
Accepted xmltooling 3.2.4-1 (source) into unstable



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 14 Jun 2023 22:04:20 +0200
Source: xmltooling
Architecture: source
Version: 3.2.4-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Shib Team <pkg-shibboleth-devel@alioth-lists.debian.net>
Changed-By: Ferenc Wágner <wferi@debian.org>
Closes: 1037948
Changes:
 xmltooling (3.2.4-1) unstable; urgency=medium
 .
   * [f89bdd8] New upstream release: 3.2.4
     SECURITY: corrects a server-side request forgery (SSRF) vulnerability.
     From https://shibboleth.net/community/advisories/secadv_20230612.txt:
     # Parsing of KeyInfo elements can cause remote resource access
     Including certain legal but "malicious in intent" content in the
     KeyInfo element defined by the XML Signature standard will result
     in attempts by the SP's shibd process to dereference untrusted URLs.
     While the content of the URL must be supplied within the message
     and does not include any SP internal state or dynamic content,
     there is at minimum a risk of denial of service, and the attack
     could be combined with others to create more serious vulnerabilities
     in the future. (Closes: #1037948)
   * [79533dd] Delete upstreamed patch
   * [6ae406d] Remove Etienne Dysli Metref from Uploaders.
     Thanks for your work, Etienne, and best wishes for your future
     endeavors!

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----