Format: 1.8
Date: Sun, 5 Aug 2018 20:09:30 CEST
Source: xml-security-c
Binary: libxml-security-c17 libxml-security-c-dev xml-security-c-utils
Architecture: source i386
Version: 1.7.2-3+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Debian Shib Team <pkg-shibboleth-devel@lists.alioth.debian.org>
Changed-By: Ferenc Wágner <wferi@debian.org>
Description:
 libxml-security-c-dev - C++ library for XML Digital Signatures (development)
 libxml-security-c17 - C++ library for XML Digital Signatures (runtime)
 xml-security-c-utils - C++ library for XML Digital Signatures (utilities)
Closes: 905332
Changes:
 xml-security-c (1.7.2-3+deb8u1) jessie-security; urgency=high
 .
   * [109db8e] New patch: Default KeyInfo resolver doesn't check for empty
     element content.
     The Apache Santuario XML Security for C++ library contained a number
     of code paths at risk of dereferencing null pointers when processing
     various kinds of malformed KeyInfo hints typically found in signed or
     encrypted XML. The usual effect is a crash, and in the case of the
     Shibboleth SP software, a crash in the shibd daemon.
     Upstream bug:
     https://issues.apache.org/jira/projects/SANTUARIO/issues/SANTUARIO-491
     CVE: not assigned yet
     Thanks to Scott Cantor (Closes: #905332)
   * [4dafdb4] Replace Russ in Uploaders