[Bug 1926250] Re: CVE-2021-31826: Session recovery feature contains a null pointer deference

2021-06-10 Thread Etienne Dysli Metref
Patch for focal copied from Debian buster's 3.0.4 security fix. Please review! :) ** Patch added: "Patch for focal" https://bugs.launchpad.net/ubuntu/+source/shibboleth-sp/+bug/1926250/+attachment/5503831/+files/1-3.0.4+dfsg1-1ubuntu0.2.debdiff -- You received this bug notification because

[Bug 1926250] [NEW] CVE-2021-31826: Session recovery feature contains a null pointer deference

2021-04-27 Thread Etienne Dysli Metref
*** This bug is a security vulnerability *** Public security bug reported: Upstream advisory: https://shibboleth.net/community/advisories/secadv_20210426.txt -BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Shibboleth Service Provider Security Advisory [26 April 2021] An updated version of the

[Bug 1919419] Re: Phishing vulnerability: Template generation allows external parameters to override placeholders

2021-03-29 Thread Etienne Dysli Metref
Is there something missing from the proposed patch? -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1919419 Title: Phishing vulnerability: Template generation allows external parameters to override

[Bug 1919419] Re: Phishing vulnerability: Template generation allows external parameters to override placeholders

2021-03-22 Thread Etienne Dysli Metref
Assigned CVE: 2021-28963 https://security-tracker.debian.org/tracker/CVE-2021-28963 For some reason, the "link to CVE" on the right rejects "2021-28963"... ** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-28963

[Bug 1919419] Re: Template generation allows external parameters to override placeholders

2021-03-18 Thread Etienne Dysli Metref
Patch for focal copied from Debian buster's 3.0.4 security fix. ** Description changed: - Upstream has given advance warning that a security patch would be - released on 2021-03-17 (USA time). See - https://shibboleth.net/pipermail/users/2021-March/049488.html - - Details to be published at +

[Bug 1919419] Re: Template generation allows external parameters to override placeholders

2021-03-17 Thread Etienne Dysli Metref
** Bug watch added: Debian Bug tracker #985405 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985405 ** Also affects: shibboleth-sp (Debian) via https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985405 Importance: Unknown Status: Unknown

[Bug 1919419] Re: Template generation allows external parameters to override placeholders

2021-03-17 Thread Etienne Dysli Metref
** Information type changed from Private Security to Public Security

[Bug 1822069] Re: SRU: Shibboleth SPv3 for bionic

2019-04-18 Thread Etienne Dysli Metref
source package was renamed shibboleth-sp2 -> shibboleth-sp ** Changed in: shibboleth-sp2 (Ubuntu Cosmic) Status: New => Invalid

[Bug 1822069] Re: SRU: Shibboleth SPv3 for bionic

2019-04-18 Thread Etienne Dysli Metref
source package was renamed shibboleth-sp2 -> shibboleth-sp ** Changed in: shibboleth-sp2 (Ubuntu Bionic) Status: New => Invalid

[Bug 1822069] Re: SRU: Shibboleth SPv3 for bionic

2019-04-18 Thread Etienne Dysli Metref
version in disco is the target one ** Changed in: shibboleth-sp (Ubuntu Cosmic) Status: New => Fix Released

[Bug 1822069] Re: SRU: Shibboleth SPv3 for bionic

2019-04-18 Thread Etienne Dysli Metref
source package was renamed opensaml2 -> opensaml ** Changed in: opensaml2 (Ubuntu) Status: New => Invalid

[Bug 1822069] Re: SRU: Shibboleth SPv3 for bionic

2019-04-18 Thread Etienne Dysli Metref
source package was renamed opensaml2 -> opensaml ** Changed in: opensaml2 (Ubuntu Cosmic) Status: New => Invalid

[Bug 1822069] Re: SRU: Shibboleth SPv3 for bionic

2019-04-18 Thread Etienne Dysli Metref
source package was renamed opensaml2 -> opensaml ** Changed in: opensaml2 (Ubuntu Bionic) Status: New => Invalid

[Bug 1822069] Re: SRU: Shibboleth SPv3 for bionic

2019-04-18 Thread Etienne Dysli Metref
version in disco is the target one ** Changed in: opensaml (Ubuntu Cosmic) Status: New => Fix Released

