On Tue, 28 Jan 2020 08:42:50 +0000 "Adam D. Barratt" <a...@adam-barratt.org.uk> wrote:

> On 2020-01-12 14:39, Ferenc Wágner wrote:
>
>> +xml-security-c (1.7.3-4+deb9u2) stretch; urgency=medium
>> +
>> +  * [12dd825] New patches: DSA verification crashes OpenSSL on invalid
>> +    combinations of key content.
>> +    Particular KeyInfo combinations result in incomplete DSA key structures
>> +    that OpenSSL can't handle without crashing. In the case of Shibboleth
>> +    SP software this manifests as a crash in the shibd daemon. Exploitation
>> +    is believed to be possible only in deployments employing the PKIX trust
>> +    engine, which is generally recommended against.
>> +    The upstream patches backported from 2.0.2 apply analogous safeguards to
>> +    the RSA and ECDSA key handling as well.
>
> Please go ahead.
Uploaded.

-- 
Thanks,
Feri
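The changelog above describes the failure mode only in outline: a KeyInfo element that carries some but not all of a DSA public key's components gets turned into a half-built key structure, and the crypto library crashes when asked to verify with it. The following Python is an added illustration of the defensive idea behind such a safeguard, not code from xml-security-c, Shibboleth or the Debian upload, and it does not reproduce the actual upstream patch. It parses an XML-DSig `ds:DSAKeyValue` from a constructed `ds:KeyInfo`, refuses anything missing P, Q, G or Y, and applies cheap subgroup sanity checks before the key would be handed on; the helper names (`parse_dsa_key_value`, `classify`, `make_keyinfo`) and the toy parameters are assumptions chosen for this example.

```python
import base64
from xml.etree import ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
# Components an XML-DSig DSAKeyValue must carry to verify a signature
# (P, Q, G, Y); Seed, PgenCounter and J are optional and not needed here.
REQUIRED = ("P", "Q", "G", "Y")


class IncompleteKeyError(ValueError):
    """Raised when a DSAKeyValue cannot yield a usable verification key."""


def _b64_to_int(text: str) -> int:
    # XML-DSig CryptoBinary: base64 of an unsigned big-endian integer
    return int.from_bytes(base64.b64decode("".join(text.split())), "big")


def _int_to_b64(value: int) -> str:
    length = max(1, (value.bit_length() + 7) // 8)
    return base64.b64encode(value.to_bytes(length, "big")).decode("ascii")


def make_keyinfo(**components: int) -> str:
    """Build a constructed ds:KeyInfo holding only the given DSA components."""
    parts = "".join(f"<ds:{k}>{_int_to_b64(v)}</ds:{k}>" for k, v in components.items())
    return (f'<ds:KeyInfo xmlns:ds="{DS_NS}"><ds:KeyValue><ds:DSAKeyValue>'
            f"{parts}</ds:DSAKeyValue></ds:KeyValue></ds:KeyInfo>")


def parse_dsa_key_value(keyinfo_xml: str) -> dict:
    """Validate and extract a complete DSA public key from ds:KeyInfo.

    Rejects key content that lacks components or fails basic group checks
    instead of passing a partially built key to the crypto library.
    """
    root = ET.fromstring(keyinfo_xml)
    dsa = root.find(f".//{{{DS_NS}}}DSAKeyValue")
    if dsa is None:
        raise IncompleteKeyError("KeyInfo carries no DSAKeyValue")
    comps = {}
    for name in REQUIRED:
        el = dsa.find(f"{{{DS_NS}}}{name}")
        if el is None or not (el.text or "").strip():
            raise IncompleteKeyError(f"DSAKeyValue is missing {name}")
        comps[name] = _b64_to_int(el.text)
    p, q, g, y = (comps[n] for n in REQUIRED)
    # Cheap structural checks: g and y must be non-trivial elements of the
    # order-q subgroup of Z_p^*. Primality of p and q is left to the crypto
    # library; these checks only stop obviously malformed keys early.
    if q <= 1 or p <= q or (p - 1) % q != 0:
        raise IncompleteKeyError("q does not divide p-1")
    if not 1 < g < p or pow(g, q, p) != 1:
        raise IncompleteKeyError("g is not a generator of the order-q subgroup")
    if not 1 < y < p or pow(y, q, p) != 1:
        raise IncompleteKeyError("y is not in the subgroup generated by g")
    return comps


def classify(keyinfo_xml: str) -> str:
    """Return 'ok' or a short rejection reason, for running over many samples."""
    try:
        parse_dsa_key_value(keyinfo_xml)
        return "ok"
    except IncompleteKeyError as exc:
        return f"rejected: {exc}"


# Constructed toy parameters (p=23, q=11, g=4 has order 11, y=4^3 mod 23=18);
# far too small for real use, chosen so the arithmetic is checkable by hand.
SAMPLES = {
    "complete": make_keyinfo(P=23, Q=11, G=4, Y=18),
    "missing_Y": make_keyinfo(P=23, Q=11, G=4),
    "only_Y": make_keyinfo(Y=18),
    "y_outside_group": make_keyinfo(P=23, Q=11, G=4, Y=5),
}

if __name__ == "__main__":
    for label, xml in SAMPLES.items():
        print(f"{label:16s} {classify(xml)}")
```

The point of the check is ordering: every component is confirmed present and plausible before any key object exists, so a malformed KeyInfo is rejected as a parse error rather than reaching the library's verification path. The same shape (a required-component table plus range checks) carries over to `ds:RSAKeyValue` (Modulus, Exponent) and to EC key values, which matches the changelog's note that the upstream safeguards were applied to RSA and ECDSA handling as well.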