[ubuntu/trusty-security] xmltooling 1.5.3-2+deb8u2build0.14.04.1 (Accepted)
Steve Beattie
sbeattie at ubuntu.com
Thu Jan 18 00:40:47 UTC 2018
xmltooling (1.5.3-2+deb8u2build0.14.04.1) trusty-security; urgency=medium
* fake sync from Debian (LP: #1743762)
xmltooling (1.5.3-2+deb8u2) jessie-security; urgency=high
* [5c2845b] Add gbp.conf for jessie
* [0ffc343] Convert our single patch into a proper patch queue
* [91e7acb] New patch: CVE-2018-0486: vulnerability to forged user attribute
data
The Service Provider software relies on a generic XML parser to process
SAML responses and there are limitations in older versions of the parser
that make it impossible to fully disable Document Type Definition (DTD)
processing.
Through addition/manipulation of a DTD, it's possible to make changes
to an XML document that do not break a digital signature but are
mishandled by the SP and its libraries. These manipulations can alter
the user data passed through to applications behind the SP and result
in impersonation attacks and exposure of protected information.
While the use of XML Encryption can serve as a mitigation for this bug,
it may still be possible to construct attacks in such cases, and the SP
does not provide a means to enforce its use.
CPPXT-127 - Block entity reference nodes during unmarshalling.
https://issues.shibboleth.net/jira/browse/CPPXT-127
Thanks to Scott Cantor
* [49b7352] Update Uploaders: add Etienne, remove Russ, update myself
Date: 2018-01-17 23:08:13.050132+00:00
Changed-By: Steve Beattie <sbeattie at ubuntu.com>
https://launchpad.net/ubuntu/+source/xmltooling/1.5.3-2+deb8u2build0.14.04.1
-------------- next part --------------
Sorry, changesfile not available.
More information about the Trusty-changes
mailing list