[ubuntu/disco-proposed] xmltooling 3.0.4-1 (Accepted)

Sebastien Bacher seb128 at ubuntu.com
Mon Mar 18 20:20:07 UTC 2019


xmltooling (3.0.4-1) unstable; urgency=high

  * [f185b26] New upstream security release: 3.0.4
    DSA-4407-1, CVE-2019-9628: uncaught exception on malformed XML
    declaration.
    Invalid data in the XML declaration causes an exception of a type
    that was not handled properly in the parser class and propagates an
    unexpected exception type.
    This generally manifests as a crash in the calling code, which in the
    Service Provider software's case is usually the shibd daemon process,
    but can be Apache in some cases. Note that the crash occurs prior to
    evaluation of a message's authenticity, so can be exploited by an
    untrusted attacker.
    https://shibboleth.net/community/advisories/secadv_20190311.txt
    https://issues.shibboleth.net/jira/browse/CPPXT-143
    Thanks to Scott Cantor (Closes: #924346)

Date: 2019-03-14 22:42:32.584674+00:00
Signed-By: Sebastien Bacher <seb128 at ubuntu.com>
https://launchpad.net/ubuntu/+source/xmltooling/3.0.4-1
-------------- next part --------------
Sorry, changesfile not available.


More information about the Disco-changes mailing list