[Bug 1822069] Re: SRU: Shibboleth SPv3 for bionic

2019-04-18 Thread Etienne Dysli Metref
version in disco is the target one ** Changed in: xml-security-c (Ubuntu Bionic) Status: New => Fix Released

[Bug 1822069] Re: SRU: Shibboleth SPv3 for bionic

2019-04-18 Thread Etienne Dysli Metref
version in disco is the target one ** Changed in: log4shib (Ubuntu) Status: New => Fix Released

[Bug 1822069] Re: SRU: Shibboleth SPv3 for bionic

2019-04-18 Thread Etienne Dysli Metref
version in disco is the target one ** Changed in: xml-security-c (Ubuntu) Status: New => Fix Released

[Bug 1822069] Re: SRU: Shibboleth SPv3 for bionic

2019-04-18 Thread Etienne Dysli Metref
version in disco is the target one ** Changed in: xmltooling (Ubuntu Bionic) Status: New => Fix Released

[Bug 1822069] Re: SRU: Shibboleth SPv3 for bionic

2019-04-18 Thread Etienne Dysli Metref
version in disco is the target one ** Changed in: log4shib (Ubuntu Cosmic) Status: New => Fix Released

[Bug 1822069] Re: SRU: Shibboleth SPv3 for bionic

2019-04-18 Thread Etienne Dysli Metref
version in disco is the target one ** Changed in: xmltooling (Ubuntu) Status: New => Fix Released

[Bug 1822069] Re: SRU: Shibboleth SPv3 for bionic

2019-04-18 Thread Etienne Dysli Metref
version in disco is the target one ** Changed in: shibboleth-resolver (Ubuntu) Status: New => Fix Released

[Bug 1822069] Re: SRU: Shibboleth SPv3 for bionic

2019-04-18 Thread Etienne Dysli Metref
version in disco is the target one ** Changed in: xmltooling (Ubuntu Cosmic) Status: New => Fix Released

[Bug 1822069] Re: SRU: Shibboleth SPv3 for bionic

2019-04-18 Thread Etienne Dysli Metref
version in disco is the target one ** Changed in: log4shib (Ubuntu Bionic) Status: New => Fix Released

[Bug 1822069] Re: SRU: Shibboleth SPv3 for bionic

2019-04-18 Thread Etienne Dysli Metref
version in disco is the target one ** Changed in: xml-security-c (Ubuntu Cosmic) Status: New => Fix Released

[Bug 1822069] Re: SRU: Shibboleth SPv3 for bionic

2019-04-18 Thread Etienne Dysli Metref
version in disco is the target one ** Changed in: shibboleth-resolver (Ubuntu Bionic) Status: New => Fix Released

[Bug 1822069] Re: SRU: Shibboleth SPv3 for bionic

2019-04-18 Thread Etienne Dysli Metref
version in disco is the target one ** Changed in: shibboleth-resolver (Ubuntu Cosmic) Status: New => Fix Released

[Bug 1822069] Re: SRU: Shibboleth SPv3 for bionic

2019-04-18 Thread Etienne Dysli Metref
version in disco is the target one

Re: [Bug 1822069] Re: SRU: Shibboleth SPv3 for bionic

2019-04-16 Thread Etienne Dysli Metref
On 16/04/2019 11.31, Robie Basak wrote: >> Can you explain how the new soname is a problem? I think it >> clearly separates the new and old libraries. > > We can't delete the old library from Bionic, so the new and old must > exist concurrently. Therefore you can't just upload a replacement >

[Bug 1822069] Re: SRU: Shibboleth SPv3 for bionic

2019-04-16 Thread Etienne Dysli Metref
Anyway, thank you very much Robie for your help so far! :D I really appreciate it.

