Security fix for Shibboleth SP and nul character in certs

Scott Cantor cantor.2 at osu.edu
Fri Sep 18 13:50:58 UTC 2009


Russ Allbery wrote on 2009-09-17:
> Scott, is this the correct hunk of the multiple changes between 2.2 and
> 2.2.1 to pull out for the security vulnerability?

No, that's an unrelated fix in the htaccess code that was incorrectly
denying access with certain policies (so not a security bug, just a bug).

The cert name fix for 2.x is this:
http://svn.middleware.georgetown.edu/view/cpp-xmltooling?view=rev&revision=606

That particular fix is in xmltooling.

For the old 1.3 series, it's elsewhere; do you need that also?

> There were a fair number of other changes, and my C++ was never very good,
> so I'm not completely sure I identified the right hunk or got all of it.

If you tell me which fixes you want the patches for I can probably identify
them all, but in general you can use the issues list in Jira and link to the
"Fix for Version" lists to see the fixed issues and usually they'll link to
the svn rev that shows the diff.

There were two security issues formally identified for the 2.2.1 release,
though the other one is less serious. That one is addressed by these bugs:

https://bugs.internet2.edu/jira/browse/CPPXT-34
https://bugs.internet2.edu/jira/browse/CPPOST-28
 
-- Scott
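The thread names the fix but does not describe what it changes. As an added illustration that is not code from this page, from Shibboleth, or from xmltooling, the following C++ snippet shows the defect class the subject line refers to: a certificate name that carries an embedded NUL byte, when compared with C string functions, matches whatever precedes the NUL, while a length-aware comparison sees the whole value and rejects it. The sample name, the function names and the check itself are constructed for this example.

```cpp
#include <cstring>
#include <iostream>
#include <string>

// Constructed sample: a subject name whose ASN.1 length covers bytes that
// sit behind an embedded NUL. sizeof() includes the literal's terminator,
// so subtracting 1 keeps the embedded NUL and the hidden tail, 36 bytes.
static const char kRaw[] = "login.example.org\0hidden.example.net";
static const std::string kEmbeddedNulName(kRaw, sizeof(kRaw) - 1);

// Naive comparison through C strings: strcmp stops at the first NUL, so
// the bytes after it are never examined and the name appears to match.
bool naiveNameMatches(const std::string& certName, const std::string& expected) {
    return std::strcmp(certName.c_str(), expected.c_str()) == 0;
}

// Length-aware check mirroring the usual fix: the declared length of the
// encoded string must not exceed the bytes before the first NUL. memchr is
// bounded by declaredLen, so it never reads past the buffer.
bool hasEmbeddedNul(const char* data, size_t declaredLen) {
    return std::memchr(data, '\0', declaredLen) != nullptr;
}

// Hardened comparison: reject any name containing a NUL, then compare the
// full length-delimited value rather than a C string view of it.
bool safeNameMatches(const std::string& certName, const std::string& expected) {
    if (hasEmbeddedNul(certName.data(), certName.size())) {
        return false;
    }
    return certName == expected;
}

int main() {
    const std::string expected = "login.example.org";
    std::cout << "naive match: " << naiveNameMatches(kEmbeddedNulName, expected) << "\n";  // 1
    std::cout << "safe match:  " << safeNameMatches(kEmbeddedNulName, expected) << "\n";   // 0
    std::cout << "clean name:  " << safeNameMatches(expected, expected) << "\n";           // 1
    return 0;
}
```

The point for a reviewer backporting such a fix is that the comparison must use the length the encoding declares, not the length a NUL-terminated view implies; any code path that hands a certificate name to strcmp, strlen or similar is a candidate for the same defect.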
