
Bug#948715: stretch-pu: package xml-security-c/1.7.3-4+deb9u1



On Tue, 28 Jan 2020 08:42:50 +0000 "Adam D. Barratt" <adam@adam-barratt.org.uk> wrote:
 
> On 2020-01-12 14:39, Ferenc Wágner wrote:
>
>> +xml-security-c (1.7.3-4+deb9u2) stretch; urgency=medium
>> +
>> +  * [12dd825] New patches: DSA verification crashes OpenSSL on invalid
>> +    combinations of key content.
>> +    Particular KeyInfo combinations result in incomplete DSA key structures
>> +    that OpenSSL can't handle without crashing.  In the case of Shibboleth
>> +    SP software this manifests as a crash in the shibd daemon.  Exploitation
>> +    is believed to be possible only in deployments employing the PKIX trust
>> +    engine, which is generally recommended against.
>> +    The upstream patches backported from 2.0.2 apply analogous safeguards to
>> +    the RSA and ECDSA key handling as well.
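Review bot: the entry records only the packaging commit [12dd825] although it backports several upstream changes (the DSA fix plus the analogous RSA and ECDSA safeguards from 2.0.2); naming the upstream commits or advisory in the changelog text or in the patch headers (e.g. `* [12dd825] New patches (backported from upstream 2.0.2): ...`) would let a stretch user trace each safeguard to its origin and see that no CVE or bug number is being claimed.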
> 
> Please go ahead.

Uploaded.
-- 
Thanks,
Feri
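The changelog above describes KeyInfo combinations that yield an incomplete DSA key structure. The following is an added example, not code from xml-security-c or from the backported patches: a structural check in Python that refuses a DSAKeyValue (or RSAKeyValue) with any missing, empty or zero component before the key is handed to a crypto library. Element names come from the XML-DSig namespace; the numeric values in the samples are constructed placeholders, not real parameters.

```python
import base64
import xml.etree.ElementTree as ET

DSIG = "http://www.w3.org/2000/09/xmldsig#"

# Components that must all be present before a key object is built.  XML-DSig
# makes P/Q/G optional for DSA; a verifier that later passes the key to a
# crypto library should refuse the partial form outright instead.
REQUIRED = {
    "DSAKeyValue": ("P", "Q", "G", "Y"),
    "RSAKeyValue": ("Modulus", "Exponent"),
}


class IncompleteKeyError(ValueError):
    """Raised when a KeyValue cannot yield a complete public key."""


def _big_int(parent, name):
    """Decode the base64 ds:CryptoBinary child `name` into a non-zero int."""
    el = parent.find(f"{{{DSIG}}}{name}")
    text = (el.text or "").strip() if el is not None else ""
    if not text:
        raise IncompleteKeyError(f"{name} missing or empty")
    try:
        value = int.from_bytes(base64.b64decode(text, validate=True), "big")
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise IncompleteKeyError(f"{name} is not valid base64") from exc
    if value == 0:
        raise IncompleteKeyError(f"{name} decodes to zero")
    return value


def extract_public_key(keyinfo_xml):
    """Parse ds:KeyInfo and return (kind, {component: int}); reject partial keys."""
    root = ET.fromstring(keyinfo_xml)
    key_value = root.find(f"{{{DSIG}}}KeyValue")
    if key_value is None or len(key_value) != 1:
        raise IncompleteKeyError("KeyInfo must carry exactly one KeyValue child")
    body = key_value[0]
    kind = body.tag.rsplit("}", 1)[-1]
    if kind not in REQUIRED:
        raise IncompleteKeyError(f"unsupported key value type {kind}")
    parts = {name: _big_int(body, name) for name in REQUIRED[kind]}
    if kind == "DSAKeyValue" and not (1 < parts["Y"] < parts["P"]):
        raise IncompleteKeyError("DSA public value Y out of range")
    return kind, parts


def _b64(n):
    """Encode a small int as ds:CryptoBinary base64 (constructed test data)."""
    return base64.b64encode(n.to_bytes((n.bit_length() + 7) // 8, "big")).decode()


# Constructed samples with tiny placeholder numbers (not real DSA parameters).
PARTIAL_DSA = (f'<KeyInfo xmlns="{DSIG}"><KeyValue><DSAKeyValue>'
               f'<Y>{_b64(7)}</Y></DSAKeyValue></KeyValue></KeyInfo>')
FULL_DSA = (f'<KeyInfo xmlns="{DSIG}"><KeyValue><DSAKeyValue>'
            f'<P>{_b64(23)}</P><Q>{_b64(11)}</Q><G>{_b64(4)}</G><Y>{_b64(8)}</Y>'
            '</DSAKeyValue></KeyValue></KeyInfo>')
```

Running `extract_public_key` on `PARTIAL_DSA` raises before any key is constructed, while `FULL_DSA` yields the four integers a verifier can then pass on.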

