
Bug#548126: marked as done (pu: package opensaml2/2.0-2+lenny1)



Your message dated Wed, 07 Oct 2009 19:08:11 +0300
with message-id <4ACCBCEB.7080501@debian.org>
and subject line Re: Bug#548126: pu: package opensaml2/2.0-2+lenny1
has caused the Debian Bug report #548126,
regarding pu: package opensaml2/2.0-2+lenny1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
548126: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=548126
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: pu

The Shibboleth suite of software and libraries, which includes xmltooling,
opensaml2, and shibboleth-sp2, has had several vulnerabilities announced
over the past month and a half.  Most of those are in xmltooling and are
being handled in conjunction with the Debian Security Team.  However, part
of one of the more minor fixes is in opensaml2, and at the recommendation
of the security team, I'm proposing that change through the stable update
process.

Attached is the debdiff against the version currently in stable.

Please note that this fix is in a header file in a function that's
inlined, so after this update is accepted (assuming it's accepted),
shibboleth-sp2 in stable will need to be rebuilt against the new version
of opensaml2.  I understand that this can be done via the proposed-updates
mechanism with a binary NMU.

Please let me know if I should go ahead and upload this package.

-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.30-1-686-bigmem (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -u opensaml2-2.0/debian/changelog opensaml2-2.0/debian/changelog
--- opensaml2-2.0/debian/changelog
+++ opensaml2-2.0/debian/changelog
@@ -1,3 +1,13 @@
+opensaml2 (2.0-2+lenny1) stable; urgency=high
+
+  * SECURITY: Correctly honor the "use" attribute of <KeyDescriptor> SAML
+    metadata to honor restrictions to signing or encryption.  This is a
+    partial fix; the complete fix also requires a new version of the
+    xmltooling library.
+    See <http://shibboleth.internet2.edu/secadv/secadv_20090817a.txt>
+
+ -- Russ Allbery <rra@debian.org>  Wed, 23 Sep 2009 15:32:12 -0700
+
 opensaml2 (2.0-2) unstable; urgency=low
 
   * Include fix for https://bugs.internet2.edu/jira/browse/CPPOST-7
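Review bot: the changelog entry should say that the fix is in an inlined function in a header (MetadataCredentialCriteria.h), so shibboleth-sp2 in stable must be rebuilt (binary NMU) against the new opensaml2; the cover message states this, but anyone reading only the changelog would not see the rebuild dependency. Minor wording: "honor ... to honor" repeats itself; something like "Correctly honor the "use" attribute of <KeyDescriptor> SAML metadata so that signing-only and encryption-only restrictions are enforced" reads better.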
only in patch2:
unchanged:
--- opensaml2-2.0.orig/saml/saml2/metadata/MetadataCredentialCriteria.h
+++ opensaml2-2.0/saml/saml2/metadata/MetadataCredentialCriteria.h
@@ -1,5 +1,5 @@
 /*
- *  Copyright 2001-2007 Internet2
+ *  Copyright 2001-2009 Internet2
  * 
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -64,10 +64,10 @@
                 const MetadataCredentialContext* context = dynamic_cast<const MetadataCredentialContext*>(credential.getCredentalContext());
                 if (context) {
                     // Check for a usage mismatch.
-                    if ((getUsage() | (xmltooling::Credential::SIGNING_CREDENTIAL & xmltooling::Credential::TLS_CREDENTIAL)) &&
+                    if ((getUsage() & (xmltooling::Credential::SIGNING_CREDENTIAL | xmltooling::Credential::TLS_CREDENTIAL)) &&
                             XMLString::equals(context->getKeyDescriptor().getUse(),KeyDescriptor::KEYTYPE_ENCRYPTION))
                         return false;
-                    else if ((getUsage() | xmltooling::Credential::ENCRYPTION_CREDENTIAL) &&
+                    else if ((getUsage() & xmltooling::Credential::ENCRYPTION_CREDENTIAL) &&
                             XMLString::equals(context->getKeyDescriptor().getUse(),KeyDescriptor::KEYTYPE_SIGNING))
                         return false;
                 }
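Review bot: the bitwise operators in both conditions were swapped, and the fix is the right one: `getUsage() | mask` is nonzero whenever any usage bit is set, so the old test never actually depended on whether a signing/TLS or an encryption credential was being requested, and `SIGNING_CREDENTIAL & TLS_CREDENTIAL` is zero for distinct flag bits rather than the union of the two. The corrected `getUsage() & (SIGNING_CREDENTIAL | TLS_CREDENTIAL)` and `getUsage() & ENCRYPTION_CREDENTIAL` test the requested usage properly against the KeyDescriptor use attribute. Since this is exactly the kind of typo that compiles cleanly, consider adding a unit test that exercises the four combinations (requested signing or encryption usage against use="signing" and use="encryption" descriptors) so a regression is caught, and note that because the function is inlined from the header, dependents compiled against the old header keep the old behaviour until rebuilt.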

--- End Message ---
--- Begin Message ---
Florian Weimer wrote:
> Right.  Please upload opensaml2 first (after sending in a source
> debdiff for review), and then wait with uploading shibboleth-sp2 until
> we tell you it's okay to do so.
OK, will do. How should we handle the fact that the newer xmltooling is
breaking the "old" (as in, lenny) opensaml2/shibboleth-sp2?

I don't think it can be solved with regular dpkg constructs (xmltooling
is already present in security), would just mentioning it in the DSA be
alright?

> AFAICT, opensaml2 hasn't been uploaded to stable-proposed-updates yet,
> so no action appears to be required from the release team.
Yes, that's my impression as well, hence I'm closing #548126 (pu) with
this mail.

Thanks,
Faidon


--- End Message ---