
Bug#548126: pu: package opensaml2/2.0-2+lenny1



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: pu

The Shibboleth suite of software and libraries, which includes xmltooling,
opensaml2, and shibboleth-sp2, has had several vulnerabilities announced
over the past month and a half.  Most of those are in xmltooling and are
being handled in conjunction with the Debian Security Team.  However, part
of one of the more minor fixes is in opensaml2, and at the recommendation
of the security team, I'm proposing that change through the stable update
process.

Attached is the debdiff against the version currently in stable.

Please note that this fix is in a header file in a function that's
inlined, so after this update is accepted (assuming it's accepted),
shibboleth-sp2 in stable will need to be rebuilt against the new version
of opensaml2.  I understand that this can be done via the proposed-updates
mechanism with a binary NMU.

Please let me know if I should go ahead and upload this package.

-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.30-1-686-bigmem (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -u opensaml2-2.0/debian/changelog opensaml2-2.0/debian/changelog
--- opensaml2-2.0/debian/changelog
+++ opensaml2-2.0/debian/changelog
@@ -1,3 +1,13 @@
+opensaml2 (2.0-2+lenny1) stable; urgency=high
+
+  * SECURITY: Correctly honor the "use" attribute of <KeyDescriptor> SAML
+    metadata to honor restrictions to signing or encryption.  This is a
+    partial fix; the complete fix also requires a new version of the
+    xmltooling library.
+    See <http://shibboleth.internet2.edu/secadv/secadv_20090817a.txt>
+
+ -- Russ Allbery <rra@debian.org>  Wed, 23 Sep 2009 15:32:12 -0700
+
 opensaml2 (2.0-2) unstable; urgency=low
 
   * Include fix for https://bugs.internet2.edu/jira/browse/CPPOST-7
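Review bot: the new changelog entry says the complete fix also requires a new xmltooling but names no version, so a stable user reading this entry cannot tell which xmltooling they need alongside 2.0-2+lenny1; state the fixed xmltooling version (or the DSA that ships it) next to the secadv URL, e.g. "requires xmltooling >= <version>".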
only in patch2:
unchanged:
--- opensaml2-2.0.orig/saml/saml2/metadata/MetadataCredentialCriteria.h
+++ opensaml2-2.0/saml/saml2/metadata/MetadataCredentialCriteria.h
@@ -1,5 +1,5 @@
 /*
- *  Copyright 2001-2007 Internet2
+ *  Copyright 2001-2009 Internet2
  * 
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -64,10 +64,10 @@
                 const MetadataCredentialContext* context = dynamic_cast<const MetadataCredentialContext*>(credential.getCredentalContext());
                 if (context) {
                     // Check for a usage mismatch.
-                    if ((getUsage() | (xmltooling::Credential::SIGNING_CREDENTIAL & xmltooling::Credential::TLS_CREDENTIAL)) &&
+                    if ((getUsage() & (xmltooling::Credential::SIGNING_CREDENTIAL | xmltooling::Credential::TLS_CREDENTIAL)) &&
                             XMLString::equals(context->getKeyDescriptor().getUse(),KeyDescriptor::KEYTYPE_ENCRYPTION))
                         return false;
-                    else if ((getUsage() | xmltooling::Credential::ENCRYPTION_CREDENTIAL) &&
+                    else if ((getUsage() & xmltooling::Credential::ENCRYPTION_CREDENTIAL) &&
                             XMLString::equals(context->getKeyDescriptor().getUse(),KeyDescriptor::KEYTYPE_SIGNING))
                         return false;
                 }
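Review bot: the two `+` lines now test bit membership correctly, but when getUsage() returns zero (an unspecified usage) both `&` expressions are zero, so a KeyDescriptor with any use value is accepted; confirm that an unqualified lookup is meant to match encryption-only and signing-only keys alike, and extend the "Check for a usage mismatch." comment to say so. For the record of why this is a security fix: with the old `|`, the first left operand was nonzero for any nonzero usage and the second was nonzero always, so the `use` string comparison alone decided the outcome and no usage restriction was actually compared against the lookup. Since this is an inline function in a public header, the corrected condition only takes effect in dependents once they are rebuilt, as the report notes.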

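To make the "use" attribute check described in this report concrete, here is an added example (not code from the opensaml2 package or from the debdiff): the pre- and post-patch predicates re-implemented standalone over assumed flag values, then compared exhaustively against the intended rule. The flag values 1/2/4 and the helper names are assumptions of this example; xmltooling's real constants are distinct bits (the patch ORs SIGNING_CREDENTIAL and TLS_CREDENTIAL together), but the exact numbers are not on this page.

```cpp
// Added example, not opensaml2 code: the old and new usage-mismatch
// predicates side by side, checked over every (usage, use) combination.
#include <cstring>
#include <iostream>

// Assumed flag values. xmltooling::Credential defines these as distinct
// bits (the patch ORs SIGNING and TLS together); 1/2/4 is an assumption.
enum Usage : unsigned { UNSPECIFIED = 0, SIGNING = 1, TLS = 2, ENCRYPTION = 4 };

// Stand-in for KeyDescriptor::getUse(): nullptr when the attribute is absent.
static bool useIs(const char* use, const char* want) {
    return use != nullptr && std::strcmp(use, want) == 0;
}

// Pre-patch predicate: '|' with the mask written as SIGNING & TLS.
bool acceptBuggy(unsigned usage, const char* use) {
    if ((usage | (SIGNING & TLS)) && useIs(use, "encryption"))
        return false;
    else if ((usage | ENCRYPTION) && useIs(use, "signing"))
        return false;
    return true;
}

// Post-patch predicate: '&' with the mask written as SIGNING | TLS.
bool acceptFixed(unsigned usage, const char* use) {
    if ((usage & (SIGNING | TLS)) && useIs(use, "encryption"))
        return false;
    else if ((usage & ENCRYPTION) && useIs(use, "signing"))
        return false;
    return true;
}

// Intended rule, stated independently of either implementation: an
// encryption-only key must not satisfy a signing/TLS lookup, and a
// signing-only key must not satisfy an encryption lookup. A key with no
// use attribute, or a lookup with no usage, is unrestricted.
bool acceptIntended(unsigned usage, const char* use) {
    bool wantsSigning = (usage & (SIGNING | TLS)) != 0;
    bool wantsEncryption = (usage & ENCRYPTION) != 0;
    if (wantsSigning && useIs(use, "encryption")) return false;
    if (wantsEncryption && useIs(use, "signing")) return false;
    return true;
}

using Pred = bool (*)(unsigned, const char*);

static const unsigned kUsages[] = { UNSPECIFIED, SIGNING, TLS, ENCRYPTION };
static const char* const kUses[] = { nullptr, "signing", "encryption" };

// Number of (usage, use) combinations where pred disagrees with the intended rule.
int countMismatches(Pred pred) {
    int n = 0;
    for (unsigned usage : kUsages)
        for (const char* use : kUses)
            if (pred(usage, use) != acceptIntended(usage, use))
                ++n;
    return n;
}

int main() {
    for (unsigned usage : kUsages)
        for (const char* use : kUses)
            std::cout << "usage=" << usage << " use=" << (use ? use : "(none)")
                      << " buggy=" << acceptBuggy(usage, use)
                      << " fixed=" << acceptFixed(usage, use) << '\n';
    std::cout << "mismatches: buggy=" << countMismatches(acceptBuggy)
              << " fixed=" << countMismatches(acceptFixed) << '\n';
    return 0;
}
```

Under these assumed values the old predicate's first left operand is nonzero for any nonzero usage and its second is nonzero always, so the decision was driven by the use string alone: the table shows it rejecting a use="encryption" key for an encryption lookup and a use="signing" key for a signing lookup, while the patched predicate agrees with the intended rule in every row.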