Control: tags -1 + confirmed
On 2020-01-12 14:39, Ferenc Wágner wrote:
+xml-security-c (1.7.3-4+deb9u2) stretch; urgency=medium
+
+ * [12dd825] New patches: DSA verification crashes OpenSSL on invalid
+ combinations of key content.
+ Particular KeyInfo combinations result in incomplete DSA key
structures
+ that OpenSSL can't handle without crashing. In the case of
Shibboleth
+ SP software this manifests as a crash in the shibd daemon.
Exploitation
+ is believed to be possible only in deployments employing the PKIX
trust
+ engine, which is generally recommended against.
+ The upstream patches backported from 2.0.2 apply analogous
safeguards to
+ the RSA and ECDSA key handling as well.
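Review bot: the changelog entry points only at the packaging commit [12dd825] and names no upstream commit ids for the "patches backported from 2.0.2", nor a Debian bug or upstream issue reference; consider adding those (a Closes: line if a bug exists, and the upstream commit ids) so the DSA crash fix and the analogous RSA/ECDSA safeguards are traceable from the changelog alone.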
Please go ahead.
Regards,
Adam