Format: 1.8
Date: Fri, 3 Aug 2018 14:30:43 CEST
Source: xml-security-c
Binary: libxml-security-c17v5 libxml-security-c-dev xml-security-c-utils
Architecture: source
Version: 1.7.3-4+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Debian Shib Team <pkg-shibboleth-devel@lists.alioth.debian.org>
Changed-By: Ferenc Wágner <wferi@debian.org>
Description:
 libxml-security-c-dev - C++ library for XML Digital Signatures (development)
 libxml-security-c17v5 - C++ library for XML Digital Signatures (runtime)
 xml-security-c-utils - C++ library for XML Digital Signatures (utilities)
Closes: 905332
Changes:
 xml-security-c (1.7.3-4+deb9u1) stretch-security; urgency=high
 .
   * [93b87c6] New patch: Default KeyInfo resolver doesn't check for empty
     element content.
     The Apache Santuario XML Security for C++ library contained a number of
     code paths at risk of dereferencing null pointers when processing various
     kinds of malformed KeyInfo hints typically found in signed or encrypted
     XML. The usual effect is a crash, and in the case of the Shibboleth SP
     software, a crash in the shibd daemon.
     Upstream bug: https://issues.apache.org/jira/projects/SANTUARIO/issues/SANTUARIO-491
     CVE: not assigned yet
     Thanks to Scott Cantor (Closes: #905332)
Checksums-Sha256:
 1b1228439b760703062e60a6daee033dacf293a95a5feba1a81c7c6d6c873ea4 2336 xml-security-c_1.7.3-4+deb9u1.dsc
 73879fa0f820ef06ae3663ff40232abdb9f8ed51a07ea43ab934bac7d9dfafc3 43404 xml-security-c_1.7.3-4+deb9u1.debian.tar.xz
 e5226e7319d44f6fd9147a13fb853f5c711b9e75bf60ec273a0ef8a190592583 909320 xml-security-c_1.7.3.orig.tar.gz
Checksums-Sha1:
 ce52525c4d6b986ab5ef5ddce7255c0d694b22f7 2336 xml-security-c_1.7.3-4+deb9u1.dsc
 4c20d812dcfdea3dc0c475dc627e66b1300a941f 43404 xml-security-c_1.7.3-4+deb9u1.debian.tar.xz
 bcbe98e0bd3695a0b961a223cce53e2f35c4681b 909320 xml-security-c_1.7.3.orig.tar.gz
Files:
 8ef958f00a785116827955dd242dbae2 2336 libs extra xml-security-c_1.7.3-4+deb9u1.dsc
 544a5a74d240da600efe85dc30efa9b2 43404 libs extra xml-security-c_1.7.3-4+deb9u1.debian.tar.xz
 481a0f29d1b6e898da79f80dbbf7b05b 909320 libs extra xml-security-c_1.7.3.orig.tar.gz