Your message dated Fri, 20 Nov 2009 15:34:17 +0000
with message-id <e1nbvv3-0001ss...@ries.debian.org>
and subject line Bug#555608: fixed in shibboleth-sp2 2.3+dfsg-1
has caused the Debian Bug report #555608,
regarding CVE-2009-3300
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
555608: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=555608
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: shibboleth-sp2
Severity: serious
Tags: security
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for shibboleth-sp2.
CVE-2009-3300[0]:
| Multiple cross-site scripting (XSS) vulnerabilities in the Identity
| Provider (IdP) 1.3.x before 1.3.4 and 2.x before 2.1.5, and the
| Service Provider 1.3.x before 1.3.5 and 2.x before 2.3, in Internet2
| Middleware Initiative Shibboleth allow remote attackers to inject
| arbitrary web script or HTML via URLs that are encountered in
| redirections, and appear in automatically generated forms.
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3300
http://security-tracker.debian.org/tracker/CVE-2009-3300
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAkr5XtEACgkQNxpp46476apFCACbBss6JYADgu8V21ve+ETiRWxR
udUAn2O3g+VpKRxIbSAT9/pFA/gL851Y
=K2dl
-----END PGP SIGNATURE-----
--- End Message ---
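The bug class named in the CVE text above (a URL encountered during a redirect being spliced unescaped into an automatically generated form) as an added illustration; this is not code from the Shibboleth project or from the Debian thread, and the helper names are hypothetical. It shows the vulnerable splicing pattern beside a hardened version that HTML-escapes every interpolated value and accepts only absolute http(s) targets.

```cpp
#include <algorithm>
#include <cctype>
#include <map>
#include <string>

// Hypothetical helper (not Shibboleth's API): escape the five HTML-significant characters.
std::string htmlEscape(const std::string& in) {
    std::string out;
    for (char c : in) {
        switch (c) {
            case '&':  out += "&amp;";  break;
            case '<':  out += "&lt;";   break;
            case '>':  out += "&gt;";   break;
            case '"':  out += "&quot;"; break;
            case '\'': out += "&#39;";  break;
            default:   out += c;
        }
    }
    return out;
}

// Only absolute http(s) URLs are acceptable redirect or form targets (scheme compared case-insensitively).
bool isHttpUrl(const std::string& url) {
    std::string lower(url);
    std::transform(lower.begin(), lower.end(), lower.begin(),
                   [](unsigned char ch) { return std::tolower(ch); });
    return lower.rfind("http://", 0) == 0 || lower.rfind("https://", 0) == 0;
}

// Vulnerable pattern: the URL and parameters are spliced verbatim into attribute values,
// so a double quote in the URL closes the attribute and the remainder is rendered as markup.
std::string buildFormUnsafe(const std::string& url, const std::map<std::string, std::string>& params) {
    std::string html = "<form method=\"POST\" action=\"" + url + "\">";
    for (const auto& p : params)
        html += "<input type=\"hidden\" name=\"" + p.first + "\" value=\"" + p.second + "\"/>";
    return html + "</form>";
}

// Hardened pattern: reject non-http(s) targets and escape every interpolated value.
bool buildFormSafe(const std::string& url, const std::map<std::string, std::string>& params, std::string& html) {
    if (!isHttpUrl(url)) return false;
    html = "<form method=\"POST\" action=\"" + htmlEscape(url) + "\">";
    for (const auto& p : params)
        html += "<input type=\"hidden\" name=\"" + htmlEscape(p.first) + "\" value=\"" + htmlEscape(p.second) + "\"/>";
    html += "</form>";
    return true;
}
```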
--- Begin Message ---
Source: shibboleth-sp2
Source-Version: 2.3+dfsg-1
We believe that the bug you reported is fixed in the latest version of
shibboleth-sp2, which is due to be installed in the Debian FTP archive:
libapache2-mod-shib2_2.3+dfsg-1_i386.deb
to main/s/shibboleth-sp2/libapache2-mod-shib2_2.3+dfsg-1_i386.deb
libshibsp-dev_2.3+dfsg-1_i386.deb
to main/s/shibboleth-sp2/libshibsp-dev_2.3+dfsg-1_i386.deb
libshibsp-doc_2.3+dfsg-1_all.deb
to main/s/shibboleth-sp2/libshibsp-doc_2.3+dfsg-1_all.deb
libshibsp4_2.3+dfsg-1_i386.deb
to main/s/shibboleth-sp2/libshibsp4_2.3+dfsg-1_i386.deb
shibboleth-sp2-schemas_2.3+dfsg-1_all.deb
to main/s/shibboleth-sp2/shibboleth-sp2-schemas_2.3+dfsg-1_all.deb
shibboleth-sp2_2.3+dfsg-1.diff.gz
to main/s/shibboleth-sp2/shibboleth-sp2_2.3+dfsg-1.diff.gz
shibboleth-sp2_2.3+dfsg-1.dsc
to main/s/shibboleth-sp2/shibboleth-sp2_2.3+dfsg-1.dsc
shibboleth-sp2_2.3+dfsg.orig.tar.gz
to main/s/shibboleth-sp2/shibboleth-sp2_2.3+dfsg.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 555...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Russ Allbery <r...@debian.org> (supplier of updated shibboleth-sp2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Wed, 11 Nov 2009 14:39:44 -0800
Source: shibboleth-sp2
Binary: libapache2-mod-shib2 libshibsp4 libshibsp-dev libshibsp-doc
shibboleth-sp2-schemas
Architecture: source i386 all
Version: 2.3+dfsg-1
Distribution: unstable
Urgency: high
Maintainer: Debian Shib Team <pkg-shibboleth-de...@lists.alioth.debian.org>
Changed-By: Russ Allbery <r...@debian.org>
Description:
libapache2-mod-shib2 - Federated web single sign-on system (Apache module)
libshibsp-dev - Federated web single sign-on system (development)
libshibsp-doc - Federated web single sign-on system (API docs)
libshibsp4 - Federated web single sign-on system (runtime)
shibboleth-sp2-schemas - Federated web single sign-on system (schemas)
Closes: 555608
Changes:
shibboleth-sp2 (2.3+dfsg-1) unstable; urgency=high
.
  [ Russ Allbery ]
  * Urgency set to high for security fix.
  * New upstream release.
    - SECURITY: Partial fix for improper handling of URLs that could be
      abused for script injection and other cross-site scripting attacks.
      The complete fix also requires newer xmltooling and opensaml2
      packages. (Closes: #555608, CVE-2009-3300)
    - Avoid shibd crash on dead memcache server.
    - Pass the affiliation name to the session initiator.
    - Correctly handle a bogus ACS.
    - Allow overriding the URL that's passed to the DS.
    - Add schema types for new attribute decoders introduced in 2.2.
    - Handle success with partial logout in the logout UI code.
    - Fix POST data preservation with empty parameters and empty forms.
    - Fix SAML 1 specification of attributes in the query plugin.
    - Shorten ePTId-type persistent identifiers.
    - Use an ID rather than a whole doc reference for generated metadata.
    - Fix spelling of scopeDelimiter in the configuration parser, making
      the code and documentation match the schema.
  * Rename library package for upstream SONAME bump.
  * Tighten build and package dependencies on xmltooling and opensaml2 to
    require the versions with the security fix.
  * Fix watch file for the new version mangling.
  * Improve documentation of DAEMON_OPTS in /etc/default/shibd.
  * Remove unnecessary patches to upstream files regenerated during the
    build from the source package diff.
.
  [ Faidon Liambotis ]
  * Run make install with NOKEYGEN=1 and stop rm-ing generated
    certificates. Fixes FTBFS.
.
  [ Ferenc Wagner ]
  * Run shibd as non-root.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAkr7Vs0ACgkQ+YXjQAr8dHaxrACeJ+6wMT/7bQqGfsRIG2gRzZrw
2dgAnRZJ4loHHKJ8zhallh+Lw/98uWp4
=duds
-----END PGP SIGNATURE-----
--- End Message ---