Accepted shibboleth-sp2 2.6.0+dfsg1-4+deb9u2 (source) into oldstable
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 18 Mar 2021 22:30:40 +0100
Source: shibboleth-sp2
Binary: libapache2-mod-shib2 libshibsp7 libshibsp-plugins libshibsp-dev libshibsp-doc shibboleth-sp2-common shibboleth-sp2-utils
Architecture: source
Version: 2.6.0+dfsg1-4+deb9u2
Distribution: stretch-security
Urgency: high
Maintainer: Debian Shib Team <pkg-shibboleth-devel@lists.alioth.debian.org>
Changed-By: Ferenc Wágner <wferi@debian.org>
Description:
libapache2-mod-shib2 - Federated web single sign-on system (Apache module)
libshibsp-dev - Federated web single sign-on system (development)
libshibsp-doc - Federated web single sign-on system (API docs)
libshibsp-plugins - Federated web single sign-on system (plugins)
libshibsp7 - Federated web single sign-on system (runtime)
shibboleth-sp2-common - Federated web single sign-on system (common files)
shibboleth-sp2-utils - Federated web single sign-on system (daemon and utilities)
Closes: 985405
Changes:
shibboleth-sp2 (2.6.0+dfsg1-4+deb9u2) stretch-security; urgency=high
.
* [9166b92] New patch: SSPCPP-922 - Add externalParameters option to Errors
element.
Fix a phishing vulnerability: Template generation allows external
parameters to override placeholders
The primitive template engine used to render error pages allows
replacement via query parameters also, though this is not a typical
need. Because of this feature, it's possible to cause the SP to
display some templates containing values supplied externally by URL
manipulation. Though the values are encoded to prevent script
injection, the content nevertheless appears to come from the server
and so would be interpreted as trustworthy, allowing email addresses,
logos, or support URLs to be manipulated by an attacker.
This update adds a new <Errors> setting to the configuration called
externalParameters, which defaults to false. When false, support for
this "feature" is disabled.
https://shibboleth.net/community/advisories/secadv_20210317.txt
https://issues.shibboleth.net/jira/browse/SSPCPP-922
Thanks to Scott Cantor (Closes: #985405)
Checksums-Sha1:
1c6ad8377205fbc1313b2bbd3bb5e11a2ba43ae5 2901 shibboleth-sp2_2.6.0+dfsg1-4+deb9u2.dsc
679ec7980f198a5d2aa25f3f2a864b6a939d5dcb 83940 shibboleth-sp2_2.6.0+dfsg1-4+deb9u2.debian.tar.xz
7141f2eba9a95a2eed561d766d7d63ac8406a34c 13471 shibboleth-sp2_2.6.0+dfsg1-4+deb9u2_amd64.buildinfo
Checksums-Sha256:
9c89e72f59dc8dadb12827017ed8fbfe19bba332db880fe9d4d216aac3d67051 2901 shibboleth-sp2_2.6.0+dfsg1-4+deb9u2.dsc
6cb5e0a78d6e18c113f99718aa31b8665170c1eb6d6301e82d1fb763093048b4 83940 shibboleth-sp2_2.6.0+dfsg1-4+deb9u2.debian.tar.xz
03ea80552ebe20d435fd085c1754e07c343c41b084c157c7586ef4803e743173 13471 shibboleth-sp2_2.6.0+dfsg1-4+deb9u2_amd64.buildinfo
Files:
f253b52fbb3244458667aa01272dd884 2901 web extra shibboleth-sp2_2.6.0+dfsg1-4+deb9u2.dsc
ab005c39a6e9355d3977a0311ea4073e 83940 web extra shibboleth-sp2_2.6.0+dfsg1-4+deb9u2.debian.tar.xz
10575078af09e4a5ee9030fb642b977c 13471 web extra shibboleth-sp2_2.6.0+dfsg1-4+deb9u2_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEwddEx0RNIUL7eugtOsj3Fkd+2yMFAmBTzKIACgkQOsj3Fkd+
2yPpTg/9F3oWvyPAgvNeMkRSlD5cR2bqj+7O3GcPbBLakk0I06mHlgOmC8vWPoC5
ymelzAnh0I9VeL0A5kRiH8YdlthwLnqQ0Ohibt/pTIB1D2UWFHjHCI27MBfDvoZL
C4Ogqtg1hXxeNW6X3LrK4wJTqb6HFVM+KDWNvV4ikyy+RggEWMHzcFePr7NebZIu
qSRupc1jmUvc4GzPCWWDWpTtqwNRiAqC3oahHI9OeCUKMCb4kzZwISfCpxujotb2
EolyEap1wBjtnFBi+gypyzSoU8aDR1sOtMTGvUPHSjwApsFb0yy1Qbm9JlAoI5Lc
0DExpfvFXUwrkNPTRNeTgpX/R4+F55MXDzPwKyMmYpPyIsyKeJdbRoTWB7LuHwuk
SvhL23sUMKXQPtJ5BClUbZRJ44Gkdw/+DCBoKpFlix8nOnyBmzlXTBEmhHpM09++
7zlbxXyeMh7IgbUoqei5HtS0hK/Xt6nnmZVyfEETS9wnrR13bogGAbf1dCYTq1a0
IZFGWyaf3dPuYYva7BH0DgW9nONr1YlcT5a77yjUAT1aF3yxG9nNiA4gMZLVTo6i
kLtjfbd3A7HbyuTdrkzVy7D01rzACD4c/ALUXxP02JsA68GELL/rJwrWV2GE62yZ
PWIPZJH2WPp54qhkwYRp+Kfrq9yD4jGte7AEyuvEiwWt2zW3c3A=
=dx7z
-----END PGP SIGNATURE-----
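To make the changelog entry above concrete, the following is an added Python model of the template-rendering behaviour it describes; it is not code from the Shibboleth SP (which is C++), from Debian, or from this upload. The `<shibmlp name/>` placeholder syntax is the one used in the SP's error templates, but the template text, the lookup order (request query parameter, then per-error properties, then the `<Errors>` element attributes), the attribute names and the attacker's query string are all assumptions constructed for this example. It shows why HTML-encoding alone is not a fix: the attacker-controlled support address and help URL survive encoding intact and are served from the SP's own origin, while script injection is blocked. Setting `external_parameters=False` models the new `externalParameters` default.

```python
import html
import re
from urllib.parse import parse_qs

# Constructed error template (the real SP ships its own HTML templates).
# <shibmlp name/> is the SP's placeholder markup; everything else is made up.
ERROR_TEMPLATE = """<html><body>
<h1>Authentication failed</h1>
<p>Please contact <a href="mailto:<shibmlp supportContact/>"><shibmlp supportContact/></a>
for assistance, or see <a href="<shibmlp helpLocation/>">the help page</a>.</p>
<p><shibmlp errorText/></p>
</body></html>"""

PLACEHOLDER = re.compile(r"<shibmlp\s+(\w+)\s*/>")

# Assumed <Errors> element settings from shibboleth2.xml (constructed values).
ERRORS_CONFIG = {"supportContact": "root@localhost", "helpLocation": "/about.html"}

# Assumed per-error properties supplied by the SP when it raises the error.
ERROR_PROPS = {"errorText": "Unable to locate metadata for identity provider"}

# Constructed attacker query string: rewrites the contact address and help
# link to phishing targets and also tries a script payload.
ATTACK_QUERY = (
    "supportContact=helpdesk%40attacker.example"
    "&helpLocation=https%3A%2F%2Fattacker.example%2Freset-password"
    "&errorText=%3Cscript%3Ealert(1)%3C%2Fscript%3E"
)


def render_error(template, error_props, query_string, errors_config, external_parameters):
    """Substitute <shibmlp name/> placeholders in an error template.

    Assumed lookup order (model, not the SP's exact code):
      1. request query parameter, only if external_parameters is True
      2. per-error properties set by the SP
      3. attributes of the <Errors> configuration element
    Every substituted value is HTML-encoded, as the advisory notes the SP does.
    """
    query = {k: v[0] for k, v in parse_qs(query_string, keep_blank_values=True).items()}

    def lookup(name):
        if external_parameters and name in query:
            return query[name]
        if name in error_props:
            return error_props[name]
        return errors_config.get(name, "")

    return PLACEHOLDER.sub(lambda m: html.escape(lookup(m.group(1)), quote=True), template)


def render_vulnerable():
    # Pre-fix behaviour: query parameters override placeholders.
    return render_error(ERROR_TEMPLATE, ERROR_PROPS, ATTACK_QUERY, ERRORS_CONFIG,
                        external_parameters=True)


def render_hardened():
    # Behaviour with externalParameters="false" (the new default).
    return render_error(ERROR_TEMPLATE, ERROR_PROPS, ATTACK_QUERY, ERRORS_CONFIG,
                        external_parameters=False)


if __name__ == "__main__":
    print("--- externalParameters=true (vulnerable) ---")
    print(render_vulnerable())
    print("--- externalParameters=false (default after fix) ---")
    print(render_hardened())
```

Running it shows the point of the advisory: in the vulnerable rendering the script payload comes out as `&lt;script&gt;...`, so there is no XSS, but the page still tells the user to mail helpdesk@attacker.example and links to the attacker's password-reset URL under the SP's own hostname. With external parameters ignored, the configured root@localhost and /about.html values are rendered regardless of the query string.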