-1+deb12u1
Distribution: bookworm-security
Urgency: high
Maintainer: Debian Shib Team <pkg-shibboleth-de...@alioth-lists.debian.net>
Changed-By: Ferenc Wágner <wf...@debian.org>
Closes: 1037948
Changes:
 xmltooling (3.2.3-1+deb12u1) bookworm-security; urgency=high
 .
   * [9e43891] New patch: CPPXT-157 - Install blocking URI resolver into
     Santuario.
     Fix a denial of service vulnerability: Parsing of KeyInfo elements can
     cause remote resource access.
     Including certain legal but "malicious in intent" content in the
     KeyInfo element defined by the XML Signature standard will result
     in attempts by the SP's shibd process to dereference untrusted
     URLs.
     While the content of the URL must be supplied within the message
     and does not include any SP internal state or dynamic content,
     there is at minimum a risk of denial of service, and the attack
     could be combined with others to create more serious vulnerabilities
     in the future.
     Thanks to Scott Cantor for the fix. (Closes: #1037948)
Checksums-Sha1:
 3591432fe34bf18216c181fa802ef15a61892d9e 2822 xmltooling_3.2.3-1+deb12u1.dsc
 cf8f73d5592e71c4ebabb8c6f93a4d8db3e42081 620767 xmltooling_3.2.3.orig.tar.bz2
 9327a0d4f15477d8661813b1f69e184ed023c2ec 833 xmltooling_3.2.3.orig.tar.bz2.asc
 fe92a349ede365171316d085d10234ad3617fa1b 19052 xmltooling_3.2.3-1+deb12u1.debian.tar.xz
 8ba5f046c2fd81bb302a73843e86348d3fccd181 7156 xmltooling_3.2.3-1+deb12u1_source.buildinfo
Checksums-Sha256:
 c72c9fdac41ed7058c6da1375d731daae31b503c8f0b5fee49d3a526d8274f91 2822 xmltooling_3.2.3-1+deb12u1.dsc
 95b8296ffb1facd86eaa9f24d4a895a7c55a3cd838450b4d20bc1651fdf45132 620767 xmltooling_3.2.3.orig.tar.bz2
 4f2107f7c3810bb37660bc9ce4ad79a4b9b1892247020ae4c201fe8cfe33b903 833 xmltooling_3.2.3.orig.tar.bz2.asc
 72abed1f896dd3998b9a7efd18b0cccd6c9d6b9876281bb8e8dd95ca329cd38c 19052 xmltooling_3.2.3-1+deb12u1.debian.tar.xz
 57d9d867bb72d8844a223dab78d5b4ac2fbf40f180a240a51ce69bb5c7a7700c 7156 xmltooling_3.2.3-1+deb12u1_source.buildinfo
Files:
 9fb7a16382b796df025a6e4cbc5435ea 2822 libs optional xmltooling_3.2.3-1+deb12u1.dsc
 f5920350ee964a4c38c566394894f09b 620767 libs optional xmltooling_3.2.3.orig.tar.bz2
 b5a5cb6e1670d73cb8219d8f60d66ff0 833 libs optional xmltooling_3.2.3.orig.tar.bz2.asc
 0fa0a36e297474767b3d51f130a7bd8d 19052 libs optional xmltooling_3.2.3-1+deb12u1.debian.tar.xz
 b3e9d77d97276466a01b39cea4f391e7 7156 libs optional xmltooling_3.2.3-1+deb12u1_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---