Bug#793855: DoS, Shibboleth SP software crashes on well-formed but invalid XML (CVE-2015-0851)
Salvatore Bonaccorso writes:

> On Thu, Sep 24, 2015 at 08:54:08AM +0200, Ferenc Wagner wrote:
>
>> Salvatore Bonaccorso writes:
>>
>>> Any news for the fix to unstable for CVE-2015-0851?
>>
>> Sorry, I got bogged down in another department. It isn't forgotten,
>> though, I expect to tend to it in a couple of days.
>
> *ping*? ;-)

I clearly failed to live up to my promise. Sorry for that. Things are shaping up, though; I really expect to start packaging the newest stack next week at the latest. (That will take care of the C++ transition, too.)

-- 
Regards,
Feri.
Bug#793855: DoS, Shibboleth SP software crashes on well-formed but invalid XML (CVE-2015-0851)
Hi,

On Thu, Sep 24, 2015 at 08:54:08AM +0200, Ferenc Wagner wrote:
> Salvatore Bonaccorso writes:
>
>> Any news for the fix to unstable for CVE-2015-0851?
>
> Sorry, I got bogged down in another department. It isn't forgotten,
> though, I expect to tend to it in a couple of days.

*ping*? ;-)

Regards,
Salvatore
Bug#793855: DoS, Shibboleth SP software crashes on well-formed but invalid XML (CVE-2015-0851)
Salvatore Bonaccorso writes:

> Any news for the fix to unstable for CVE-2015-0851?

Sorry, I got bogged down in another department. It isn't forgotten, though; I expect to tend to it in a couple of days.

-- 
Regards,
Feri.
Bug#793855: DoS, Shibboleth SP software crashes on well-formed but invalid XML (CVE-2015-0851)
Hi,

Any news for the fix to unstable for CVE-2015-0851?

Regards,
Salvatore
Bug#793855: DoS, Shibboleth SP software crashes on well-formed but invalid XML (CVE-2015-0851)
Source: xmltooling
Version: 1.3.3-2
Severity: serious
Tags: security patch upstream

Shibboleth Service Provider software contains a code path with an uncaught exception that can be triggered by an unauthenticated attacker by supplying well-formed but schema-invalid XML in the form of SAML metadata or SAML protocol messages. The result is a crash and so causes a denial of service.

Updated versions of OpenSAML-C (V2.5.5) and XMLTooling-C (V1.5.5) are available that correct this bug.

This vulnerability has been assigned CVE-2015-0851. Please mention the CVE ID in the changelog when fixing this issue.

References:
* Bulletin: http://shibboleth.net/community/advisories/secadv_20150721.txt
* Fixing commit (xmltooling): https://git.shibboleth.net/view/?p=cpp-xmltooling.git;a=commitdiff;h=2d795c731e6729309044607154978696a87fd900

Cheers, Luca

-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
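The failure mode the report describes (a C++ exception raised on well-formed but schema-invalid input escaping every frame, which makes the runtime call std::terminate() and kills the daemon) is easy to see in miniature. The following is an added illustration, not code from xmltooling, OpenSAML or the fixing commit: parseMessage, ParseError, SchemaViolation and the two handler functions are constructed stand-ins, and the toy "schema" (a <Message> root that must carry an id attribute) is invented for the example. It contrasts a handler that lets the exception leak with one that catches at the request boundary and answers with an error instead of crashing.

```cpp
#include <cstdio>
#include <stdexcept>
#include <string>

// Constructed stand-in for a schema-validating XML handler. It is NOT
// xmltooling's or OpenSAML's API; it only models the two failure classes the
// advisory separates: input that is not well-formed, and input that is
// well-formed but violates the schema.
struct ParseError : std::runtime_error { using std::runtime_error::runtime_error; };
struct SchemaViolation : std::runtime_error { using std::runtime_error::runtime_error; };

// Returns the value of the mandatory "id" attribute of a <Message> root.
std::string parseMessage(const std::string& doc) {
    const std::string open = "<Message";
    const std::string close = "</Message>";
    // Toy well-formedness check: matching root start and end tags.
    if (doc.compare(0, open.size(), open) != 0 ||
        doc.size() < close.size() ||
        doc.compare(doc.size() - close.size(), close.size(), close) != 0) {
        throw ParseError("document is not well-formed");
    }
    // Toy schema rule: the root element must carry an id attribute.
    size_t tagEnd = doc.find('>');
    size_t attr = doc.find(" id=\"");
    if (attr == std::string::npos || attr > tagEnd) {
        throw SchemaViolation("Message element is missing required id attribute");
    }
    size_t valueStart = attr + 5;
    size_t valueEnd = doc.find('"', valueStart);
    if (valueEnd == std::string::npos) throw ParseError("unterminated attribute value");
    return doc.substr(valueStart, valueEnd - valueStart);
}

// Vulnerable shape: nothing between the handler and the thread's entry point
// catches SchemaViolation. In C++ an exception that escapes every frame calls
// std::terminate(), so one schema-invalid message takes the whole daemon down.
int handleRequestUnsafe(const std::string& doc) {
    std::string id = parseMessage(doc);  // may throw, and nobody catches it here
    return id.empty() ? 400 : 200;
}

// Hardened shape: a catch block at the request boundary maps every handler
// exception to an error response, so the process survives bad input.
int handleRequestSafe(const std::string& doc) {
    try {
        std::string id = parseMessage(doc);
        return id.empty() ? 400 : 200;
    } catch (const SchemaViolation& e) {
        std::fprintf(stderr, "rejecting schema-invalid message: %s\n", e.what());
        return 400;
    } catch (const std::exception& e) {
        std::fprintf(stderr, "rejecting unparseable message: %s\n", e.what());
        return 400;
    }
}

// Reports whether the unsafe handler lets an exception escape, which is
// exactly the condition that would crash a real server process.
bool unsafeHandlerLeaksException(const std::string& doc) {
    try {
        handleRequestUnsafe(doc);
        return false;
    } catch (const std::exception&) {
        return true;
    }
}

int main() {
    // Constructed sample inputs.
    const std::string valid   = "<Message id=\"abc123\">payload</Message>";
    const std::string invalid = "<Message>payload</Message>";   // well-formed, schema-invalid
    const std::string garbage = "<Message id=\"x\">payload";     // not well-formed
    std::printf("safe(valid)=%d safe(invalid)=%d safe(garbage)=%d unsafe leaks=%d\n",
                handleRequestSafe(valid), handleRequestSafe(invalid),
                handleRequestSafe(garbage), unsafeHandlerLeaksException(invalid));
    return 0;
}
```

The point for a reviewer of the real fix is the boundary: a long-running SP that parses attacker-supplied SAML must have a catch for every exception type its XML stack can raise before control returns to the request loop, because the unhandled-exception path in C++ is process termination, not a 400 response.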
Bug#793855: DoS, Shibboleth SP software crashes on well-formed but invalid XML (CVE-2015-0851)
We're already working on this with the Security Team. I wonder if I should prepare new packages (for {wheezy,jessie}-security) with the changelogs closing this bug. Or should it be closed by the unstable upload of 1.5.5?

The proposed security uploads can be found at http://apt.niif.hu/CVE-2015-0851/.

-- 
Regards,
Feri.
Bug#793855: DoS, Shibboleth SP software crashes on well-formed but invalid XML (CVE-2015-0851)
On Tuesday 28 July 2015 12:15:43 Ferenc Wagner wrote:
> We're already working on this with the Security Team. I wonder if I should
> prepare new packages (for {wheezy,jessie}-security) with the changelogs
> closing this bug. Or should it be closed by the unstable upload of 1.5.5?
>
> The proposed security uploads can be found at http://apt.niif.hu/CVE-2015-0851/.

Ok, just follow up with the Security Team then; they'll point you through the correct path.

I just filed this bug today as I realized the issue had initially been labeled with a wrong CVE and seemed to be untracked.

Cheers, Luca

-- 
 .''`.  ** Debian GNU/Linux ** | Luca Bruno (kaeso)
: :'  :   The Universal O.S.   | lucab (AT) debian.org
`. `'`                         | GPG: 0xBB1A3A854F3BBEBF
  `-     http://www.debian.org | Debian GNU/Linux Developer