Bug#948715: stretch-pu: package xml-security-c/1.7.3-4+deb9u1
On Tue, 28 Jan 2020 08:42:50 +0000 "Adam D. Barratt" <adam@adam-barratt.org.uk> wrote:
> On 2020-01-12 14:39, Ferenc Wágner wrote:
>
>> +xml-security-c (1.7.3-4+deb9u2) stretch; urgency=medium
>> +
>> + * [12dd825] New patches: DSA verification crashes OpenSSL on invalid
>> + combinations of key content.
>> + Particular KeyInfo combinations result in incomplete DSA key structures
>> + that OpenSSL can't handle without crashing. In the case of Shibboleth
>> + SP software this manifests as a crash in the shibd daemon. Exploitation
>> + is believed to be possible only in deployments employing the PKIX trust
>> + engine, which is generally recommended against.
>> + The upstream patches backported from 2.0.2 apply analogous safeguards to
>> + the RSA and ECDSA key handling as well.
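Review bot: the entry cites the upstream commit [12dd825] and says the patches come from 2.0.2, but gives no upstream issue number, CVE (if one was assigned) or Debian bug for the crash, so nothing ties this upload to the advisory in the security tracker or the BTS; a reference in the changelog entry (a Closes: line or the upstream issue URL) would fix that. Also, the bug subject names 1.7.3-4+deb9u1 while the entry is for 1.7.3-4+deb9u2; worth confirming the title matches the version actually being uploaded.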
>
> Please go ahead.
Uploaded.
--
Thanks,
Feri
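The failure mode the changelog describes, incomplete DSA key material taken from ds:KeyInfo reaching the crypto library, as an added example in Python (not code from xml-security-c, Shibboleth or the Debian patch): the DSAKeyValue content is validated for completeness and basic group membership before any key object is built, so a half-specified key is rejected rather than crashing a verify call. The element names are the real XML-DSig ones; the acceptance policy (P, Q, G and Y all present, g and y in the order-q subgroup), the helper names and the toy sample keys are assumptions constructed for this example.

```python
"""
Added example, not code from xml-security-c, Shibboleth or the Debian patch:
refuse a ds:KeyInfo/ds:DSAKeyValue whose content does not describe a complete
DSA public key *before* anything is handed to the crypto library.  Element
names are the real XML-DSig ones; the acceptance rule and the sample keys are
assumptions made for this example, and the toy parameters are far too small
to be secure.
"""
import base64
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"


class RejectedDSAKey(ValueError):
    """Raised for any DSAKeyValue we refuse to pass on to the signature code."""


def _crypto_binary_to_int(text):
    # ds:CryptoBinary is base64 of a big-endian unsigned integer; whitespace is allowed.
    raw = base64.b64decode("".join(text.split()), validate=True)
    if not raw:
        raise RejectedDSAKey("empty CryptoBinary")
    return int.from_bytes(raw, "big")


def parse_dsa_key_value(xml_text):
    """Return {'p','q','g','y'} as ints, or raise RejectedDSAKey.

    Policy (assumed, conservative): a key is usable only when all of P, Q, G
    and Y are present.  Y alone, or a partial parameter set, is rejected here
    instead of being turned into a half-initialised key object downstream.
    """
    root = ET.fromstring(xml_text)
    tag = "{%s}DSAKeyValue" % DSIG_NS
    dsa = root if root.tag == tag else root.find(".//" + tag)
    if dsa is None:
        raise RejectedDSAKey("no DSAKeyValue element")

    fields = {}
    for name in ("P", "Q", "G", "Y"):
        el = dsa.find("{%s}%s" % (DSIG_NS, name))
        if el is not None and el.text and el.text.strip():
            fields[name.lower()] = _crypto_binary_to_int(el.text)

    missing = [n for n in ("p", "q", "g", "y") if n not in fields]
    if missing:
        raise RejectedDSAKey("incomplete DSA key, missing %s" % ",".join(missing).upper())

    p, q, g, y = fields["p"], fields["q"], fields["g"], fields["y"]
    # Cheap structural checks on the numbers themselves before a library sees them.
    if not (1 < g < p and 1 < y < p):
        raise RejectedDSAKey("g or y out of range")
    if (p - 1) % q != 0:
        raise RejectedDSAKey("q does not divide p-1")
    if pow(g, q, p) != 1 or pow(y, q, p) != 1:
        raise RejectedDSAKey("g or y not in the order-q subgroup")
    return fields


def is_acceptable(xml_text):
    """True if the KeyInfo content may be passed on to the verifier."""
    try:
        parse_dsa_key_value(xml_text)
        return True
    except (RejectedDSAKey, ET.ParseError, ValueError):
        return False


def _key_value(**parts):
    # Build a ds:KeyValue/ds:DSAKeyValue fragment from CryptoBinary parts (constructed test data).
    body = "".join("<%s>%s</%s>" % (n, v, n) for n, v in parts.items())
    return '<KeyValue xmlns="%s"><DSAKeyValue>%s</DSAKeyValue></KeyValue>' % (DSIG_NS, body)


# Constructed toy key: p=23, q=11, g=4, y=4^5 mod 23=12, each base64 of a single byte.
SAMPLE_COMPLETE = _key_value(P="Fw==", Q="Cw==", G="BA==", Y="DA==")
SAMPLE_Y_ONLY = _key_value(Y="DA==")                                  # public value only
SAMPLE_PARTIAL = _key_value(P="Fw==", Y="DA==")                       # P without Q and G
SAMPLE_BAD_Y = _key_value(P="Fw==", Q="Cw==", G="BA==", Y="BQ==")     # y=5, not in the subgroup

if __name__ == "__main__":
    for label, frag in (("complete", SAMPLE_COMPLETE), ("y-only", SAMPLE_Y_ONLY),
                        ("partial", SAMPLE_PARTIAL), ("bad-y", SAMPLE_BAD_Y)):
        print(label, "accepted" if is_acceptable(frag) else "rejected")
```

The point of the check is placement: it runs on the parsed XML, ahead of any call into the crypto library, so the library never receives a key structure with missing members. The subgroup test is an extra defensive step that a real deployment would keep even after the completeness check.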