Hi Emmanuel,

Thanks for the quick feedback.

On Fri, Mar 13, 2015 at 10:42:41AM +0100, Emmanuel Bourg wrote:
> Hi Salvatore,
>
> Thank you for the report. Looking at the commit r1680 mentioned on the
> security tracker I fail to see how it addresses the vulnerability
> described. I suspect this is actually a vulnerability in a dependency
> shared by opensaml and idp (maybe xmltooling which contains the
> PKIXValidationInformationResolver class, or shib-common with a recent
> commit referring to the same SIDP-624 issue [1]).

Note the commit reference was added by me, while searching to isolate
where the problem lies, i.e. searching for relevant commits between tag
2.6.4 and 2.6.5. I don't understand libopensaml2-java well enough,
though.

The upstream advisory just says:

    Affected Versions
    =================
    Versions of OpenSAML Java < 2.6.5

    [...]

    OpenSAML users: Upgrade to OpenSAML Java 2.6.5 or greater, if PKIX
    trust engines are in use. PKIX trust engine implementations in this
    version will fail a candidate credential if no trusted names are
    resolved for the relevant entityID; the existing PKIX resolver
    implementations now also automatically treat the target entityID as
    an implicit trusted name. If this is not feasible, ensure that ALL
    entity data resolved via instances of
    PKIXValidationInformationResolver have at least 1 trusted name which
    is resolveable. For resolvers based on SAML metadata, see IdP
    recommendations below.

    [...]

https://bugzilla.redhat.com/show_bug.cgi?id=1196619 and
https://bugzilla.novell.com/show_bug.cgi?id=922199 both don't give much
more information.

Regards,
Salvatore
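The advisory text quoted above describes two behavioural changes: the PKIX trust engine now fails a candidate credential when no trusted names resolve for the entityID, and the resolvers add the target entityID as an implicit trusted name. The following model, added here as an illustration and not OpenSAML's or Shibboleth's code or API, shows why the combination matters. Credential, trust anchor and entityID values are constructed; `chain_validates` is a stand-in for real PKIX path validation, and the `fail_closed` / `implicit_entity_id` switches are hypothetical knobs used only to contrast the old and new behaviour.

```python
"""Model of the PKIX trusted-name check described in the OpenSAML advisory.

Added illustration, not OpenSAML code. Real X.509 path validation, metadata
resolution and the OpenSAML trust-engine API are replaced by small stand-ins;
all sample values below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Credential:
    """Stand-in for an X.509 end-entity certificate."""
    subject_cn: str
    issuer: str
    sans: frozenset = frozenset()  # subject alternative names (URI / DNS)

    def names(self) -> set:
        """All names the credential asserts, as a PKIX name check would see them."""
        return {self.subject_cn} | set(self.sans)


def chain_validates(cred: Credential, trust_anchors: set) -> bool:
    """Stand-in for PKIX path validation: accept if issued by a trusted anchor.
    (Real validation also checks signatures, validity periods, revocation, ...)"""
    return cred.issuer in trust_anchors


def resolve_trusted_names(metadata_key_names, entity_id: str,
                          implicit_entity_id: bool) -> set:
    """Model of the resolver: names from metadata, plus (after the fix) the
    target entityID itself as an implicit trusted name."""
    names = set(metadata_key_names)
    if implicit_entity_id:
        names.add(entity_id)
    return names


def evaluate(cred: Credential, trusted_names: set, trust_anchors: set,
             fail_closed: bool = True) -> bool:
    """Model of the trust engine's decision for one candidate credential.

    fail_closed=False reproduces the pre-2.6.5 behaviour described in the
    advisory: with no trusted names resolved, the name check is skipped and
    any chain-valid credential from a trusted anchor is accepted.
    fail_closed=True is the 2.6.5 behaviour: no trusted names -> reject.
    """
    if not chain_validates(cred, trust_anchors):
        return False
    if not trusted_names:
        return not fail_closed
    return bool(cred.names() & trusted_names)


# Constructed sample data: one federation CA, one target entity, and a second
# federation member whose certificate is signed by the same CA.
TRUST_ANCHORS = {"CN=Example Federation CA"}
ENTITY_ID = "https://sp.example.org/shibboleth"
LEGIT = Credential("sp.example.org", "CN=Example Federation CA",
                   frozenset({ENTITY_ID}))
OTHER = Credential("other.example.net", "CN=Example Federation CA")
UNTRUSTED = Credential("sp.example.org", "CN=Unknown CA", frozenset({ENTITY_ID}))


def run_scenarios() -> dict:
    """Metadata for ENTITY_ID carries no trusted names at all; compare outcomes."""
    no_names = resolve_trusted_names([], ENTITY_ID, implicit_entity_id=False)
    implicit = resolve_trusted_names([], ENTITY_ID, implicit_entity_id=True)
    return {
        # Old behaviour: both members of the federation are accepted for this entity.
        "old_other_accepted": evaluate(OTHER, no_names, TRUST_ANCHORS, fail_closed=False),
        "old_legit_accepted": evaluate(LEGIT, no_names, TRUST_ANCHORS, fail_closed=False),
        # Engine fix alone: fail closed, so even the legitimate credential is
        # rejected until metadata supplies at least one resolvable trusted name
        # (the "ensure ALL entity data ... have at least 1 trusted name" advice).
        "fixed_engine_other_accepted": evaluate(OTHER, no_names, TRUST_ANCHORS),
        "fixed_engine_legit_accepted": evaluate(LEGIT, no_names, TRUST_ANCHORS),
        # Engine fix plus resolver fix: entityID is an implicit trusted name, so
        # only the credential that actually names the entity passes.
        "fixed_both_other_accepted": evaluate(OTHER, implicit, TRUST_ANCHORS),
        "fixed_both_legit_accepted": evaluate(LEGIT, implicit, TRUST_ANCHORS),
        # Chain validation still rejects anything not rooted in a trust anchor.
        "untrusted_ca_accepted": evaluate(UNTRUSTED, implicit, TRUST_ANCHORS),
    }


if __name__ == "__main__":
    for case, accepted in run_scenarios().items():
        print(f"{case:30s} {accepted}")
```

The model makes the advisory's operational advice concrete: with the engine fix alone, an entity whose metadata yields no trusted names is rejected outright, which is why the advisory asks operators who cannot upgrade to make sure every entity resolves at least one trusted name; with both fixes, the entityID itself fills that role.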