Giuseppe Iuculano <iucul...@debian.org> writes:

> the following CVE (Common Vulnerabilities & Exposures) id was
> published for shibboleth-sp2.
>
> CVE-2009-3300[0]:
> | Multiple cross-site scripting (XSS) vulnerabilities in the Identity
> | Provider (IdP) 1.3.x before 1.3.4 and 2.x before 2.1.5, and the
> | Service Provider 1.3.x before 1.3.5 and 2.x before 2.3, in Internet2
> | Middleware Initiative Shibboleth allow remote attackers to inject
> | arbitrary web script or HTML via URLs that are encountered in
> | redirections, and appear in automatically generated forms.
>
> If you fix the vulnerability please also make sure to include the
> CVE id in your changelog entry.

The first updated package is currently sitting in NEW (and has been for
some time). The sid update requires updates to xmltooling, opensaml2,
and shibboleth-sp2 since the upstream solution also changes the library
SONAME. That means xmltooling, opensaml2, and shibboleth-sp2 all have
to clear NEW to resolve this bug for unstable. xmltooling has been
uploaded. I'm going to stage the packages in my personal repository
until they can get through NEW processing.

We're evaluating whether we can patch shibboleth-sp2 in stable without
changing the SONAME or requiring rebuilt versions of the supporting
libraries.

shibboleth-sp in stable and oldstable is also affected, and I hope to
work on that soon.

-- 
Russ Allbery (r...@debian.org)              <http://www.eyrie.org/~eagle/>