Bug#948715: stretch-pu: package xml-security-c/1.7.3-4+deb9u1

To: Ferenc Wágner <wferi@debian.org>, 948715@bugs.debian.org
Subject: Bug#948715: stretch-pu: package xml-security-c/1.7.3-4+deb9u1
From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
Date: Tue, 28 Jan 2020 08:42:50 +0000
Message-id: <[🔎] 478ad2b2dd57acaf0e6ea5d627145979@mail.adam-barratt.org.uk>
Reply-to: "Adam D. Barratt" <adam@adam-barratt.org.uk>, 948715@bugs.debian.org
In-reply-to: <[🔎] 157883999376.30506.12999017974103766018.reportbug@lant.ki.iif.hu>
References: <[🔎] 157883999376.30506.12999017974103766018.reportbug@lant.ki.iif.hu> <[🔎] 157883999376.30506.12999017974103766018.reportbug@lant.ki.iif.hu>

Control: tags -1 + confirmed

On 2020-01-12 14:39, Ferenc Wágner wrote:

+xml-security-c (1.7.3-4+deb9u2) stretch; urgency=medium
+
+  * [12dd825] New patches: DSA verification crashes OpenSSL on invalid
+    combinations of key content.
+ Particular KeyInfo combinations result in incomplete DSA keystructures+ that OpenSSL can't handle without crashing. In the case ofShibboleth+ SP software this manifests as a crash in the shibd daemon.Exploitation+ is believed to be possible only in deployments employing the PKIXtrust
+    engine, which is generally recommended against.
+ The upstream patches backported from 2.0.2 apply analogoussafeguards to
+    the RSA and ECDSA key handling as well.


Please go ahead.

Regards,

Adam

Reply to:

Follow-Ups:
- Bug#948715: stretch-pu: package xml-security-c/1.7.3-4+deb9u1
  - From: wferi@niif.hu

References:
- Bug#948715: stretch-pu: package xml-security-c/1.7.3-4+deb9u1
  - From: Ferenc Wágner <wferi@debian.org>

Prev by Date: Processed: Re: Bug#948653: stretch-pu: package mod-gnutls/0.8.2-3+deb9u1
Next by Date: Processed: Re: Bug#948715: stretch-pu: package xml-security-c/1.7.3-4+deb9u1
Previous by thread: Bug#948715: stretch-pu: package xml-security-c/1.7.3-4+deb9u1
Next by thread: Bug#948715: stretch-pu: package xml-security-c/1.7.3-4+deb9u1
Index(es):
- Date
- Thread