-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 14 Jun 2023 18:52:03 +0200
Source: xmltooling
Architecture: source
Version: 3.2.3-1+deb12u1
Distribution: bookworm-security
Urgency: high
Maintainer: Debian Shib Team <pkg-shibboleth-devel@alioth-lists.debian.net>
Changed-By: Ferenc Wágner <wferi@debian.org>
Closes: 1037948
Changes:
 xmltooling (3.2.3-1+deb12u1) bookworm-security; urgency=high
 .
   * [9e43891] New patch: CPPXT-157 - Install blocking URI resolver into
     Santuario.
     Fix a denial of service vulnerability: Parsing of KeyInfo elements can
     cause remote resource access. Including certain legal but "malicious in
     intent" content in the KeyInfo element defined by the XML Signature
     standard will result in attempts by the SP's shibd process to
     dereference untrusted URLs. While the content of the URL must be
     supplied within the message and does not include any SP internal state
     or dynamic content, there is at minimum a risk of denial of service,
     and the attack could be combined with others to create more serious
     vulnerabilities in the future. Thanks to Scott Cantor for the fix.
     (Closes: #1037948)
Checksums-Sha1:
 3591432fe34bf18216c181fa802ef15a61892d9e 2822 xmltooling_3.2.3-1+deb12u1.dsc
 cf8f73d5592e71c4ebabb8c6f93a4d8db3e42081 620767 xmltooling_3.2.3.orig.tar.bz2
 9327a0d4f15477d8661813b1f69e184ed023c2ec 833 xmltooling_3.2.3.orig.tar.bz2.asc
 fe92a349ede365171316d085d10234ad3617fa1b 19052 xmltooling_3.2.3-1+deb12u1.debian.tar.xz
 8ba5f046c2fd81bb302a73843e86348d3fccd181 7156 xmltooling_3.2.3-1+deb12u1_source.buildinfo
Checksums-Sha256:
 c72c9fdac41ed7058c6da1375d731daae31b503c8f0b5fee49d3a526d8274f91 2822 xmltooling_3.2.3-1+deb12u1.dsc
 95b8296ffb1facd86eaa9f24d4a895a7c55a3cd838450b4d20bc1651fdf45132 620767 xmltooling_3.2.3.orig.tar.bz2
 4f2107f7c3810bb37660bc9ce4ad79a4b9b1892247020ae4c201fe8cfe33b903 833 xmltooling_3.2.3.orig.tar.bz2.asc
 72abed1f896dd3998b9a7efd18b0cccd6c9d6b9876281bb8e8dd95ca329cd38c 19052 xmltooling_3.2.3-1+deb12u1.debian.tar.xz
 57d9d867bb72d8844a223dab78d5b4ac2fbf40f180a240a51ce69bb5c7a7700c 7156 xmltooling_3.2.3-1+deb12u1_source.buildinfo
Files:
 9fb7a16382b796df025a6e4cbc5435ea 2822 libs optional xmltooling_3.2.3-1+deb12u1.dsc
 f5920350ee964a4c38c566394894f09b 620767 libs optional xmltooling_3.2.3.orig.tar.bz2
 b5a5cb6e1670d73cb8219d8f60d66ff0 833 libs optional xmltooling_3.2.3.orig.tar.bz2.asc
 0fa0a36e297474767b3d51f130a7bd8d 19052 libs optional xmltooling_3.2.3-1+deb12u1.debian.tar.xz
 b3e9d77d97276466a01b39cea4f391e7 7156 libs optional xmltooling_3.2.3-1+deb12u1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQJFBAEBCgAvFiEEwddEx0RNIUL7eugtOsj3Fkd+2yMFAmSOKG4RHHdmZXJpQGRl
Ymlhbi5vcmcACgkQOsj3Fkd+2yMCyxAAlPx9SE4eRmvbKinGexuAMn8I5cXLnaVf
WCob0wPAXfQggssdHvELDwFxV3JljqzeLMWjHWUrCEs/wQi35ZL4kELTVdftBeZE
7mw4mXETTmImrP5ZGFX7l28EZuhNezNs7MvI581udk5xKTJICUyFy01+FvK2q7vA
9onsxNLDNpeg7ux3/GCbmbB/EWo3uRXK9gcXv4jipEokeHp0oYrksrX6VC+xMZ+z
v0fOJ8MP7h/TMEX3rarfBE3Tq+glbPLwZYE1L8SDNI23v4k+oLJqZ881uX2w9f7e
0c1VwqjidX9m5gjk1CbEbQrs/ZRKw4P5kBG70FOputIC3CSitAN/YTsBHugVFAfR
y7ex7vZi+na/Fm7tZVrKVUVVK/8NIuSjJLfFTyVbjTg6Hq/ikJz+Yd0wxr5d/zEi
ulFSqTHjdD4n4jzvfcEZkslshJu0RrUNtj6NEXHRh/k6Yv78ZsmuFSKpBZkpUusR
70vrcFOaKGdzcwkSTwLrtRelY2p5jf5X91m2I//vpvgmmg3KyQpJENEObk0YMzlt
K8vPI+l1YKA6S+nEELl8J39jDsvBwS6mx8awNQpaZGubwRcKZzWNXUk0Z1hZNyDF
j1QGPj/I9Aag8pNGG6S6u2QdG0FHagFqupmvktHlCsxLJFqcSjQ4WH+Epnq6XZVY
3YFZKu2qrBw=
=5aNx
-----END PGP SIGNATURE-----
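Added example, placed after the signed message and not part of it, nor of the xmltooling package, the Shibboleth SP, or the CPPXT-157 patch (which installs a blocking URI resolver into the C++ Santuario library). The changelog above describes the mechanism, KeyInfo content that makes shibd dereference attacker-chosen URLs, and names the mitigation, a resolver that refuses to fetch. The Python below shows the shape of that mitigation on a constructed sample: every URI a KeyInfo carries is collected and classified without any I/O, and only same-document references or an explicit host allow-list survive. The advisory does not say which KeyInfo construct triggers the fetch; this sketch assumes the URI attribute of ds:RetrievalMethod as the illustrative carrier (an element XML Signature defines for exactly that purpose). The sample XML, the allow-listed host, and all function and class names are this example's own.

```python
"""Default-deny URI check for XML Signature KeyInfo content (added example).

Illustration code for this page; not part of xmltooling, Shibboleth, or the
CPPXT-157 patch. Names, sample data and the allow-listed host are constructed.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample: three RetrievalMethods, only the first of which points
# back into the signed document itself. The other two are the kind of
# "legal but malicious in intent" content the advisory refers to (assumed).
SAMPLE_KEYINFO = """\
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:KeyName>sp-signing-key</ds:KeyName>
  <ds:RetrievalMethod URI="#local-cert"
      Type="http://www.w3.org/2000/09/xmldsig#X509Data"/>
  <ds:RetrievalMethod URI="https://attacker.example/keyinfo.xml"
      Type="http://www.w3.org/2000/09/xmldsig#X509Data"/>
  <ds:RetrievalMethod URI="file:///etc/shibboleth/sp-key.pem"/>
</ds:KeyInfo>
"""


def collect_keyinfo_uris(xml_text):
    """Return [(local_name, uri)] for every URI attribute under the KeyInfo,
    in document order, without dereferencing any of them."""
    root = ET.fromstring(xml_text)
    found = []
    for el in root.iter():
        uri = el.get("URI")
        if uri is not None:
            # el.tag is "{namespace}local"; keep only the local name.
            found.append((el.tag.rpartition("}")[2], uri))
    return found


class BlockingUriResolver:
    """Default-deny resolver: same-document references pass, an explicit
    host allow-list passes, everything else is refused before any I/O."""

    def __init__(self, allowed_hosts=()):
        self.allowed_hosts = frozenset(h.lower() for h in allowed_hosts)

    def classify(self, uri):
        # "" and "#id" are same-document references in XML Signature.
        if uri == "" or uri.startswith("#"):
            return "same-document"
        parts = urlsplit(uri)
        # urlsplit().hostname strips userinfo and port, so a URI such as
        # "https://allowed-host@evil-host/" is judged by evil-host.
        if (parts.scheme.lower() in ("http", "https")
                and parts.hostname
                and parts.hostname.lower() in self.allowed_hosts):
            return "allowed"
        # file:, relative paths, unknown schemes, unlisted hosts: blocked.
        return "blocked"

    def authorize(self, uri):
        """Raise PermissionError for anything that would leave the document
        and is not allow-listed; return the verdict otherwise."""
        verdict = self.classify(uri)
        if verdict == "blocked":
            raise PermissionError(f"refusing to dereference {uri!r}")
        return verdict


def audit_keyinfo(xml_text, resolver):
    """Classify every URI a KeyInfo carries; nothing is fetched."""
    return [(name, uri, resolver.classify(uri))
            for name, uri in collect_keyinfo_uris(xml_text)]


if __name__ == "__main__":
    resolver = BlockingUriResolver(allowed_hosts=["metadata.example.org"])
    for name, uri, verdict in audit_keyinfo(SAMPLE_KEYINFO, resolver):
        print(f"{verdict:14} {name} URI={uri}")
```

The point of the design is that the decision is taken from the URI string alone, before a socket or file is opened, so a message can at most make the verifier refuse, never make it reach out. Note that this is a sketch of the pattern in a different language; the real fix lives in Santuario's C++ resolver interface and is not reproduced here.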