--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Please consider speeding up migration of package shibboleth-sp
Dear Release Team,
The version currently waiting for testing migration fixes the security
bug #985405. The package isn't blocked because of successful
autopkgtests, but you may want to speed up its migration to fix the bug
in bullseye and to allow us to fix it in buster-backports sooner.
See the debdiff below; the 3.2.1 release contains nothing but 3 bug
fixes (the third is the security bug mentioned above):
- native.logger includes a lot of categories specific to shibd
- External overrides break when custom handlers are used
- Error templates allow query-based override of variables
diff -Nru shibboleth-sp-3.2.0+dfsg1/configs/native.logger shibboleth-sp-3.2.1+dfsg1/configs/native.logger
--- shibboleth-sp-3.2.0+dfsg1/configs/native.logger 2019-11-21 15:04:04.000000000 +0100
+++ shibboleth-sp-3.2.1+dfsg1/configs/native.logger 2021-03-16 16:04:10.000000000 +0100
@@ -8,23 +8,14 @@
log4j.category.Shibboleth.IPRange=WARN
log4j.category.Shibboleth.PropertySet=WARN
-# raise for low-level tracing of SOAP client HTTP/SSL behavior
-log4j.category.XMLTooling.libcurl=WARN
-
# useful categories to tune independently:
#
-# tracing of SAML messages and security policies
-#log4j.category.OpenSAML.MessageDecoder=DEBUG
-#log4j.category.OpenSAML.MessageEncoder=DEBUG
-#log4j.category.OpenSAML.SecurityPolicyRule=DEBUG
# interprocess message remoting
#log4j.category.Shibboleth.Listener=DEBUG
# mapping of requests to applicationId
#log4j.category.Shibboleth.RequestMapper=DEBUG
# high level session cache operations
#log4j.category.Shibboleth.SessionCache=DEBUG
-# persistent storage and caching
-#log4j.category.XMLTooling.StorageService=DEBUG
# define the appender
diff -Nru shibboleth-sp-3.2.0+dfsg1/configs/win-native.logger shibboleth-sp-3.2.1+dfsg1/configs/win-native.logger
--- shibboleth-sp-3.2.0+dfsg1/configs/win-native.logger 2019-11-21 15:04:04.000000000 +0100
+++ shibboleth-sp-3.2.1+dfsg1/configs/win-native.logger 2021-03-16 16:04:36.000000000 +0100
@@ -8,23 +8,14 @@
log4j.category.Shibboleth.IPRange=WARN
log4j.category.Shibboleth.PropertySet=WARN
-# raise for low-level tracing of SOAP client HTTP/SSL behavior
-log4j.category.XMLTooling.libcurl=WARN
-
# useful categories to tune independently:
#
-# tracing of SAML messages and security policies
-#log4j.category.OpenSAML.MessageDecoder=DEBUG
-#log4j.category.OpenSAML.MessageEncoder=DEBUG
-#log4j.category.OpenSAML.SecurityPolicyRule=DEBUG
# interprocess message remoting
#log4j.category.Shibboleth.Listener=DEBUG
# mapping of requests to applicationId
#log4j.category.Shibboleth.RequestMapper=DEBUG
# high level session cache operations
#log4j.category.Shibboleth.SessionCache=DEBUG
-# persistent storage and caching
-#log4j.category.XMLTooling.StorageService=DEBUG
# define the appender
diff -Nru shibboleth-sp-3.2.0+dfsg1/configure shibboleth-sp-3.2.1+dfsg1/configure
--- shibboleth-sp-3.2.0+dfsg1/configure 2020-12-08 16:33:35.000000000 +0100
+++ shibboleth-sp-3.2.1+dfsg1/configure 2021-03-16 15:44:42.000000000 +0100
@@ -1,6 +1,6 @@
#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for shibboleth 3.2.0.
+# Generated by GNU Autoconf 2.69 for shibboleth 3.2.1.
#
# Report bugs to <https://issues.shibboleth.net/>.
#
@@ -590,8 +590,8 @@
# Identity of this package.
PACKAGE_NAME='shibboleth'
PACKAGE_TARNAME='shibboleth-sp'
-PACKAGE_VERSION='3.2.0'
-PACKAGE_STRING='shibboleth 3.2.0'
+PACKAGE_VERSION='3.2.1'
+PACKAGE_STRING='shibboleth 3.2.1'
PACKAGE_BUGREPORT='https://issues.shibboleth.net/'
PACKAGE_URL=''
@@ -1530,7 +1530,7 @@
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
-\`configure' configures shibboleth 3.2.0 to adapt to many kinds of systems.
+\`configure' configures shibboleth 3.2.1 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
@@ -1600,7 +1600,7 @@
if test -n "$ac_init_help"; then
case $ac_init_help in
- short | recursive ) echo "Configuration of shibboleth 3.2.0:";;
+ short | recursive ) echo "Configuration of shibboleth 3.2.1:";;
esac
cat <<\_ACEOF
@@ -1802,7 +1802,7 @@
test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
-shibboleth configure 3.2.0
+shibboleth configure 3.2.1
generated by GNU Autoconf 2.69
Copyright (C) 2012 Free Software Foundation, Inc.
@@ -2680,7 +2680,7 @@
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
-It was created by shibboleth $as_me 3.2.0, which was
+It was created by shibboleth $as_me 3.2.1, which was
generated by GNU Autoconf 2.69. Invocation command line was
$ $0 $@
@@ -3540,7 +3540,7 @@
# Define the identity of the package.
PACKAGE='shibboleth-sp'
- VERSION='3.2.0'
+ VERSION='3.2.1'
cat >>confdefs.h <<_ACEOF
@@ -24274,7 +24274,7 @@
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
-This file was extended by shibboleth $as_me 3.2.0, which was
+This file was extended by shibboleth $as_me 3.2.1, which was
generated by GNU Autoconf 2.69. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
@@ -24340,7 +24340,7 @@
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
ac_cs_version="\\
-shibboleth config.status 3.2.0
+shibboleth config.status 3.2.1
configured by $0, generated by GNU Autoconf 2.69,
with options \\"\$ac_cs_config\\"
diff -Nru shibboleth-sp-3.2.0+dfsg1/configure.ac shibboleth-sp-3.2.1+dfsg1/configure.ac
--- shibboleth-sp-3.2.0+dfsg1/configure.ac 2020-12-08 16:33:28.000000000 +0100
+++ shibboleth-sp-3.2.1+dfsg1/configure.ac 2021-03-16 14:33:31.000000000 +0100
@@ -1,5 +1,5 @@
AC_PREREQ([2.50])
-AC_INIT([shibboleth],[3.2.0],[https://issues.shibboleth.net/],[shibboleth-sp])
+AC_INIT([shibboleth],[3.2.1],[https://issues.shibboleth.net/],[shibboleth-sp])
AC_CONFIG_SRCDIR(shibsp)
AC_CONFIG_AUX_DIR(build-aux)
AC_CONFIG_MACRO_DIR(m4)
diff -Nru shibboleth-sp-3.2.0+dfsg1/config_win32.h shibboleth-sp-3.2.1+dfsg1/config_win32.h
--- shibboleth-sp-3.2.0+dfsg1/config_win32.h 2020-12-07 21:51:12.000000000 +0100
+++ shibboleth-sp-3.2.1+dfsg1/config_win32.h 2021-03-16 14:33:45.000000000 +0100
@@ -121,13 +121,13 @@
#define PACKAGE_NAME "shibboleth"
/* Define to the full name and version of this package. */
-#define PACKAGE_STRING "shibboleth 3.2.0"
+#define PACKAGE_STRING "shibboleth 3.2.1"
/* Define to the one symbol short name of this package. */
#define PACKAGE_TARNAME "shibboleth-sp"
/* Define to the version of this package. */
-#define PACKAGE_VERSION "3.2.0"
+#define PACKAGE_VERSION "3.2.1"
/* Define to the necessary symbol if this constant uses a non-standard name on
your system. */
@@ -140,7 +140,7 @@
/* #undef TM_IN_SYS_TIME */
/* Version number of package */
-#define VERSION "3.2.0"
+#define VERSION "3.2.1"
/* Define to empty if `const' does not conform to ANSI C. */
/* #undef const */
diff -Nru shibboleth-sp-3.2.0+dfsg1/debian/changelog shibboleth-sp-3.2.1+dfsg1/debian/changelog
--- shibboleth-sp-3.2.0+dfsg1/debian/changelog 2021-01-06 14:18:54.000000000 +0100
+++ shibboleth-sp-3.2.1+dfsg1/debian/changelog 2021-03-17 14:29:08.000000000 +0100
@@ -1,3 +1,12 @@
+shibboleth-sp (3.2.1+dfsg1-1) unstable; urgency=high
+
+ * [4ecfe4a] New upstream release: 3.2.1
+ High urgency because it contains the fix for the phishing vulnerability
+ https://shibboleth.net/community/advisories/secadv_20210317.txt.
+ * [80b3470] Refresh our patches
+
+ -- Ferenc Wágner <wferi@debian.org> Wed, 17 Mar 2021 14:29:08 +0100
+
shibboleth-sp (3.2.0+dfsg1-2) unstable; urgency=medium
* [84158eb] Revert "New patch: Require XMLTooling and OpenSAML 3.2 via pkg
diff -Nru shibboleth-sp-3.2.0+dfsg1/debian/patches/Clean-up-cxxtest-configuration.patch shibboleth-sp-3.2.1+dfsg1/debian/patches/Clean-up-cxxtest-configuration.patch
--- shibboleth-sp-3.2.0+dfsg1/debian/patches/Clean-up-cxxtest-configuration.patch 2020-12-27 21:57:54.000000000 +0100
+++ shibboleth-sp-3.2.1+dfsg1/debian/patches/Clean-up-cxxtest-configuration.patch 2021-03-17 14:26:00.000000000 +0100
@@ -9,7 +9,7 @@
1 file changed, 5 deletions(-)
diff --git a/configure.ac b/configure.ac
-index 385d11d..c278574 100644
+index ddae588..ceb34a3 100644
--- a/configure.ac
+++ b/configure.ac
@@ -940,15 +940,10 @@ AM_CONDITIONAL([GSSAPI_NAMINGEXTS],[test "x$ac_cv_have_decl_gss_get_name_attribu
diff -Nru shibboleth-sp-3.2.0+dfsg1/schemas/shibboleth-3.0-native-sp-config.xsd shibboleth-sp-3.2.1+dfsg1/schemas/shibboleth-3.0-native-sp-config.xsd
--- shibboleth-sp-3.2.0+dfsg1/schemas/shibboleth-3.0-native-sp-config.xsd 2020-12-07 21:51:12.000000000 +0100
+++ shibboleth-sp-3.2.1+dfsg1/schemas/shibboleth-3.0-native-sp-config.xsd 2021-03-16 15:21:18.000000000 +0100
@@ -9,7 +9,7 @@
elementFormDefault="qualified"
attributeFormDefault="unqualified"
blockDefault="substitution"
- version="3.1">
+ version="3.2">
<import namespace="http://www.w3.org/2000/09/xmldsig#" schemaLocation="xmldsig-core-schema.xsd" />
<import namespace="urn:oasis:names:tc:SAML:2.0:assertion" schemaLocation="saml-schema-assertion-2.0.xsd"/>
@@ -754,6 +754,7 @@
<attribute name="localLogout" type="conf:anyURI"/>
<attribute name="globalLogout" type="conf:anyURI"/>
<attribute name="partialLogout" type="conf:anyURI"/>
+ <attribute name="externalParameters" type="boolean" />
<anyAttribute namespace="##any" processContents="lax"/>
</complexType>
diff -Nru shibboleth-sp-3.2.0+dfsg1/shibboleth.spec shibboleth-sp-3.2.1+dfsg1/shibboleth.spec
--- shibboleth-sp-3.2.0+dfsg1/shibboleth.spec 2020-12-08 16:34:19.000000000 +0100
+++ shibboleth-sp-3.2.1+dfsg1/shibboleth.spec 2021-03-16 15:46:04.000000000 +0100
@@ -1,5 +1,5 @@
Name: shibboleth
-Version: 3.2.0
+Version: 3.2.1
Release: 1
Summary: Open source system for attribute-based Web SSO
Group: Productivity/Networking/Security
@@ -29,8 +29,8 @@
%endif
BuildRequires: libxerces-c-devel >= 3.2
BuildRequires: libxml-security-c-devel >= 2.0.0
-BuildRequires: libxmltooling-devel >= 3.1.0
-BuildRequires: libsaml-devel >= 3.1.0
+BuildRequires: libxmltooling-devel >= 3.2.0
+BuildRequires: libsaml-devel >= 3.2.0
%{?_with_log4cpp:BuildRequires: liblog4cpp-devel >= 1.0}
%{!?_with_log4cpp:BuildRequires: liblog4shib-devel >= 2}
%if 0%{?rhel} == 6 || 0%{?rhel} == 7 || 0%{?amzn} >= 1
diff -Nru shibboleth-sp-3.2.0+dfsg1/shibboleth.spec.in shibboleth-sp-3.2.1+dfsg1/shibboleth.spec.in
--- shibboleth-sp-3.2.0+dfsg1/shibboleth.spec.in 2020-12-08 00:31:56.000000000 +0100
+++ shibboleth-sp-3.2.1+dfsg1/shibboleth.spec.in 2020-12-15 04:00:19.000000000 +0100
@@ -29,8 +29,8 @@
%endif
BuildRequires: libxerces-c-devel >= 3.2
BuildRequires: libxml-security-c-devel >= 2.0.0
-BuildRequires: libxmltooling-devel >= 3.1.0
-BuildRequires: libsaml-devel >= 3.1.0
+BuildRequires: libxmltooling-devel >= 3.2.0
+BuildRequires: libsaml-devel >= 3.2.0
%{?_with_log4cpp:BuildRequires: liblog4cpp-devel >= 1.0}
%{!?_with_log4cpp:BuildRequires: liblog4shib-devel >= 2}
%if 0%{?rhel} == 6 || 0%{?rhel} == 7 || 0%{?amzn} >= 1
diff -Nru shibboleth-sp-3.2.0+dfsg1/shibsp/handler/impl/AttributeCheckerHandler.cpp shibboleth-sp-3.2.1+dfsg1/shibsp/handler/impl/AttributeCheckerHandler.cpp
--- shibboleth-sp-3.2.0+dfsg1/shibsp/handler/impl/AttributeCheckerHandler.cpp 2020-12-07 21:51:12.000000000 +0100
+++ shibboleth-sp-3.2.1+dfsg1/shibsp/handler/impl/AttributeCheckerHandler.cpp 2021-03-16 15:50:23.000000000 +0100
@@ -188,8 +188,16 @@
ifstream infile(m_template.c_str());
if (infile) {
- TemplateParameters tp(nullptr, request.getApplication().getPropertySet("Errors"), session);
- tp.m_request = &request;
+ const PropertySet* props = request.getApplication().getPropertySet("Errors");
+ TemplateParameters tp(nullptr, props, session);
+
+ // If the externalParameters option isn't set, don't populate the request field.
+ pair<bool,bool> externalParameters =
+ props ? props->getBool("externalParameters") : pair<bool,bool>(false,false);
+ if (externalParameters.first && externalParameters.second) {
+ tp.m_request = &request;
+ }
+
stringstream str;
XMLToolingConfig::getConfig().getTemplateEngine()->run(infile, str, tp);
if (m_flushSession && session) {
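Review bot: The `externalParameters` lookup added here is repeated verbatim in FormSessionInitiator.cpp and LogoutHandler.cpp, and with the condition inverted in ServiceProvider.cpp, so one security gate now lives in four copies that have to stay in sync. A single shared helper, for example `static bool allowExternalParameters(const PropertySet* props);` returning true only when the property is present and true, would leave each call site as `if (allowExternalParameters(props)) tp.m_request = &request;`. The comment says "isn't set", but the condition also rejects an explicit `false`; `// Expose the request to the template only when externalParameters is explicitly true.` describes the check more exactly. The enclosing function starts and ends outside the hunk.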
diff -Nru shibboleth-sp-3.2.0+dfsg1/shibsp/handler/impl/FormSessionInitiator.cpp shibboleth-sp-3.2.1+dfsg1/shibsp/handler/impl/FormSessionInitiator.cpp
--- shibboleth-sp-3.2.0+dfsg1/shibsp/handler/impl/FormSessionInitiator.cpp 2018-07-10 03:17:23.000000000 +0200
+++ shibboleth-sp-3.2.1+dfsg1/shibsp/handler/impl/FormSessionInitiator.cpp 2021-03-16 15:50:38.000000000 +0100
@@ -123,8 +123,18 @@
ifstream infile(XMLToolingConfig::getConfig().getPathResolver()->resolve(fname, PathResolver::XMLTOOLING_CFG_FILE).c_str());
if (!infile)
throw ConfigurationException("Unable to access HTML template ($1).", params(1, m_template));
+
+ const PropertySet* props = app.getPropertySet("Errors");
+
TemplateParameters tp;
- tp.m_request = &request;
+
+ // If the externalParameters option isn't set, don't populate the request field.
+ pair<bool,bool> externalParameters =
+ props ? props->getBool("externalParameters") : pair<bool,bool>(false,false);
+ if (externalParameters.first && externalParameters.second) {
+ tp.m_request = &request;
+ }
+
tp.setPropertySet(app.getPropertySet("Errors"));
tp.m_map["action"] = returnURL;
if (!target.empty())
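Review bot: The unchanged line `tp.setPropertySet(app.getPropertySet("Errors"));` below the new block repeats the lookup whose result was just stored in `props`. Using `tp.setPropertySet(props);`, as LogoutHandler.cpp does, would guarantee that the gate and the template read the same property set. This handler appears to render a form template rather than an error page, so it is worth recording that the switch is deliberately taken from the `Errors` element, e.g. `// externalParameters is configured on <Errors> and also governs this form template.` The enclosing function starts and ends outside the hunk.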
diff -Nru shibboleth-sp-3.2.0+dfsg1/shibsp/handler/impl/LogoutHandler.cpp shibboleth-sp-3.2.1+dfsg1/shibsp/handler/impl/LogoutHandler.cpp
--- shibboleth-sp-3.2.0+dfsg1/shibsp/handler/impl/LogoutHandler.cpp 2018-07-10 03:17:23.000000000 +0200
+++ shibboleth-sp-3.2.1+dfsg1/shibsp/handler/impl/LogoutHandler.cpp 2021-03-16 15:50:52.000000000 +0100
@@ -63,6 +63,7 @@
{
string tname = string(type) + "Logout";
const PropertySet* props = application.getPropertySet("Errors");
+
pair<bool,const char*> prop = props ? props->getString(tname.c_str()) : pair<bool,const char*>(false,nullptr);
if (!prop.first) {
tname += ".html";
@@ -76,7 +77,14 @@
if (!infile)
throw ConfigurationException("Unable to access $1 HTML template.", params(1,prop.second));
TemplateParameters tp;
- tp.m_request = &request;
+
+ // If the externalParameters option isn't set, don't populate the request field.
+ pair<bool,bool> externalParameters =
+ props ? props->getBool("externalParameters") : pair<bool,bool>(false,false);
+ if (externalParameters.first && externalParameters.second) {
+ tp.m_request = &request;
+ }
+
tp.setPropertySet(props);
tp.m_map["logoutStatus"] = "Logout completed successfully."; // Backward compatibility.
stringstream str;
diff -Nru shibboleth-sp-3.2.0+dfsg1/shibsp/impl/XMLServiceProvider.cpp shibboleth-sp-3.2.1+dfsg1/shibsp/impl/XMLServiceProvider.cpp
--- shibboleth-sp-3.2.0+dfsg1/shibsp/impl/XMLServiceProvider.cpp 2020-12-07 21:51:12.000000000 +0100
+++ shibboleth-sp-3.2.1+dfsg1/shibsp/impl/XMLServiceProvider.cpp 2021-03-16 20:51:24.000000000 +0100
@@ -883,15 +883,31 @@
if (i != m_listenerMap.end())
return i->second.first ? i->second.first : i->second.second;
+ locker.release()->unlock(); // free up the listener map
+
+ // Start iterating at slash boundaries.
+ const char* slash = strstr(address, "/");
+ while (slash) {
+ string appId(address, slash - address);
+ if (getApplication(appId.c_str())) {
+ SharedLock sublocker(m_listenerLock, true); // relock and check again
+ i = m_listenerMap.find(address);
+ if (i != m_listenerMap.end())
+ return i->second.first ? i->second.first : i->second.second;
+ }
+ slash = strstr(slash + 1, "/");
+ }
+
+ // Try a search based on the colons, which handles no embedded slashes in the address.
const char* colons = strstr(address, "::");
if (colons) {
string appId(address, colons - address);
- locker.release()->unlock(); // free up the listener map
- getApplication(appId.c_str());
- SharedLock sublocker(m_listenerLock, true); // relock and check again
- i = m_listenerMap.find(address);
- if (i != m_listenerMap.end())
- return i->second.first ? i->second.first : i->second.second;
+ if (getApplication(appId.c_str())) {
+ SharedLock sublocker(m_listenerLock, true); // relock and check again
+ i = m_listenerMap.find(address);
+ if (i != m_listenerMap.end())
+ return i->second.first ? i->second.first : i->second.second;
+ }
}
return nullptr;
}
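Review bot: Both slash searches call `strstr(address, "/")` to find a single character, and the relock/find/return sequence now appears twice. `strchr(address, '/')` states the intent, and the three repeated lines could move into one small local helper. The loop has no why-comment: it seems each slash-terminated prefix is tried as an application ID so that `getApplication` can load it before the listener map is rechecked. If that is the intent, `// Application IDs may contain slashes, so try each slash-terminated prefix as a candidate ID.` would say so. When `address` begins with `/` the first candidate is an empty string, and what `getApplication("")` returns is not visible here, so that case deserves a check or a comment. The function begins above the hunk.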
diff -Nru shibboleth-sp-3.2.0+dfsg1/shibsp/ServiceProvider.cpp shibboleth-sp-3.2.1+dfsg1/shibsp/ServiceProvider.cpp
--- shibboleth-sp-3.2.0+dfsg1/shibsp/ServiceProvider.cpp 2019-11-21 15:04:04.000000000 +0100
+++ shibboleth-sp-3.2.1+dfsg1/shibsp/ServiceProvider.cpp 2021-03-16 15:50:03.000000000 +0100
@@ -71,9 +71,16 @@
if (!app)
app = request.getServiceProvider().getApplication(nullptr);
- const PropertySet* props=app->getPropertySet("Errors");
+ const PropertySet* props = app->getPropertySet("Errors");
- // First look for settings in the request map of the form pageError.
+ // If the externalParameters option isn't set, clear out the request field.
+ pair<bool,bool> externalParameters =
+ props ? props->getBool("externalParameters") : pair<bool,bool>(false,false);
+ if (!externalParameters.first || !externalParameters.second) {
+ tp.m_request = nullptr;
+ }
+
+ // Now look for settings in the request map of the form pageError.
try {
RequestMapper::Settings settings = request.getRequestSettings();
if (mderror)
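Review bot: Unlike the three handlers, which leave `tp.m_request` unset unless the option is true, this site clears a field the caller has already populated. The gate therefore covers only uses of `tp` after this point, and it silently changes the caller's object. `tp` is constructed outside the hunk, so whether anything reads `m_request` earlier cannot be told from here; a comment such as `// tp arrives from the caller with m_request set; drop it unless externalParameters is explicitly true.` would record the contract. Separately, `app->getPropertySet("Errors")` dereferences `app` right after the fallback `getApplication(nullptr)` with no null check, although the following lines do guard `props`. If that fallback can return null, `const PropertySet* props = app ? app->getPropertySet("Errors") : nullptr;` keeps this path fail-closed. The function starts and ends outside the hunk.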
diff -Nru shibboleth-sp-3.2.0+dfsg1/shibsp/shibsp.rc shibboleth-sp-3.2.1+dfsg1/shibsp/shibsp.rc
--- shibboleth-sp-3.2.0+dfsg1/shibsp/shibsp.rc 2020-12-07 21:51:12.000000000 +0100
+++ shibboleth-sp-3.2.1+dfsg1/shibsp/shibsp.rc 2021-03-16 15:43:09.000000000 +0100
@@ -64,7 +64,7 @@
VALUE "InternalName", "shibsp3_2\0"
#endif
#endif
- VALUE "LegalCopyright", "Copyright 2020 UCAID\0"
+ VALUE "LegalCopyright", "Copyright 2021 Various\0"
VALUE "LegalTrademarks", "\0"
#ifdef SHIBSP_LITE
#ifdef _DEBUG
@@ -80,8 +80,8 @@
#endif
#endif
VALUE "PrivateBuild", "\0"
- VALUE "ProductName", "Shibboleth 3.2.0\0"
- VALUE "ProductVersion", "3, 2, 0, 0\0"
+ VALUE "ProductName", "Shibboleth 3.2.1\0"
+ VALUE "ProductVersion", "3, 2, 1, 0\0"
VALUE "SpecialBuild", "\0"
END
END
diff -Nru shibboleth-sp-3.2.0+dfsg1/shibsp/version.h shibboleth-sp-3.2.1+dfsg1/shibsp/version.h
--- shibboleth-sp-3.2.0+dfsg1/shibsp/version.h 2020-12-07 21:51:12.000000000 +0100
+++ shibboleth-sp-3.2.1+dfsg1/shibsp/version.h 2021-03-16 14:32:51.000000000 +0100
@@ -44,7 +44,7 @@
#define SHIBSP_VERSION_MAJOR 3
#define SHIBSP_VERSION_MINOR 2
-#define SHIBSP_VERSION_REVISION 0
+#define SHIBSP_VERSION_REVISION 1
/** DO NOT MODIFY BELOW THIS LINE */
unblock shibboleth-sp/3.2.1+dfsg1-1
--
Thanks,
Feri.
--- End Message ---