Changelog
xmltooling (3.2.0-3+deb11u1) bullseye-security; urgency=high

  * [6afa199] New patch: CPPXT-157 - Install blocking URI resolver into
    Santuario.
    Fix a denial of service vulnerability: Parsing of KeyInfo elements can
    cause remote resource access.
    Including certain legal but "malicious in intent" content in the
    KeyInfo element defined by the XML Signature standard will result
    in attempts by the SP's shibd process to dereference untrusted
    URLs.
    While the content of the URL must be supplied within the message
    and does not include any SP internal state or dynamic content,
    there is at minimum a risk of denial of service, and the attack
    could be combined with others to create more serious vulnerabilities
    in the future.
    Thanks to Scott Cantor for the fix. (Closes: #1037948)

 -- Ferenc Wágner <email address hidden>  Wed, 14 Jun 2023 22:44:03 +0200
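The changelog entry above describes the class of KeyInfo content the blocking resolver defends against: a key reference whose URI the signature library would dereference. The following is an added example, not code from the xmltooling package or the Debian patch; it assumes only the standard XML Signature `ds:RetrievalMethod` element, and pre-screens a message for KeyInfo references that point outside the document (the same references a blocking URI resolver refuses to fetch).

```python
# Added illustration (not part of xmltooling): list every ds:KeyInfo
# reference that would require a remote fetch. Same-document references
# ("#id") are fine; anything else is an untrusted, message-supplied URL.
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
KEYINFO = f"{{{DS_NS}}}KeyInfo"
RETRIEVAL_METHOD = f"{{{DS_NS}}}RetrievalMethod"


def remote_keyinfo_references(xml_text: str) -> list[str]:
    """Return the URIs inside ds:KeyInfo elements that are not same-document.

    XML Signature allows KeyInfo to carry ds:RetrievalMethod elements whose
    URI attribute says where the key material lives. A URI starting with '#'
    refers to the message itself; any other URI asks the resolver to go
    and fetch attacker-chosen content, which is what a blocking URI
    resolver prevents and what a front-end filter can reject up front.
    """
    root = ET.fromstring(xml_text)  # expat does not fetch external entities
    remote = []
    for keyinfo in root.iter(KEYINFO):
        for method in keyinfo.iter(RETRIEVAL_METHOD):
            uri = method.get("URI", "")
            if not uri.startswith("#"):
                remote.append(uri)
    return remote


# Constructed sample messages (not captured traffic). The first carries a
# benign same-document reference plus one that points at an outside host.
SUSPECT_MESSAGE = f"""<Response xmlns:ds="{DS_NS}">
  <ds:Signature>
    <ds:KeyInfo>
      <ds:RetrievalMethod URI="#cert-in-message"/>
      <ds:RetrievalMethod URI="http://key-server.invalid/pub.xml"/>
    </ds:KeyInfo>
  </ds:Signature>
</Response>"""

BENIGN_MESSAGE = f"""<Response xmlns:ds="{DS_NS}">
  <ds:Signature>
    <ds:KeyInfo><ds:KeyName>idp-signing-key</ds:KeyName></ds:KeyInfo>
  </ds:Signature>
</Response>"""

if __name__ == "__main__":
    print(remote_keyinfo_references(SUSPECT_MESSAGE))  # one remote URI
    print(remote_keyinfo_references(BENIGN_MESSAGE))   # []
```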