Accepted xmltooling 1.6.0-4+deb9u2 (source) into proposed-updates->stable-new, proposed-updates
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 12 Mar 2019 13:40:20 +0100
Source: xmltooling
Binary: libxmltooling7 libxmltooling-dev xmltooling-schemas libxmltooling-doc
Architecture: source
Version: 1.6.0-4+deb9u2
Distribution: stretch-security
Urgency: high
Maintainer: Debian Shib Team <pkg-shibboleth-devel@lists.alioth.debian.org>
Changed-By: Ferenc Wágner <wferi@debian.org>
Description:
libxmltooling-dev - C++ XML parsing library with encryption support (development)
libxmltooling-doc - C++ XML parsing library with encryption support (API docs)
libxmltooling7 - C++ XML parsing library with encryption support (runtime)
xmltooling-schemas - XML schemas for XMLTooling
Closes: 924346
Changes:
xmltooling (1.6.0-4+deb9u2) stretch-security; urgency=high
.
* [2f0c065] New patch fixing CVE-2019-9628: uncaught exception on malformed
  XML declaration.
  Invalid data in the XML declaration causes an exception of a type
  that was not handled properly in the parser class and propagates an
  unexpected exception type.
  This generally manifests as a crash in the calling code, which in the
  Service Provider software's case is usually the shibd daemon process,
  but can be Apache in some cases. Note that the crash occurs prior to
  evaluation of a message's authenticity, so can be exploited by an
  untrusted attacker.
  https://shibboleth.net/community/advisories/secadv_20190311.txt
  https://issues.shibboleth.net/jira/browse/CPPXT-143
  Thanks to Scott Cantor (Closes: #924346)
Checksums-Sha1:
bf6bf956fc3012b0acee1bac4f013f951e7b9dac 2491 xmltooling_1.6.0-4+deb9u2.dsc
e6d3e6d474b1bcb75456d1a042ac0eb18bcc67be 73544 xmltooling_1.6.0-4+deb9u2.debian.tar.xz
a006286edf5829d2664ff81ed2a86c53726f406d 10312 xmltooling_1.6.0-4+deb9u2_amd64.buildinfo
Checksums-Sha256:
b43977f04b17fa63da1bb6bf49cbb241e1043c4ad38f4983f97caa2038e52ae8 2491 xmltooling_1.6.0-4+deb9u2.dsc
729e06f8429c4793deb28188e5138ac2a74df7025c685ab0b45557a0af93d2cd 73544 xmltooling_1.6.0-4+deb9u2.debian.tar.xz
f1661f18a4d5778fa535e131ce502126934841ad5351b3e5333ea2f33f7d54ea 10312 xmltooling_1.6.0-4+deb9u2_amd64.buildinfo
Files:
b0b91ca7c4c4d15a0d6d5a4b053e5864 2491 libs extra xmltooling_1.6.0-4+deb9u2.dsc
036129e212c16c33c148d3cf158402c7 73544 libs extra xmltooling_1.6.0-4+deb9u2.debian.tar.xz
f1d8254ce793b1b469696c3b02673108 10312 libs extra xmltooling_1.6.0-4+deb9u2_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----