Denial of Service in opensaml2 (Aktualisierung)
ID: | DSA-3321-2 |
Distribution: | Debian |
Plattformen: | Debian sid, Debian wheezy, Debian jessie, Debian stretch |
Datum: | Sa, 8. August 2015, 12:42 |
Referenzen: | http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0851 |
Applikationen: | OpenSAML |
Update von: | Denial of Service in xmltooling |
Originalnachricht |
|
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 - ------------------------------------------------------------------------- Debian Security Advisory DSA-3321-2 security@debian.org https://www.debian.org/security/ Alessandro Ghedini August 08, 2015 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : opensaml2 CVE ID : CVE-2015-0851 Debian Bug : 794851 It was discovered that opensaml2, a Security Assertion Markup Language library, needed to be rebuilt against a fixed version of the xmltooling package due to its use of macros vulnerable to CVE-2015-0851 as fixed in the DSA 3321-1 update. For reference the original advisory text follows. The InCommon Shibboleth Training team discovered that XMLTooling, a C++ XML parsing library, did not properly handle an exception when parsing well-formed but schema-invalid XML. This could allow remote attackers to cause a denial of service (crash) via crafted XML data. For the oldstable distribution (wheezy), this problem has been fixed in version 2.4.3-4+deb7u1. For the stable distribution (jessie), this problem has been fixed in version 2.5.3-2+deb8u1. For the testing distribution (stretch), this problem has been fixed in version $stretch_VERSION. For the unstable distribution (sid), this problem has been fixed in version $UNSTABLE_VERSION. We recommend that you upgrade your opensaml2 packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCgAGBQJVxddYAAoJEK+lG9bN5XPLgl0P/jqYjaW7MRUFbyNzPgUqqOz5 OzA2dUrr4HpkoGl99EwROHdqhbRPZEmONxfwW3FSe1VpWar6gT2xkr7ovBuxFa6k fX38CSeWIO4olpHDhPBKWcEMYlRptOzWXsEz5e3VPVOyUSxUhYPC/MY7WiLdenwZ F7wmpOVhuGpy2DXneUHo2XT+pOmUaj8i2Lioc1qZVBMFpMqg2OkPCuxj0KbdGfNi q0AyUJ6otqFSB2GeTIyVGXn9DBDel6XL4B97lWAN8MqFKM1x4wDYO17OMhXLiQ85 srjJcM9bq79zWmyYPC72/E3+iHODkR4e31YySFkXnGONgQ0zzg+4D2SGJHgwJpJk jfPPXGdEeMwguo0jMQRxFeCMmoybjB8lKtIeKcq3ZVW4wIrKy1Qg6vnOlzfIsGfx 1i6FIb/dh17Yh+jvFFaYfM7Qv9tDuvTm3qAk+hyhktX6V3ddMZlWjAmsbToZZF5U HUGDmKx7/3gnaCvPJZz5aGdlJ3jtKY1DW1yj91J0LGqOH+LrlrBg5J2bPVyB+Hq/ bSU4s4k4OSmo3cSoWrCEX4dpyfvjJrN15w77Li9gWA7HXI5Vty0Ser1+nJy4c0Nj lcTcSAdqnzAwuwAlhbBrC/whNchJ5tU3huwbyDIzgaNlAGCVs2f4drrjC9XoCkKL 897k2igFbSLklsZSC/jY =rakm -----END PGP SIGNATURE----- -- To UNSUBSCRIBE, email to debian-security-announce-REQUEST@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org Archive: https://lists.debian.org/55c5d759.0986c20a.f35c5.ffffcc29@mx.google.com |