xmltooling (1.6.4-1ubuntu2.1) bionic-security; urgency=high

  * SECURITY UPDATE: uncaught exception on malformed XML declaration
    Invalid data in the XML declaration causes an exception of a type that
    was not handled properly in the parser class and propagates an
    unexpected exception type.
    This generally manifests as a crash in the calling code, which in the
    Service Provider software's case is usually the shibd daemon process,
    but can be Apache in some cases. Note that the crash occurs prior to
    evaluation of a message's authenticity, so can be exploited by an
    untrusted attacker.
    - debian/patches/CVE-2019-9628.patch
    - CVE-2019-9628
    - https://shibboleth.net/community/advisories/secadv_20190311.txt
    - LP: #1819912

 -- Etienne Dysli Metref <email address hidden>  Thu, 14 Mar 2019 11:56:34 +0100

xmltooling (1.6.4-1ubuntu2) bionic; urgency=medium

  * Switch back to openssl1.0 via newly-added libcurl-openssl1.0-dev, since
    libxml-security is not ported to openssl1.1.

 -- Steve Langasek <email address hidden>  Tue, 06 Mar 2018 10:04:50 +0100

xmltooling (1.6.4-1ubuntu1) bionic; urgency=medium

  * Switch build-depends for OpenSSL 1.1.

 -- Steve Langasek <email address hidden>  Wed, 28 Feb 2018 14:19:08 -0800

xmltooling (1.6.4-1) unstable; urgency=high

  * [6c27b19] New upstream security release 1.6.4
    DSA-4126-1, CVE-2018-0489: additional data forgery flaws
    These flaws allow for changes to an XML document that do not break a
    digital signature but alter the user data passed through to applications,
    enabling impersonation attacks and exposure of protected information.
    https://shibboleth.net/community/advisories/secadv_20180227.txt
    https://issues.shibboleth.net/jira/browse/CPPXT-128
  * [621ab19] Refresh our patches

 -- Ferenc Wágner <email address hidden>  Wed, 28 Feb 2018 10:39:05 +0100

xmltooling (1.6.3-1build1) bionic; urgency=medium

  * No-change rebuild against libcurl4

 -- Steve Langasek <email address hidden>  Wed, 28 Feb 2018 08:55:18 +0000

xmltooling (1.6.3-1) unstable; urgency=medium

  [ Russ Allbery ]
  * [d7ea37c] Remove myself from Uploaders

  [ Ferenc Wágner ]
  * [69aa1e6] New upstream release
  * [c0bccbb] Refresh our patches
  * [5aff9d0] Update gbp configuration
    - Move pristine-tar = True into the DEFAULT section
    - Add merge-mode = replace into the import-orig section
  * [ca00359] Update Standards-Version to 4.1.3 (no changes required)
  * [9cee97e] Migrate to salsa.debian.org/shib-team
  * [3eaf72e] Lintian does not emit embedded-javascript-library for Doxygen
    anymore

 -- Ferenc Wágner <email address hidden>  Mon, 22 Jan 2018 10:54:47 +0100

xmltooling (1.6.2-1) unstable; urgency=medium

  * [9a9308f] Use HTTPS in debian/watch
  * [91be34e] New upstream release (1.6.1)
  * [360556e] Refresh our patches
  * [e9fc2e5] New upstream release (1.6.2)
  * [5166246] Refresh our patches
  * [04ee5fc] Update Standards-Version to 4.1.1 (no changes needed)

 -- Ferenc Wágner <email address hidden>  Mon, 20 Nov 2017 08:48:10 +0100

xmltooling (1.6.0-5build1) bionic; urgency=medium

  * No-change rebuild for libxerces-c3.2

 -- Iain Lane <email address hidden>  Mon, 20 Nov 2017 15:52:59 +0000

xmltooling (1.6.0-5) unstable; urgency=medium

  * [7362bda] Provide a GCC 7 build with strict enough shlibs.
    OpenSAML fails to build with GCC 7 with XMLTooling built with GCC 6,
    because its samlsign executable does not find a symbol whose mangling
    changed. So build with GCC 7 from now on, and include a corresponding
    shlibs dependency to force OpenSAML to pull in this build.
    This change must be left out of backports. (Closes: #874654)
  * [d74a461] Follow upstream URL change in watch file
  * [da7692d] Switch to using HTTPS in the debian/copyright URLs
  * [e42dab7] Update Standards-Version to 4.1.0.
    The "extra" priority became deprecated; promote to "optional".

 -- Ferenc Wágner <email address hidden>  Fri, 08 Sep 2017 21:12:25 +0200