Shibboleth security fixes for Debian lenny
Russ Allbery
rra at debian.org
Fri Sep 18 02:01:42 UTC 2009
I've just pushed updates to the lenny branches of xmltooling, opensaml2,
and shibboleth-sp2, which backport the security fixes for the
vulnerabilities:
http://shibboleth.internet2.edu/secadv/secadv_20090826.txt
http://shibboleth.internet2.edu/secadv/secadv_20090817.txt
http://shibboleth.internet2.edu/secadv/secadv_20090817a.txt
I've tested the resulting packages against TestShib Two and they work to
that extent, but as before I'm not in a position to do any sophisticated
testing. If you're in a position to test and could give it a try, that
would be great. The packages should build without any trouble on lenny.
I'm going to contact the Debian security team and see how they want to
handle these vulnerabilities. I'm guessing that stable updates will be
the preferred way for all but the xmltooling problem, but since the
xmltooling problem is a potential buffer overflow, that may get a regular
advisory.
Let me know if building from Git is a challenge and you need pre-built
packages in a public repository for testing. I can arrange that.
--
Russ Allbery (rra at debian.org) <http://www.eyrie.org/~eagle/>
More information about the Pkg-shibboleth-devel
mailing list