Re: Bug#905332: debdiff

[wferi@niif.hu (Ferenc Wágner)]

wagner.ferenc@kifu.gov.hu (Ferenc Wágner) writes:

> Christian Fischer <christian.fischer@greenbone.net> writes:
>
>> On Fri, 03 Aug 2018 14:42:16 +0200 wferi@niif.hu (Ferenc Wágner) wrote:
>>
>>> Unfortunately the CVE hasn't arrived yet; I'll
>>> forward it to you once it does.  My acknowledgement mail is of
>>> subject "CVE Request 548000 for CVE ID Request" from
>>> CVE-Request@mitre.org (just for the record).
>>
>> have you received a CVE for this issue yet? Tried to look around in
>> various sources but wasn't able to identify a published CVE for this
>> issue yet.
>
> I haven't received a CVE for this issue, unfortunately.  My original
> request was deflected by Mitre saying that the Apache Software
> Foundation should issue this CVE.  However, the Apache webpage states
> that they issue IDs for undisclosed vulnerabilities only.  My three
> followup mails asking for clarification remained unanswered by Mitre.
>
> To add more bad news, according to http://santuario.apache.org/ the just
> released 2.0.2 fixes a very similar bug, which might mean another DoS; I
> couldn't investigate yet.  But if it does, we'll need yet another CVE
> for that.  I'm sending out some queries.

Shibboleth upstream confirmed that it's basically more of the same
issue: https://alioth-lists.debian.net/pipermail/pkg-shibboleth-devel/2018-November/005382.html
"I would suggest you just attach this to the same CVE as before and
update it to reflect the versions involved."

Dear Security Team, please consider yourselves notified and please
advise how we should track/handle this.  I'm looking into backporting
the fix to the stable version 1.7.3-4+deb9u1.
-- 
Regards,
Feri