Lenny fixes for opensaml2 and shibboleth-sp2

Russ Allbery rra at debian.org
Thu Nov 26 21:46:37 UTC 2009


Moritz Muehlenhoff <jmm at inutil.org> writes:
> On Thu, Nov 26, 2009 at 05:23:20PM +0100, Ferenc Wagner wrote:

>> Security team,

>> I'm backporting the fixes to #555608 (CVE-2009-3300) into Lenny.
>> Upstream solved the issue by introducing new static class members in
>> xmltooling, which lies at the bottom of the library stack, and invoking
>> them from the necessary places.  This resulted in soname changes in
>> libxmltooling, libsaml and libshibsp, which I'm trying to avoid.  It
>> seems readily possible in the opensaml library, but not quite in
>> libshibsp, so I ask for your opinion: may I add two new exported
>> symbols to libshibsp, or should I add the same function definitions to
>> each component?  Or even, should I add static functions into header
>> files (which would mostly go unused, raising warnings from GCC)?

> I'm adding Russ Allbery to CC, he wrote he was working on an update as
> well, we should agree on a common solution.

> Personally I'd be fine with new exported symbols, but we should let
> Russ comment first.

I'm pretty distracted at the moment with company for the US Thanksgiving
holiday, and therefore haven't looked at the fix in depth, but Ferenc's
approach seems reasonable to me.  New exported symbols in the libshibsp
package shouldn't matter to anything else, since nothing outside of that
source package is linked against it.

-- 
Russ Allbery (rra at debian.org)               <http://www.eyrie.org/~eagle/>



More information about the Pkg-shibboleth-devel mailing list