-
xmltooling (1.5.3-2+deb8u3) jessie-security; urgency=high
* [2890d0c] New patches fixing CVE-2018-0489: additional data forgery flaws.
These flaws allow for changes to an XML document that do not break a
digital signature but alter the user data passed through to applications
enabling impersonation attacks and exposure of protected information.
https://shibboleth.net/community/advisories/secadv_20180227.txt
https://issues.shibboleth.net/jira/browse/CPPXT-128
The Add-disallowDoctype-to-parser-configuration.patch is not effective
under Xerces 3.1 in jessie, but provides more generic protection under
Xerces 3.2 against issues like CVE-2018-0486. It's included here for
completeness and to avoid a conflict applying the CVE-2018-0489 patch.
-- Ferenc Wágner <email address hidden> Thu, 22 Feb 2018 09:50:20 +0100
-
xmltooling (1.5.3-2+deb8u1) jessie-security; urgency=high
* Apply security fix from 1.5.5 for CVE-2015-0851 DoS (Closes: #793855):
Shibboleth SP software crashes on well-formed but invalid XML
-- Ferenc Wagner <email address hidden> Sun, 19 Jul 2015 19:06:38 +0200
-
xmltooling (1.5.3-2) unstable; urgency=low
* Upload to unstable.
-- Russ Allbery <email address hidden> Thu, 11 Jul 2013 18:56:32 -0700
-
xmltooling (1.4.2-5) unstable; urgency=low
* Revert changes to add symbols file. Due to churn in weak symbols for
inlined functions, it doesn't appear maintainanable with existing
tools, and for this library the shlibs behavior seems sufficient.
* Update Autotools build files via dh_autoreconf.
* Force linking with -lpthread, working around a bug in libtool that
drops the linkage because it uses -nostdlib. See #468555.
-- Russ Allbery <email address hidden> Tue, 31 Jan 2012 16:35:46 -0800
