Your message dated Fri, 29 Nov 2024 16:29:18 +0100
with message-id <[email protected]>
and subject line Re: Bug#1074429: xml-security-c: CVE-2024-34580
has caused the Debian Bug report #1074429,
regarding xml-security-c: CVE-2024-34580
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)

-- 
1074429: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1074429
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: xml-security-c
X-Debbugs-CC: [email protected]
Severity: important
Tags: security

Hi,

The following vulnerability was published for xml-security-c.

CVE-2024-34580[0]:
| Apache XML Security for C++ through 2.0.4 implements the XML
| Signature Syntax and Processing (XMLDsig) specification without
| protection against an SSRF payload in a KeyInfo element. NOTE: the
| supplier disputes this CVE Record on the grounds that they are
| implementing the specification "correctly" and are not "at fault."

https://cloud.google.com/blog/topics/threat-intelligence/apache-library-allows-server-side-request-forgery
https://www.sonatype.com/blog/the-exploited-ivanti-connect-ssrf-vulnerability-stems-from-xmltooling-oss-library
https://github.com/zmanion/Vulnerabilities/blob/main/CVE-2024-21893.md

Not sure what to make out of this? It seems the use of xml-security-c
within Shibboleth continues to be supported, but otherwise the library
is deemed deprecated, so maybe this should at least be made explicit in
the package description?

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-34580
    https://www.cve.org/CVERecord?id=CVE-2024-34580

Please adjust the affected versions in the BTS as needed.
--- End Message ---
--- Begin Message ---
On Fri, Jun 28, 2024 at 08:27:34PM +0000, Cantor, Scott wrote:
> TL;DR,
>
> This is not a vulnerability, it's a default that people don't like that
> required a minor update to change, and that wasn't going to happen. The code
> has been formally retired at Apache and forked for the Shibboleth Project's
> use, and there will be some form of official indication of that at some point
> later this summer.

Thanks for the explanation and sorry for the late reply, catching up with
some older mail.

I've marked this a non-issue in the Debian Security Tracker and will also
close this bug.

Cheers,
        Moritz
--- End Message ---
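The CVE text above describes the issue only as "an SSRF payload in a KeyInfo element", and the thread's conclusion is that the fetching behaviour is a library default rather than a bug that will be patched. A deployment that cannot change that default can still screen documents before the verifier ever sees them. The following is an added example, not code from the Debian report, from xml-security-c or from the Shibboleth fork; it assumes that the dereferenced URI is the URI attribute of ds:RetrievalMethod (the XMLDsig element whose purpose is to point at key material elsewhere) and rejects any such reference that is not a same-document fragment. The element names, the policy and the two sample documents are constructed for the example.

```python
"""
Constructed example: pre-screen ds:KeyInfo before passing a signed document to
an XMLDsig verifier. Not code from the Debian report, Shibboleth or
xml-security-c; it assumes the dereferenced URI lives on ds:RetrievalMethod.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
# Child elements of KeyInfo whose URI attribute a verifier may fetch
# (assumption: RetrievalMethod is the dereferenced one).
URI_BEARING_TAGS = {f"{{{DSIG_NS}}}RetrievalMethod"}


class KeyInfoPolicyError(ValueError):
    """Raised when KeyInfo points outside the document."""


def is_local_reference(uri: str) -> bool:
    """Accept only an empty URI or a same-document fragment ('#id')."""
    if uri == "":
        return True
    if not uri.startswith("#"):
        return False
    parts = urlsplit(uri)
    return parts.scheme == "" and parts.netloc == "" and parts.path == ""


def find_remote_keyinfo_uris(xml_text: str) -> list:
    """Return every KeyInfo URI that is not a same-document reference."""
    # The stdlib parser does not resolve external entities, so parsing
    # the untrusted document here does not itself trigger a fetch.
    root = ET.fromstring(xml_text)
    offending = []
    for keyinfo in root.iter(f"{{{DSIG_NS}}}KeyInfo"):
        for element in keyinfo.iter():
            if element.tag in URI_BEARING_TAGS:
                uri = element.get("URI", "")
                if not is_local_reference(uri):
                    offending.append(uri)
    return offending


def check_keyinfo(xml_text: str) -> None:
    """Reject the document before any key lookup can reach the network."""
    bad = find_remote_keyinfo_uris(xml_text)
    if bad:
        raise KeyInfoPolicyError(f"KeyInfo references non-local URI(s): {bad}")


# Constructed sample documents (minimal, not real signatures).
SAFE_DOC = f"""<Root xmlns:ds="{DSIG_NS}">
  <ds:Signature>
    <ds:KeyInfo>
      <ds:RetrievalMethod URI="#key-1"/>
    </ds:KeyInfo>
  </ds:Signature>
  <ds:KeyValue Id="key-1"/>
</Root>"""

REMOTE_DOC = f"""<Root xmlns:ds="{DSIG_NS}">
  <ds:Signature>
    <ds:KeyInfo>
      <ds:RetrievalMethod URI="http://keys.internal.example/k1"/>
    </ds:KeyInfo>
  </ds:Signature>
</Root>"""

if __name__ == "__main__":
    check_keyinfo(SAFE_DOC)
    print("safe document accepted")
    try:
        check_keyinfo(REMOTE_DOC)
    except KeyInfoPolicyError as exc:
        print("rejected:", exc)
```

Run the screen on the raw bytes you received, before signature verification, and log the rejected URI: a KeyInfo that points at anything other than a fragment of the same document is the signal to alert on, regardless of whether the library treats it as a bug.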

