Accepted xml-security-c 1.7.3-4+deb9u2 (source) into oldstable-proposed-updates->oldstable-new, oldstable-proposed-updates
Format: 1.8
Date: Mon, 10 Dec 2018 11:45:41 +0100
Source: xml-security-c
Binary: libxml-security-c17v5 libxml-security-c-dev xml-security-c-utils
Architecture: source
Version: 1.7.3-4+deb9u2
Distribution: stretch
Urgency: medium
Maintainer: Debian Shib Team <pkg-shibboleth-devel@lists.alioth.debian.org>
Changed-By: Ferenc Wágner <wferi@debian.org>
Description:
libxml-security-c-dev - C++ library for XML Digital Signatures (development)
libxml-security-c17v5 - C++ library for XML Digital Signatures (runtime)
xml-security-c-utils - C++ library for XML Digital Signatures (utilities)
Closes: 913136
Changes:
xml-security-c (1.7.3-4+deb9u2) stretch; urgency=medium
.
* [12dd825] New patches: DSA verification crashes OpenSSL on invalid
combinations of key content.
Particular KeyInfo combinations result in incomplete DSA key structures
that OpenSSL can't handle without crashing. In the case of Shibboleth
SP software this manifests as a crash in the shibd daemon. Exploitation
is believed to be possible only in deployments employing the PKIX trust
engine, which is generally recommended against.
The upstream patches backported from 2.0.2 apply analogous safeguards to
the RSA and ECDSA key handling as well.
Upstream bug: https://issues.apache.org/jira/browse/SANTUARIO-496
CVE: not assigned
Thanks to Scott Cantor (Closes: #913136)
Checksums-Sha1:
2c639df51781cdf4e80d85e4fa209d773924ec97 2336 xml-security-c_1.7.3-4+deb9u2.dsc
6a3639388f0753a6609e9e73185f7c8f5b51123f 44616 xml-security-c_1.7.3-4+deb9u2.debian.tar.xz
f46ec85984a85d3d566af9dee7c12299c5bbc8b8 8227 xml-security-c_1.7.3-4+deb9u2_amd64.buildinfo
Checksums-Sha256:
16a9ef4bc97669f983a2a6a55b8c1ec72411626e8703679040ec9284744613a0 2336 xml-security-c_1.7.3-4+deb9u2.dsc
32857112f5e7f9749942bb3dda48b95e0ebf2dd641eb9d722a05df91bd154db3 44616 xml-security-c_1.7.3-4+deb9u2.debian.tar.xz
26b9c4e41efc2d2f750ee4659f9981f1e6219226d46d35b9e6d156e7307ac0f8 8227 xml-security-c_1.7.3-4+deb9u2_amd64.buildinfo
Files:
a8a3f91717e40cc211f2d98238dfa741 2336 libs extra xml-security-c_1.7.3-4+deb9u2.dsc
09f9989d01f25072fc9ae346c9229695 44616 libs extra xml-security-c_1.7.3-4+deb9u2.debian.tar.xz
eb6d896be8ed30de26512aeca464e662 8227 libs extra xml-security-c_1.7.3-4+deb9u2_amd64.buildinfo