The patch proposed by the Shibboleth developers is simple enough and would appear to apply to earlier versions. Indeed, the bug has already been patched in Debian stretch (2.6.0+dfsg1-4+deb9u1) and jessie (2.5.3+dfsg-2+deb8u1), which appear to be the original packages from which these derive. The Debian bug report is at https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=881857
Having spent most of my career working with FreeBSD (which has a completely different package model), I'm not confident in my understanding of the relationship between Debian and Ubuntu or of my ability to adequately deal with repackaging this.

** Bug watch added: Debian Bug tracker #881857
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=881857

** Summary changed:

- Shibboleth Service Provider Security Advisory [15 November 2017]
+ CVE-2017-16852 Shibboleth Service Provider Security Advisory [15 November 2017]

--
https://bugs.launchpad.net/bugs/1732606
Title: CVE-2017-16852 Shibboleth Service Provider Security Advisory [15 November 2017]