-
xmltooling (3.0.2-1ubuntu1.1) cosmic-security; urgency=high
* SECURITY UPDATE: uncaught exception on malformed XML declaration
Invalid data in the XML declaration causes an exception of a type that
was not handled properly in the parser class and propagates an
unexpected exception type.
This generally manifests as a crash in the calling code, which in the
Service Provider software's case is usually the shibd daemon process,
but can be Apache in some cases. Note that the crash occurs prior to
evaluation of a message's authenticity, so can be exploited by an
untrusted attacker.
- debian/patches/CVE-2019-9628.patch
- CVE-2019-9628
- https://shibboleth.net/community/advisories/secadv_20190311.txt
- LP: #1819912
-- Etienne Dysli Metref <email address hidden> Thu, 14 Mar 2019 11:56:34 +0100
-
xmltooling (3.0.2-1ubuntu1) cosmic; urgency=medium
* debian/patches/openssl-1.1.1-compat.patch: Fix build failure with
openssl 1.1.1.
-- Steve Langasek <email address hidden> Fri, 28 Sep 2018 23:13:07 +0000
-
xmltooling (1.6.4-1ubuntu2) bionic; urgency=medium
* Switch back to openssl1.0 via newly-added libcurl-openssl1.0-dev, since
libxml-security is not ported to openssl1.1.
-- Steve Langasek <email address hidden> Tue, 06 Mar 2018 10:04:50 +0100
