Changelog
xmltooling (1.0-2+lenny1) stable-security; urgency=high

  * SECURITY: Certificate subject names were incorrectly matched against
    trusted "key names" when they contained nul characters. This affects
    only Shibboleth deployments relying on the "PKIX" style of trust
    validation, used in the absence of explicit certificate information in
    the SAML metadata provided to the SP and reliance on certificate
    authorities found in the <KeyAuthority> metadata extension element.
    See <http://shibboleth.internet2.edu/secadv/secadv_20090817.txt>
  * SECURITY: Correctly handle decoding of malformed URLs, closing a
    possibly exploitable buffer overflow.
    See <http://shibboleth.internet2.edu/secadv/secadv_20090826.txt>
  * SECURITY: Correctly honor the "use" attribute of <KeyDescriptor> SAML
    metadata to honor restrictions to signing or encryption. This is a
    partial fix; the complete fix also requires a new version of the
    OpenSAML library.
    See <http://shibboleth.internet2.edu/secadv/secadv_20090817a.txt>

 -- Russ Allbery <email address hidden>  Tue, 22 Sep 2009 19:23:54 -0700
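The first item above concerns subject names that carry an embedded NUL byte. The following C++ is an added illustration written for this page, not xmltooling's own code: it shows why a C-string comparison of a DER subject name against a trusted key name goes wrong, and a length-aware check that refuses such names. The function names, the sample subject name and the key name are all constructed for the example.

```cpp
#include <cstring>
#include <iostream>
#include <string>

// Constructed sample: a subject name as it comes out of a DER-encoded
// certificate, i.e. a byte buffer with an explicit length.  The bytes after
// the NUL are part of the name even though a C-string reader never sees them.
static const std::string kSubjectWithNul("sp.example.org\0.example.test", 28);

// Constructed sample: the trusted key name the SP expects to match.
static const std::string kTrustedKeyName = "sp.example.org";

// Vulnerable comparison: the subject name is handed over as a C string, so
// everything past the first NUL is silently dropped and the names look equal.
bool matchesKeyNameUnsafe(const std::string& subjectName,
                          const std::string& keyName) {
    return std::strcmp(subjectName.c_str(), keyName.c_str()) == 0;
}

// Hardened comparison: reject any subject name with an embedded NUL outright
// (no legitimate DNS name or key name contains one), then compare the full
// byte sequence, length included, so nothing after a NUL is ignored.
bool matchesKeyName(const std::string& subjectName,
                    const std::string& keyName) {
    if (subjectName.find('\0') != std::string::npos) {
        return false;
    }
    return subjectName.size() == keyName.size() && subjectName == keyName;
}

int main() {
    std::cout << std::boolalpha
              << "unsafe match: " << matchesKeyNameUnsafe(kSubjectWithNul, kTrustedKeyName) << '\n'
              << "hardened match: " << matchesKeyName(kSubjectWithNul, kTrustedKeyName) << '\n'
              << "hardened exact: " << matchesKeyName(kTrustedKeyName, kTrustedKeyName) << '\n';
    return 0;
}
```

The defensive point is that the name's length must travel with its bytes from the X.509 parser all the way to the comparison; any conversion to a `char*` on the way reintroduces the truncation, so the check belongs as close to the raw subject bytes as possible.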
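The second item above is about decoding malformed URLs. The C++ below is an added example for this page, not the decoder from xmltooling: a strict percent-decoder that treats a truncated `%` sequence at the end of the input, or a non-hex digit after `%`, as an error instead of reading past the end of the buffer. The function names are hypothetical and the inputs in `main` are constructed.

```cpp
#include <cstddef>
#include <iostream>
#include <string>

// Value of a hex digit, or -1 for anything that is not one.
static int hexValue(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

// Strict percent-decoding.  Every '%' must be followed by exactly two hex
// digits; a truncated sequence at the end of the input or a non-hex digit
// makes the whole input invalid.  Returns false on malformed input and leaves
// `out` empty.  The output is a std::string so that a decoded "%00" is carried
// as a real byte with a length rather than acting as a C-string terminator.
bool urlDecodeStrict(const std::string& in, std::string& out) {
    out.clear();
    out.reserve(in.size());
    for (std::size_t i = 0; i < in.size(); ++i) {
        const char c = in[i];
        if (c != '%') {
            out.push_back(c);
            continue;
        }
        // Bounds check before touching in[i+1] and in[i+2]: a trailing "%"
        // or "%X" is rejected rather than read past the end of the buffer.
        if (i + 2 >= in.size()) {
            out.clear();
            return false;
        }
        const int hi = hexValue(in[i + 1]);
        const int lo = hexValue(in[i + 2]);
        if (hi < 0 || lo < 0) {
            out.clear();
            return false;
        }
        out.push_back(static_cast<char>(hi * 16 + lo));
        i += 2;  // skip the two hex digits just consumed
    }
    return true;
}

int main() {
    const char* samples[] = {"a%20b%2Fc", "plain", "abc%4", "abc%", "%zz", "%00"};
    for (const char* s : samples) {
        std::string out;
        const bool ok = urlDecodeStrict(s, out);
        std::cout << '"' << s << "\" -> " << (ok ? "ok, " : "rejected, ")
                  << out.size() << " byte(s)\n";
    }
    return 0;
}
```

Rejecting the whole input on the first bad sequence is a design choice: a decoder that instead passes a lone `%` through, or decodes `%4` by reading whatever byte follows the buffer, is exactly the kind of lenient behaviour that turns a malformed request into an out-of-bounds read or write. Note also that a valid `%00` produces an embedded NUL, so consumers of the decoded value must stay length-aware, which is the same caveat as for the subject-name comparison in the first item.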