Bug#793855: DoS, Shibboleth SP software crashes on well-formed but invalid XML (CVE-2015-0851)

2015-11-04 Thread Ferenc Wagner
Salvatore Bonaccorso  writes:

> On Thu, Sep 24, 2015 at 08:54:08AM +0200, Ferenc Wagner wrote:
>
>> Salvatore Bonaccorso  writes:
>> 
>>> Any news for the fix to unstable for CVE-2015-0851?
>> 
>> Sorry, I got bogged down in another department.  It isn't forgotten,
>> though, I expect to tend to it in a couple of days.
>
> *ping*? ;-)

I clearly failed to live up to my promise.  Sorry for that.  Things are
shaping up, though, I really expect to start packaging the newest stack
next week latest.  (That will take care of the C++ transition, too.)
-- 
Regards,
Feri.



Bug#793855: DoS, Shibboleth SP software crashes on well-formed but invalid XML (CVE-2015-0851)

2015-10-25 Thread Salvatore Bonaccorso
Hi,

On Thu, Sep 24, 2015 at 08:54:08AM +0200, Ferenc Wagner wrote:
> Salvatore Bonaccorso  writes:
> 
> > Any news for the fix to unstable for CVE-2015-0851?
> 
> Sorry, I got bogged down in another department.  It isn't forgotten,
> though, I expect to tend to it in a couple of days.

*ping*? ;-)

Regards,
Salvatore



Bug#793855: DoS, Shibboleth SP software crashes on well-formed but invalid XML (CVE-2015-0851)

2015-09-24 Thread Ferenc Wagner
Salvatore Bonaccorso  writes:

> Any news for the fix to unstable for CVE-2015-0851?

Sorry, I got bogged down in another department.  It isn't forgotten,
though, I expect to tend to it in a couple of days.
-- 
Regards,
Feri.



Bug#793855: DoS, Shibboleth SP software crashes on well-formed but invalid XML (CVE-2015-0851)

2015-09-19 Thread Salvatore Bonaccorso
Hi

Any news for the fix to unstable for CVE-2015-0851?

Regards,
Salvatore



Bug#793855: DoS, Shibboleth SP software crashes on well-formed but invalid XML (CVE-2015-0851)

2015-07-28 Thread Luca Bruno
Source: xmltooling
Version: 1.3.3-2
Severity: serious
Tags: security patch upstream

Shibboleth Service Provider software contains a code path with an uncaught
exception that can be triggered by an unauthenticated attacker by
supplying well-formed but schema-invalid XML in the form of SAML
metadata or SAML protocol messages. The result is a crash and so
causes a denial of service.

Updated versions of OpenSAML-C (V2.5.5) and XMLTooling-C (V1.5.5)
are available that correct this bug.

This vulnerability has been assigned CVE-2015-0851.
Please mention the CVE ID in changelog when fixing this issue.

References:
 * Bulletin
   http://shibboleth.net/community/advisories/secadv_20150721.txt
 * Fixing commit (xmltooling)
   https://git.shibboleth.net/view/?p=cpp-xmltooling.git;a=commitdiff;h=2d795c731e6729309044607154978696a87fd900

Cheers, Luca


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#793855: DoS, Shibboleth SP software crashes on well-formed but invalid XML (CVE-2015-0851)

2015-07-28 Thread Ferenc Wagner
We're already working on this with the Security Team.  I wonder if I
should prepare new packages (for {wheezy,jessie}-security) with the
changelogs closing this bug.  Or should it be closed by the unstable
upload of 1.5.5?  The proposed security uploads can be found at
http://apt.niif.hu/CVE-2015-0851/.
-- 
Regards,
Feri.





Bug#793855: DoS, Shibboleth SP software crashes on well-formed but invalid XML (CVE-2015-0851)

2015-07-28 Thread Luca Bruno
On Tuesday 28 July 2015 12:15:43 Ferenc Wagner wrote:
> We're already working on this with the Security Team.  I wonder if I
> should prepare new packages (for {wheezy,jessie}-security) with the
> changelogs closing this bug.  Or should it be closed by the unstable
> upload of 1.5.5?  The proposed security uploads can be found at
> http://apt.niif.hu/CVE-2015-0851/.

Ok, just follow up with the Security Team then, they'll point you through the 
correct path.

I just filed this bug today as I realized the issue has been initially labeled 
with a wrong CVE and seemed to be untracked.

Cheers, Luca

-- 
 .''`.  ** Debian GNU/Linux **  | Luca Bruno (kaeso)
: :'  :   The Universal O.S.| lucab (AT) debian.org
`. `'`  | GPG: 0xBB1A3A854F3BBEBF
  `- http://www.debian.org  | Debian GNU/Linux Developer

