Proposed security patch for xmltooling
Russ Allbery
rra at debian.org
Tue Sep 22 21:53:18 UTC 2009
"Scott Cantor" <cantor.2 at osu.edu> writes:
> Russ Allbery wrote on 2009-09-22:
>> There were some changes that seemed to be related to UTF8 to UTF-8
>> naming changes that I didn't pull up since I didn't think they were
>> security-related, but I'm a bit unsure on what patches went into the
>> fix for URL decoding, so I could have gotten that wrong.
> The XML encoding thing? You could consider that a security fix in the
> sense that it creates a bit of a DoS vector if you prevent somebody from
> obtaining updated metadata. The backup copy that the SP was writing out
> isn't readable by some tools. But it's somewhat obscure, and certainly
> didn't rise to the level of an advisory, no.

Okay, thanks, I'll leave that one.

Thank you *so* much for your help on this. Your support here has been
truly excellent.

--
Russ Allbery (rra at debian.org) <http://www.eyrie.org/~eagle/>
More information about the Pkg-shibboleth-devel mailing list