Changelog
xmltooling (1.6.0-4+deb9u1) stretch-security; urgency=high

  [ Russ Allbery ]
  * [4e7dec2] Remove myself from Uploaders

  [ Ferenc Wágner ]
  * [2e5cad6] New patch fixing CVE-2018-0486: vulnerability to forged user
    attribute data.
    The Service Provider software relies on a generic XML parser to process
    SAML responses and there are limitations in older versions of the parser
    that make it impossible to fully disable Document Type Definition (DTD)
    processing.
    Through addition/manipulation of a DTD, it's possible to make changes
    to an XML document that do not break a digital signature but are
    mishandled by the SP and its libraries. These manipulations can alter
    the user data passed through to applications behind the SP and result
    in impersonation attacks and exposure of protected information.
    While the use of XML Encryption can serve as a mitigation for this bug,
    it may still be possible to construct attacks in such cases, and the SP
    does not provide a means to enforce its use.
    https://shibboleth.net/community/advisories/secadv_20180112.txt
    CPPXT-127 - Block entity reference nodes during unmarshalling.
    https://issues.shibboleth.net/jira/browse/CPPXT-127
  * [91c50ae] New patches fixing CVE-2018-0489: additional data forgery flaws.
    These flaws allow for changes to an XML document that do not break a
    digital signature but alter the user data passed through to applications
    enabling impersonation attacks and exposure of protected information.
    https://shibboleth.net/community/advisories/secadv_20180227.txt
    https://issues.shibboleth.net/jira/browse/CPPXT-128
    The Add-disallowDoctype-to-parser-configuration.patch is not effective
    under Xerces 3.1 in stretch, but provides more generic protection under
    Xerces 3.2 against issues like CVE-2018-0486. It's included here for
    completeness and to avoid a conflict applying the CVE-2018-0489 patch.
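The two defenses named in this entry (refusing any DOCTYPE, and blocking entity reference nodes before unmarshalling) can be illustrated outside Xerces. The following is an added example, not xmltooling code: a Python/expat stand-in that shows why an internal DTD entity makes the parsed Subject NameID differ from the literal element text, and how a pre-parse DTD check refuses such input. The `check_no_dtd`, `accepted` and `name_id` helpers and the SAML-shaped sample documents are constructed for this example.

```python
# Added example, not xmltooling code: a Python/expat stand-in for the two
# defenses named above. check_no_dtd() mirrors disallowDoctype (reject any
# DOCTYPE) and the entity-reference block (reject any entity declaration).
import xml.etree.ElementTree as ET
import xml.parsers.expat

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

class DtdRejected(ValueError):
    """Document carries a DOCTYPE or an entity declaration."""

def check_no_dtd(xml_bytes: bytes) -> None:
    """Pre-parse scan with expat; raises DtdRejected on the first DTD construct."""
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DtdRejected(f"DOCTYPE {name!r} is not allowed")

    def on_entity_decl(name, *_ignored):
        raise DtdRejected(f"entity declaration {name!r} is not allowed")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.Parse(xml_bytes, True)

def accepted(xml_bytes: bytes) -> bool:
    """True if the hardened pre-check lets the document through."""
    try:
        check_no_dtd(xml_bytes)
        return True
    except DtdRejected:
        return False

def name_id(xml_bytes: bytes, hardened: bool) -> str:
    """Subject NameID the application would act on; hardened=True refuses DTDs."""
    if hardened:
        check_no_dtd(xml_bytes)
    root = ET.fromstring(xml_bytes)  # expat expands internal entities here
    return root.findtext("saml:Subject/saml:NameID", namespaces=SAML_NS)

# Constructed sample: the NameID is delivered through an internal DTD entity,
# so the value the parser hands over differs from the literal element text.
WITH_DTD = b"""<?xml version="1.0"?>
<!DOCTYPE Assertion [ <!ENTITY who "other-user"> ]>
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>&who;</saml:NameID></saml:Subject>
</saml:Assertion>"""
# Constructed sample with no DTD: both paths agree on the NameID.
PLAIN = WITH_DTD.replace(b'<!DOCTYPE Assertion [ <!ENTITY who "other-user"> ]>\n', b"").replace(b"&who;", b"alice")
```

With the default path, `name_id(WITH_DTD, hardened=False)` returns the entity's replacement text rather than anything literally present in the NameID element; the hardened path raises `DtdRejected` before the document is unmarshalled.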
 -- Ferenc Wágner <email address hidden>  Thu, 22 Feb 2018 10:49:29 +0100