Debian has issued an advisory on July 30: https://www.debian.org/security/2015/dsa-3321

Mageia 4 and Mageia 5 are also affected.
Whiteboard: (none) => MGA5TOO, MGA4TOO
Blocks: (none) => 16690
Blocks: 16690 => (none)
The Debian bug has a link to the upstream commit to fix this. They also have a link to the upstream advisory, which notes that opensaml needs to be rebuilt against the updated xmltooling. These are used by shibboleth-sp, which we recently updated for a different issue, and were unable to really test. Just make sure these packages update OK.

Advisory:
========================

Updated xmltooling and opensaml packages fix security vulnerability:

The InCommon Shibboleth Training team discovered that XMLTooling, a C++ XML parsing library, did not properly handle an exception when parsing well-formed but schema-invalid XML. This could allow remote attackers to cause a denial of service (crash) via crafted XML data (CVE-2015-0851).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0851
http://shibboleth.net/community/advisories/secadv_20150721.txt
https://www.debian.org/security/2015/dsa-3321
========================

Updated packages in core/updates_testing:
========================

libxmltooling6-1.5.3-3.1.mga4
libxmltooling-devel-1.5.3-3.1.mga4
xmltooling-schemas-1.5.3-3.1.mga4
opensaml-bin-2.5.2-4.1.mga4
libopensaml8-2.5.2-4.1.mga4
libopensaml-devel-2.5.2-4.1.mga4
opensaml-schemas-2.5.2-4.1.mga4

libxmltooling6-1.5.3-5.1.mga5
libxmltooling-devel-1.5.3-5.1.mga5
xmltooling-schemas-1.5.3-5.1.mga5
opensaml-bin-2.5.2-6.1.mga5
libopensaml8-2.5.2-6.1.mga5
libopensaml-devel-2.5.2-6.1.mga5
opensaml-schemas-2.5.2-6.1.mga5

from SRPMS:
xmltooling-1.5.3-3.1.mga4.src.rpm
opensaml-2.5.2-4.1.mga4.src.rpm
xmltooling-1.5.3-5.1.mga5.src.rpm
opensaml-2.5.2-6.1.mga5.src.rpm
CC: (none) => guillomovitch
Version: Cauldron => 5
Assignee: guillomovitch => qa-bugs
Whiteboard: MGA5TOO, MGA4TOO => MGA4TOO has_procedure
I'm going to test this - stay tuned.
CC: (none) => shlomif
Marking as MGA5-64-OK MGA4-32-OK.
Whiteboard: MGA4TOO has_procedure => MGA4TOO has_procedure MGA5-64-OK MGA4-32-OK
Marking as MGA5-32-OK.
Whiteboard: MGA4TOO has_procedure MGA5-64-OK MGA4-32-OK => MGA4TOO has_procedure MGA5-64-OK MGA4-32-OK MGA5-32-OK
Tested everywhere. Validating.
Keywords: (none) => validated_update
Whiteboard: MGA4TOO has_procedure MGA5-64-OK MGA4-32-OK MGA5-32-OK => MGA4TOO has_procedure MGA5-64-OK MGA4-32-OK MGA5-32-OK MGA4-64-OK
CC: (none) => sysadmin-bugs
Advisory uploaded.
Whiteboard: MGA4TOO has_procedure MGA5-64-OK MGA4-32-OK MGA5-32-OK MGA4-64-OK => MGA4TOO has_procedure advisory MGA5-64-OK MGA4-32-OK MGA5-32-OK MGA4-64-OK
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0350.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED