Plans for Shibboleth SP 2.1 debian packages

Scott Cantor cantor.2 at osu.edu
Thu Nov 5 18:15:48 UTC 2009


Russ Allbery wrote on 2009-11-05:
> 3. Security fixes for the version of Shibboleth 2.x that released with
>    Debian lenny.  This is where the security-only portions are needed.
>    I don't have a good read on how serious this vulnerability is.

My official position is that it's moderately serious for the SP's own
operations and potentially very serious for deployed applications but very
dependent on their session handling details. All XSS issues have more or
less the same kinds of widely varying impact, so whatever the usual
judgement is would apply.

>    It's going to be difficult for the security team to do the update
>    through a
>    regular security advisory due to the SONAME change and the multiple
>    packages involved, so I'm sure they'd prefer to do this through the
>    stable update process, but that means the new packages wouldn't be
>    released until the next stable update.  I don't know how acceptable
>    that is from a security standpoint.

It's likely possible to come up with a backported fix that doesn't change
the sonames; it just requires a lot more code duplication that I wasn't
about to do upstream. But that confirms the concern I had at the time about
what would happen with the fix.

Do you think it makes more sense to consider bundling all of the libraries
into the one master package? There's really no demand for these libraries
separately, or at least not enough to make your life so hard.
 
> 4. Security fixes for the Shibboleth 1.x that released with lenny.  This
>    too will want security-only patches.

Those are ABI neutral (because the fix is duplicated in several places).

Anyway, I have all of the relevant changes tracked and I can supply the svn
diffs for each package when you need them.

-- Scott
