Accepted xmltooling 3.2.3-1+deb12u1 (source) into proposed-updates
- To: debian-changes@lists.debian.org
- Subject: Accepted xmltooling 3.2.3-1+deb12u1 (source) into proposed-updates
- From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
- Date: Sat, 24 Jun 2023 14:33:04 +0000
- Debian: DAK
- Debian-architecture: source
- Debian-archive-action: accept
- Debian-changes: xmltooling_3.2.3-1+deb12u1_source.changes
- Debian-source: xmltooling
- Debian-suite: proposed-updates
- Debian-version: 3.2.3-1+deb12u1
- Mail-followup-to: debian-devel@lists.debian.org
- Message-id: <E1qD4K0-005zXC-Nd@fasolo.debian.org>
- Reply-to: debian-devel@lists.debian.org
Format: 1.8
Date: Wed, 14 Jun 2023 18:52:03 +0200
Source: xmltooling
Architecture: source
Version: 3.2.3-1+deb12u1
Distribution: bookworm-security
Urgency: high
Maintainer: Debian Shib Team <pkg-shibboleth-devel@alioth-lists.debian.net>
Changed-By: Ferenc Wágner <wferi@debian.org>
Closes: 1037948
Changes:
xmltooling (3.2.3-1+deb12u1) bookworm-security; urgency=high
.
  * [9e43891] New patch: CPPXT-157 - Install blocking URI resolver into Santuario.
    Fix a denial of service vulnerability: Parsing of KeyInfo elements can cause remote resource access.
    Including certain legal but "malicious in intent" content in the KeyInfo element defined by the XML Signature standard will result in attempts by the SP's shibd process to dereference untrusted URLs.
    While the content of the URL must be supplied within the message and does not include any SP internal state or dynamic content, there is at minimum a risk of denial of service, and the attack could be combined with others to create more serious vulnerabilities in the future.
    Thanks to Scott Cantor for the fix. (Closes: #1037948)
Checksums-Sha1:
Checksums-Sha256:
Files: