group.of.nepali.translators team mailing list archive

[Bug 1743762] Re: Security bug in XMLTooling-C before 1.6.3 [CVE-2018-0486]

This bug was fixed in the package xmltooling -
1.5.3-2+deb8u2build0.14.04.1

---------------
xmltooling (1.5.3-2+deb8u2build0.14.04.1) trusty-security; urgency=medium

  * fake sync from Debian (LP: #1743762)

xmltooling (1.5.3-2+deb8u2) jessie-security; urgency=high

  * [5c2845b] Add gbp.conf for jessie
  * [0ffc343] Convert our single patch into a proper patch queue
  * [91e7acb] New patch: CVE-2018-0486: vulnerability to forged user attribute
    data
    The Service Provider software relies on a generic XML parser to process
    SAML responses and there are limitations in older versions of the parser
    that make it impossible to fully disable Document Type Definition (DTD)
    processing.
    Through addition/manipulation of a DTD, it's possible to make changes
    to an XML document that do not break a digital signature but are
    mishandled by the SP and its libraries. These manipulations can alter
    the user data passed through to applications behind the SP and result
    in impersonation attacks and exposure of protected information.
    While the use of XML Encryption can serve as a mitigation for this bug,
    it may still be possible to construct attacks in such cases, and the SP
    does not provide a means to enforce its use.
    CPPXT-127 - Block entity reference nodes during unmarshalling.
    https://issues.shibboleth.net/jira/browse/CPPXT-127
    Thanks to Scott Cantor
  * [49b7352] Update Uploaders: add Etienne, remove Russ, update myself

 -- Steve Beattie <sbeattie@xxxxxxxxxx>  Wed, 17 Jan 2018 14:38:30 -0800
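The changelog entry above names the root cause (DTD processing that the parser in use could not be made to fully disable) and the fix (blocking entity reference nodes during unmarshalling). The following Python is an added illustration, not XMLTooling's own code, of enforcing the same control at the parser boundary with the standard-library expat binding: a strict front-end aborts the parse at the first DOCTYPE declaration, before any element content reaches the caller, while the default parser silently substitutes DTD-defined entity text into element content. The document bytes, element names and the `who` entity are constructed for this example.

```python
# Added example (not XMLTooling's code): refuse any XML document that carries
# a DOCTYPE, so DTD-defined entities can never shape the content handed on.
import xml.parsers.expat


class DtdRejected(ValueError):
    """The document declares a DOCTYPE and is refused before any element is delivered."""


# Constructed sample documents (not taken from any real SAML exchange).
CLEAN_DOC = b"""<?xml version="1.0"?>
<Response><Assertion><Attribute Name="uid">alice</Attribute></Assertion></Response>"""

# Same element structure, but the attribute value now comes from an entity
# declared in an internal DTD subset rather than from the element text itself.
DTD_DOC = b"""<?xml version="1.0"?>
<!DOCTYPE Response [ <!ENTITY who "alice"> ]>
<Response><Assertion><Attribute Name="uid">&who;</Attribute></Assertion></Response>"""


def _attach_content_handlers(parser):
    """Collect (element, text) pairs in end-tag order; returns the list being filled."""
    events, stack = [], []

    def on_start(tag, attrs):
        stack.append([tag, []])

    def on_chars(text):
        # Entity-substituted text arrives here exactly like literal text,
        # which is why the application cannot tell the two apart afterwards.
        if stack:
            stack[-1][1].append(text)

    def on_end(tag):
        name, parts = stack.pop()
        events.append((name, "".join(parts)))

    parser.StartElementHandler = on_start
    parser.CharacterDataHandler = on_chars
    parser.EndElementHandler = on_end
    return events


def parse_lenient(data: bytes) -> list:
    """Default expat behaviour: internal entities are expanded without complaint."""
    parser = xml.parsers.expat.ParserCreate()
    events = _attach_content_handlers(parser)
    parser.Parse(data, True)
    return events


def parse_no_dtd(data: bytes) -> list:
    """Strict variant: any DOCTYPE (internal or external subset) aborts the parse.

    Predefined entities (&amp; &lt; ...) and numeric character references are
    still accepted, since they carry no DTD-defined content.
    """
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DtdRejected(
            f"DOCTYPE '{name}' present (internal subset: {bool(has_internal_subset)})"
        )

    def on_entity_decl(*args):
        # Defence in depth: entities can only be declared inside a DTD, so this
        # is not reached when on_doctype fires, but it costs nothing to keep.
        raise DtdRejected(f"entity declaration {args[0]!r}")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    events = _attach_content_handlers(parser)
    parser.Parse(data, True)
    return events


def accepts(data: bytes) -> bool:
    """True when the strict parser is willing to deliver the document's content."""
    try:
        parse_no_dtd(data)
        return True
    except DtdRejected:
        return False


if __name__ == "__main__":
    print("lenient, clean:", parse_lenient(CLEAN_DOC))
    print("lenient, DTD:  ", parse_lenient(DTD_DOC))   # same output: substitution is invisible
    print("strict, clean: ", accepts(CLEAN_DOC))       # True
    print("strict, DTD:   ", accepts(DTD_DOC))         # False
```

The lenient parse of both documents yields the identical `("Attribute", "alice")` pair, which is the core of the problem the advisory describes: once the parser has substituted entity text, downstream code has no way to know which bytes were literally present. Rejecting the DOCTYPE outright is the parser-level equivalent of the library's decision to block entity reference nodes, and it is the check to apply wherever the parser in use cannot be configured to disable DTD processing entirely.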

** Changed in: xmltooling (Ubuntu Trusty)
       Status: Triaged => Fix Released

** Changed in: xmltooling (Ubuntu Xenial)
       Status: Triaged => Fix Released

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1743762

Title:
  Security bug in XMLTooling-C before 1.6.3 [CVE-2018-0486]

Status in xmltooling package in Ubuntu:
  Triaged
Status in xmltooling source package in Trusty:
  Fix Released
Status in xmltooling source package in Xenial:
  Fix Released
Status in xmltooling source package in Artful:
  Triaged
Status in xmltooling source package in Bionic:
  Triaged

Bug description:
  From the Debian bug report at
  https://www.debian.org/security/2018/dsa-4085:

      Philip Huppert discovered the Shibboleth service provider is
  vulnerable to impersonation attacks and information disclosure due to
  mishandling of DTDs in the XMLTooling XML parsing library. For
  additional details please refer to the upstream advisory at
  https://shibboleth.net/community/advisories/secadv_20180112.txt

      For the oldstable distribution (jessie), this problem has been
  fixed in version 1.5.3-2+deb8u2.

      The stable distribution (stretch) is not affected.

      We recommend that you upgrade your xmltooling packages.

      For the detailed security status of xmltooling please refer to its
  security tracker page at:
  https://security-tracker.debian.org/tracker/xmltooling

  This bug is fixed upstream in Debian.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/xmltooling/+bug/1743762/+subscriptions