-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 22 Feb 2018 14:55:42 CET
Source: xmltooling
Binary: libxmltooling7 libxmltooling-dev xmltooling-schemas libxmltooling-doc
Architecture: source
Version: 1.6.0-4+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Debian Shib Team <pkg-shibboleth-de...@lists.alioth.debian.org>
Changed-By: Ferenc Wágner <wf...@debian.org>
Description:
 libxmltooling-dev - C++ XML parsing library with encryption support (development)
 libxmltooling-doc - C++ XML parsing library with encryption support (API docs)
 libxmltooling7 - C++ XML parsing library with encryption support (runtime)
 xmltooling-schemas - XML schemas for XMLTooling
Changes:
 xmltooling (1.6.0-4+deb9u1) stretch-security; urgency=high
 .
   [ Russ Allbery ]
   * [4e7dec2] Remove myself from Uploaders
 .
   [ Ferenc Wágner ]
   * [2e5cad6] New patch fixing CVE-2018-0486: vulnerability to forged user
     attribute data.
     The Service Provider software relies on a generic XML parser to process
     SAML responses and there are limitations in older versions of the parser
     that make it impossible to fully disable Document Type Definition (DTD)
     processing. Through addition/manipulation of a DTD, it's possible to make
     changes to an XML document that do not break a digital signature but are
     mishandled by the SP and its libraries. These manipulations can alter the
     user data passed through to applications behind the SP and result in
     impersonation attacks and exposure of protected information.
     While the use of XML Encryption can serve as a mitigation for this bug,
     it may still be possible to construct attacks in such cases, and the SP
     does not provide a means to enforce its use.
     https://shibboleth.net/community/advisories/secadv_20180112.txt
     CPPXT-127 - Block entity reference nodes during unmarshalling.
     https://issues.shibboleth.net/jira/browse/CPPXT-127
   * [91c50ae] New patches fixing CVE-2018-0489: additional data forgery flaws.
     These flaws allow for changes to an XML document that do not break a
     digital signature but alter the user data passed through to applications
     enabling impersonation attacks and exposure of protected information.
     https://shibboleth.net/community/advisories/secadv_20180227.txt
     https://issues.shibboleth.net/jira/browse/CPPXT-128
     The Add-disallowDoctype-to-parser-configuration.patch is not effective
     under Xerces 3.1 in stretch, but provides more generic protection under
     Xerces 3.2 against issues like CVE-2018-0486. It's included here for
     completeness and to avoid a conflict applying the CVE-2018-0489 patch.
Checksums-Sha256:
 1f4964f23fa88d604d4dca2ac8f994a689c31c9d6352e6f051f9ed2a61157bab 2491 xmltooling_1.6.0-4+deb9u1.dsc
 06a4f61f9bd27a541079b252d2c21e238a5e01334aeda4010cde94b9d9cafe64 72976 xmltooling_1.6.0-4+deb9u1.debian.tar.xz
 bc491c49f9551e845018fadc4a462eb3a9d01157cf333a88e53c3407a7e163ca 10048 xmltooling_1.6.0-4+deb9u1_amd64.buildinfo
 e26a66cb10d767743c6af9a663fa3c7cb4dace55ec79cc91f9d8d528994af0b6 553346 xmltooling_1.6.0.orig.tar.bz2
Checksums-Sha1:
 fe8b36b6d73928a8f964c1d332e2e86dbbee5c4a 2491 xmltooling_1.6.0-4+deb9u1.dsc
 265fdbd04be1234423e992e4c280b62fd3fe0042 72976 xmltooling_1.6.0-4+deb9u1.debian.tar.xz
 13de71c24a38b85564e951dfeac8487f23f4e62c 10048 xmltooling_1.6.0-4+deb9u1_amd64.buildinfo
 c179745780c26e18b7d613536c25c1d45a09f8a3 553346 xmltooling_1.6.0.orig.tar.bz2
Files:
 4af3a97f27a5d2a9305acb9a521a1aba 2491 libs extra xmltooling_1.6.0-4+deb9u1.dsc
 ec83fbaa544111e99f572505fce23617 72976 libs extra xmltooling_1.6.0-4+deb9u1.debian.tar.xz
 a9e302cc83e36250290b09eff159c452 10048 libs extra xmltooling_1.6.0-4+deb9u1_amd64.buildinfo
 428e1d672952adf7ad0bee8ab3432dad 553346 libs extra xmltooling_1.6.0.orig.tar.bz2