Proposed security fixes for Shibboleth 1.x (lenny)

Scott Cantor cantor.2 at osu.edu
Wed Sep 23 20:07:25 UTC 2009


Russ Allbery wrote on 2009-09-22:
> Here is the diff for opensaml and shibboleth-sp for lenny.  I also
> backported the same fixes to the etch versions, which required manually
> applying the patch for certificate naming.  Hopefully I didn't break
> anything.

Are they on different 1.x releases? I wouldn't expect too much difference in
these spots, but it's been a while.

> and here is the more substantial shibboleth-sp patch:

I think you're missing a set of changes to one of the source files in
shib-target (possibly shib-target.cpp?) with a bunch of copies of the URL
fix. The code's a mess. It's in one spot in the new version, but not here.

If you can't find that patch, let me know and I'll look more.

-- Scott





