severity 434645 important
tags 434645 - security
thanks

Patrik Schnellmann <[EMAIL PROTECTED]> writes:

> Package: libapache2-mod-shib
> Version: 1.3f.dfsg1-2
> Severity: grave
> Tags: security
> Tags: etch
> X-Debbugs-CC: [EMAIL PROTECTED]
> X-Debbugs-CC: [EMAIL PROTECTED]

Denial of service attacks are generally not considered grave security
bugs.  Adjusting tags and priority accordingly.  I'll leave the etch tag,
but realistically it's unlikely that this sort of update will make it into
the stable release.  I would like to get it sorted out going forward,
though.

Do you have a recipe for running ab against a Shibboleth-protected site in
a way that creates this problem?  Does ab have to be able to authenticate
in order to create the problem?

> The Shibboleth Service Provider source code is available at
> http://shibboleth.internet2.edu/downloads/ .

> Binary package available from the same source do not show this behaviour
> because they are compiled with patched versions of the log4cpp and
> xerces-c libraries.

> In other words, this bug is specific to the Debian GNU/Linux
> distribution.  This is due to the fact the package libapache2-mod-shib
> uses the log4cpp and xerces-c libraries within the Debian
> distribution. liblog4cpp4 is not thread-safe and libxerces27 handles
> memory allocation wrongly at least when used with shibd.

So... why did you report the bug against the Shibboleth packages when you
already know that's not where the bug is?

I'll reassign and file proper bug reports when I get a chance.  My
understanding was that the log4cpp in Debian already had the patches
applied by the Shibboleth project, but I may have been incorrect in that
and this indicates I probably am.  The maintainer seemed willing to apply
them the last time I talked to him about them.

I doubt the xerces-c change is relevant to this.  All it does is reduce
memory usage; it shouldn't be causing segfaults.  I'm still hoping that
the Shibboleth folks will get the xerces-c maintainers to take that change
rather than making Debian patch xerces-c itself, although at the moment
they don't seem to be trying that hard.

-- 
Russ Allbery ([EMAIL PROTECTED])               <http://www.eyrie.org/~eagle/>
