-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Fri, 06 Nov 2009 15:09:04 -0800
Source: opensaml2
Binary: libsaml6 libsaml2-dev opensaml2-tools opensaml2-schemas libsaml2-doc
Architecture: source i386 all
Version: 2.3-1
Distribution: unstable
Urgency: high
Maintainer: Debian Shib Team <pkg-shibboleth-devel@lists.alioth.debian.org>
Changed-By: Russ Allbery <rra@debian.org>
Description:
 libsaml2-dev - Security Assertion Markup Language library (development)
 libsaml2-doc - Security Assertion Markup Language library (API docs)
 libsaml6   - Security Assertion Markup Language library (runtime)
 opensaml2-schemas - Security Assertion Markup Language library (XML schemas)
 opensaml2-tools - Security Assertion Markup Language command-line tools
Changes:
 opensaml2 (2.3-1) unstable; urgency=high
 .
   * Urgency set to high for security fix.
   * New upstream release.
     - SECURITY: Partial fix for improper handling of URLs that could be
       abused for script injection and other cross-site scripting
       attacks.  The complete fix also requires newer xmltooling and
       shibboleth-sp2 packages.  (CVE-2009-3300)
     - Fix crash on assertions with missing SubjectConfirmation.
     - Remove inline functions except for templates or RAII patterns.
     - Remove xml from the inclusive prefix list to avoid bugs in Apache
       Java xmlsec.
     - Honor digest algorithm in whole document signing with empty URI.
   * Rename library package for upstream SONAME bump.
   * Build-depend on libxmltooling-dev 1.3 or later and make libsaml2-dev
     depend on libxmltooling-dev 1.3 or later for the fixes for URL
     sanitization.
   * Build-depend on libxml-security-c-dev 1.5 or later to ensure that all
     builds are consistent.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkr5swcACgkQ+YXjQAr8dHbVggCeNQvx2fTwladWELVFCbabfGyk
e70AoJJfmQ7xTL94HQOGzWI2r3BKsD+9
=LCS8
-----END PGP SIGNATURE-----


Accepted:
libsaml2-dev_2.3-1_i386.deb
  to main/o/opensaml2/libsaml2-dev_2.3-1_i386.deb
libsaml2-doc_2.3-1_all.deb
  to main/o/opensaml2/libsaml2-doc_2.3-1_all.deb
libsaml6_2.3-1_i386.deb
  to main/o/opensaml2/libsaml6_2.3-1_i386.deb
opensaml2-schemas_2.3-1_all.deb
  to main/o/opensaml2/opensaml2-schemas_2.3-1_all.deb
opensaml2-tools_2.3-1_i386.deb
  to main/o/opensaml2/opensaml2-tools_2.3-1_i386.deb
opensaml2_2.3-1.diff.gz
  to main/o/opensaml2/opensaml2_2.3-1.diff.gz
opensaml2_2.3-1.dsc
  to main/o/opensaml2/opensaml2_2.3-1.dsc
opensaml2_2.3.orig.tar.gz
  to main/o/opensaml2/opensaml2_2.3.orig.tar.gz