Re: [Bug 1822069] Re: SRU: Shibboleth SPv3 for bionic

2019-04-16 Thread Etienne Dysli Metref
On 15/04/2019 16.51, Robie Basak wrote: > I'm afraid that this is going to be too time consuming for me to > review - there seem to be additional complications the more I look > into it (eg. Cosmic and the new soname as you mention above). Based > on previous experience I think that the technical

[Bug 1823325] Re: Sync opensaml 3.0.1-1 (universe) from Debian unstable (main)

2019-04-12 Thread Etienne Dysli Metref
Upstream's release notes for this version are unfortunately empty, but the git log contains: commit 2962366d07003ac8edc8734417e7a5962c635686 (tag: 3.0.1, upstream/master, origin/master, master) Author: Scott Cantor Date: Thu Feb 21 15:18:04 2019 -0500 Bump version. config_win32.h

[Bug 1822069] Re: SRU: Shibboleth SPv3 for bionic

2019-04-10 Thread Etienne Dysli Metref
I've looked at the changes (git log) in opensaml2-tools and xml-security-c-utils to find out whether the programs they provide had changed, but apparently there are only internal changes, nothing changing the CLI. The man pages didn't change either. Neither the release notes for xml-security-c

[Bug 1822069] Re: SRU: Shibboleth SPv3 for bionic

2019-04-10 Thread Etienne Dysli Metref
Regarding #10: > Usage of the libraries for other purposes is generally not supported. "not supported" here means not supported by upstream developers -- i.e. the Shibboleth project -- and isn't meant as a license to break other packages in bionic.

[Bug 1822069] Re: SRU: Shibboleth SPv3 for bionic

2019-04-09 Thread Etienne Dysli Metref
** Also affects: shibboleth-resolver (Ubuntu) Importance: Undecided Status: New ** Description changed: [Impact] Bionic released with version 2 of the Shibboleth Service Provider (and its accompanying dependencies) and with OpenSSL 1.1. However, the SPv2 isn't compatible

[Bug 1822069] Re: SRU: Shibboleth SPv3 for bionic

2019-04-09 Thread Etienne Dysli Metref
> I cannot further comment on the impact upon Moonshot-related packages, but I can ask their Debian maintainer if needed. So I asked Sam Hartman on the pkg-shibboleth-devel list and he replied: > So, there was a new release of shibboleth-resolver along with the 3.x SP. > I'm not sure whether the

[Bug 1822069] Re: SRU: Shibboleth SPv3 for bionic

2019-04-08 Thread Etienne Dysli Metref
Hi Robie, Thank you for taking the time to review this SRU. I've considered the use cases of Shibboleth packages and searched for reverse dependencies and here is what I can say. All five source packages are maintained by Shibboleth project developers as components of the Shibboleth Service

[Bug 1822069] Re: SRU: Shibboleth SPv3 for bionic

2019-04-05 Thread Etienne Dysli Metref
** Description changed: [Impact] Bionic released with version 2 of the Shibboleth Service Provider (and its accompanying dependencies) and with OpenSSL 1.1. However, the SPv2 isn't compatible with OpenSSL 1.1, only 1.0 (and earlier), and was therefore shipped compiled against 1.0.

[Bug 1823325] [NEW] Sync opensaml 3.0.1-1 (universe) from Debian unstable (main)

2019-04-05 Thread Etienne Dysli Metref
Public bug reported: Please sync opensaml 3.0.1-1 (universe) from Debian unstable (main) Changelog entries since current disco version 3.0.0-2: opensaml (3.0.1-1) unstable; urgency=medium * [d1daef5] Revert "Temporarily ignore build test failures" * [792ec83] New upstream release: 3.0.1

[Bug 1822069] Re: SRU: Shibboleth SPv3 for bionic

2019-03-28 Thread Etienne Dysli Metref
** Tags added: bionic

[Bug 1822069] Re: SRU: Shibboleth SPv3 for bionic

2019-03-28 Thread Etienne Dysli Metref
The backported packages install and upgrade cleanly on bionic, tested with `piuparts -b /var/cache/pbuilder/base-bionic-amd64.tgz --distribution=bionic --keep-sources-list --arch=amd64 -D ubuntu --shell-on-error --single-changes-list log4shib_2.0.0-2~ubuntu18.04.1_amd64.changes xml-security-

[Bug 1822069] Re: SRU: Shibboleth SPv3 for bionic

2019-03-28 Thread Etienne Dysli Metref
Package shibboleth-sp 3.0.3+dfsg1-1 from disco needs a revert from debhelper compat level 12 to 11. No other changes are required to build on bionic. ** Patch added: "shibboleth-sp_1-3.0.3+dfsg1-1~ubuntu18.04.1.debdiff"

[Bug 1822069] Re: SRU: Shibboleth SPv3 for bionic

2019-03-28 Thread Etienne Dysli Metref
Would someone please review and sponsor this SRU?

