Publishing details

Changelog

xmltooling (3.2.0-3+deb11u1) bullseye-security; urgency=high

  * [6afa199] New patch: CPPXT-157 - Install blocking URI resolver into
    Santuario.
    Fix a denial of service vulnerability: Parsing of KeyInfo elements can
    cause remote resource access.
    Including certain legal but "malicious in intent" content in the
    KeyInfo element defined by the XML Signature standard will result
    in attempts by the SP's shibd process to dereference untrusted
    URLs.
    While the content of the URL must be supplied within the message
    and does not include any SP internal state or dynamic content,
    there is at minimum a risk of denial of service, and the attack
    could be combined with others to create more serious vulnerabilities
    in the future.
    Thanks to Scott Cantor for the fix. (Closes: #1037948)

 -- Ferenc Wágner <email address hidden>  Wed, 14 Jun 2023 22:44:03 +0200
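The fix described in the entry above amounts to refusing, at the resolver layer, any KeyInfo reference that would make the verifier fetch something outside the signed message. The following is an added example written here to illustrate that defensive pattern; it is not code from the Debian package, from xmltooling, or from Santuario. It uses only the Python standard library, and the sample KeyInfo document, the host name `untrusted.example` and all function names are constructed for illustration.

```python
# Added example (not part of the Debian changelog or the xmltooling/Santuario
# source): a "blocking" URI resolver for XML Signature KeyInfo references,
# in the spirit of the CPPXT-157 fix described above. Everything below,
# including the sample KeyInfo document, is constructed for illustration.
from urllib.parse import urlsplit
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
RETRIEVAL_METHOD = f"{{{DSIG_NS}}}RetrievalMethod"


class BlockedURIError(Exception):
    """Raised when a KeyInfo reference would require fetching a remote resource."""


def blocking_resolver(uri: str) -> str:
    """Accept only same-document references ('' or '#id'); refuse everything else.

    Returns the fragment identifier (the empty string for a whole-document
    reference). Any URI with a scheme, authority, path or query would make
    the signature verifier reach outside the message, so it is rejected
    before any network or filesystem access can happen.
    """
    parts = urlsplit(uri)
    if parts.scheme or parts.netloc or parts.path or parts.query:
        raise BlockedURIError(f"refusing to dereference external URI: {uri!r}")
    return parts.fragment


def keyinfo_reference_uris(xml_text: str) -> list[str]:
    """Collect the URI attribute of every ds:RetrievalMethod in the document."""
    root = ET.fromstring(xml_text)  # expat does not fetch external DTDs/entities
    return [el.get("URI", "") for el in root.iter(RETRIEVAL_METHOD)]


def check_keyinfo(xml_text: str) -> tuple[list[str], list[str]]:
    """Run every RetrievalMethod URI through the blocking resolver.

    Returns (allowed_fragment_ids, blocked_uris). A real verifier would only
    continue with the allowed list; the blocked list is what you would log
    as a detection signal.
    """
    allowed, blocked = [], []
    for uri in keyinfo_reference_uris(xml_text):
        try:
            allowed.append(blocking_resolver(uri))
        except BlockedURIError:
            blocked.append(uri)
    return allowed, blocked


# Constructed sample: one legitimate same-document reference and one
# RetrievalMethod pointing at an external host (hypothetical name).
SAMPLE_KEYINFO = f"""<ds:KeyInfo xmlns:ds="{DSIG_NS}">
  <ds:RetrievalMethod URI="#cert1" Type="{DSIG_NS}X509Data"/>
  <ds:RetrievalMethod URI="http://untrusted.example/keys.xml"
      Type="{DSIG_NS}X509Data"/>
  <ds:X509Data Id="cert1">
    <ds:X509Certificate>BASE64-CERT-PLACEHOLDER</ds:X509Certificate>
  </ds:X509Data>
</ds:KeyInfo>"""

if __name__ == "__main__":
    ok, refused = check_keyinfo(SAMPLE_KEYINFO)
    print("allowed same-document ids:", ok)
    print("blocked external URIs:   ", refused)
```

The point of the design is that the decision is made purely on the syntactic shape of the URI, before any I/O: a same-document reference carries nothing but a fragment, so anything with a scheme, host, path or query is refused outright rather than fetched and then judged. Counting refusals per sender is a cheap detection signal for the kind of message the changelog describes.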
