Format: 1.8
Date: Tue, 12 Mar 2019 13:40:20 +0100
Source: xmltooling
Binary: libxmltooling7 libxmltooling-dev xmltooling-schemas libxmltooling-doc
Architecture: source
Version: 1.6.0-4+deb9u2
Distribution: stretch-security
Urgency: high
Maintainer: Debian Shib Team <pkg-shibboleth-devel@lists.alioth.debian.org>
Changed-By: Ferenc Wágner <wferi@debian.org>
Description:
 libxmltooling-dev - C++ XML parsing library with encryption support (development)
 libxmltooling-doc - C++ XML parsing library with encryption support (API docs)
 libxmltooling7 - C++ XML parsing library with encryption support (runtime)
 xmltooling-schemas - XML schemas for XMLTooling
Closes: 924346
Changes:
 xmltooling (1.6.0-4+deb9u2) stretch-security; urgency=high
 .
   * [2f0c065] New patch fixing CVE-2019-9628:
     uncaught exception on malformed XML declaration.
     Invalid data in the XML declaration causes an exception of a type that
     was not handled properly in the parser class and propagates an
     unexpected exception type. This generally manifests as a crash in the
     calling code, which in the Service Provider software's case is usually
     the shibd daemon process, but can be Apache in some cases. Note that
     the crash occurs prior to evaluation of a message's authenticity, so
     can be exploited by an untrusted attacker.
     https://shibboleth.net/community/advisories/secadv_20190311.txt
     https://issues.shibboleth.net/jira/browse/CPPXT-143
     Thanks to Scott Cantor (Closes: #924346)