[Bug 1822069] Re: SRU: Shibboleth SPv3 for bionic

2019-03-28 Thread Etienne Dysli Metref
Package opensaml 3.0.0-2 builds without changes on bionic, tested with `backportpackage --destination=bionic --source=disco --build --builder=cowbuilder --key=0x6965D453D81531AD opensaml`. ** Patch added: "opensaml_1-3.0.0-2~ubuntu18.04.1.debdiff"

[Bug 1822069] Re: SRU: Shibboleth SPv3 for bionic

2019-03-28 Thread Etienne Dysli Metref
Package xmltooling 3.0.4-1 from disco builds without changes on bionic, tested with `backportpackage --destination=bionic --source=disco --build --builder=cowbuilder --key=0x6965D453D81531AD xmltooling`. ** Patch added: "xmltooling_1-3.0.4-1~ubuntu18.04.1.debdiff"

[Bug 1822069] Re: SRU: Shibboleth SPv3 for bionic

2019-03-28 Thread Etienne Dysli Metref
Package xml-security-c 2.0.2-3 from disco builds without changes on bionic, tested with `backportpackage --destination=bionic --source=disco --build --builder=cowbuilder --key=0x6965D453D81531AD xml-security-c` ** Also affects: log4shib (Ubuntu) Importance: Undecided Status: New **

[Bug 1822069] Re: SRU: Shibboleth SPv3 for bionic

2019-03-28 Thread Etienne Dysli Metref
Package log4shib 2.0.0.-2 from disco builds without changes on bionic, tested with `backportpackage --destination=bionic --source=disco --build --builder=cowbuilder --key=0x6965D453D81531AD log4shib`. ** Patch added: "log4shib_1-2.0.0-2~ubuntu18.04.1.debdiff"

[Bug 1822069] [NEW] SRU: Shibboleth SPv3 for bionic

2019-03-28 Thread Etienne Dysli Metref
Public bug reported: [Impact] Bionic released with version 2 of the Shibboleth Service Provider (and its accompanying dependencies) and with OpenSSL 1.1. However, the SPv2 isn't compatible with OpenSSL 1.1, only 1.0 (and earlier), and was therefore shipped compiled against 1.0. This created a

[Bug 1822055] [NEW] Sync shibboleth-sp 3.0.4+dfsg1-1 (universe) from Debian unstable (main)

2019-03-28 Thread Etienne Dysli Metref
Public bug reported: Please sync shibboleth-sp 3.0.4+dfsg1-1 (universe) from Debian unstable (main) Changelog entries since current disco version 3.0.3+dfsg1-1: shibboleth-sp (3.0.4+dfsg1-1) unstable; urgency=medium * [f284741] New upstream release: 3.0.4 * [095e478] Refresh our patches

[Bug 1819912] Re: CVE-2019-9628 XML parser class fails to trap exceptions on malformed XML declaration

2019-03-26 Thread Etienne Dysli Metref
Thank you for your help Eduardo! :D

[Bug 1819912] Re: CVE-2019-9628 XML parser class fails to trap exceptions on malformed XML declaration

2019-03-25 Thread Etienne Dysli Metref
So I tested the following on bionic, xenial and trusty (amd64): a) piuparts install-purge and install-upgrade-purge tests b) In the corresponding Docker container: 1. Install the whole Shibboleth SPv2 from the distribution's repositories apt install libapache2-mod-shib2 libxmltooling-dev

[Bug 1819912] Re: CVE-2019-9628 XML parser class fails to trap exceptions on malformed XML declaration

2019-03-25 Thread Etienne Dysli Metref
Hi Eduardo, I downloaded the debs from bionic's amd64 build and successfully ran piuparts (install-purge and install-upgrade-purge tests) on them. Is that the level of testing you expected? If yes, then I'll do the same with debs for xenial and trusty.

[Bug 1819912] Re: CVE-2019-9628 XML parser class fails to trap exceptions on malformed XML declaration

2019-03-20 Thread Etienne Dysli Metref
Here is a patch for xmltooling in xenial. Can someone review and sponsor it please? ** Patch added: "patch for xmltooling 1.5.6 in xenial" https://bugs.launchpad.net/ubuntu/+source/xmltooling/+bug/1819912/+attachment/5247756/+files/1-1.5.6-2ubuntu0.3.debdiff