Security bug in xml-security-c may require rebuilding of this package

Bug #807416 reported by John Cooper
This bug affects 2 people
Affects: shibboleth-sp2 (Ubuntu)
Status: Invalid
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

There is a security vulnerability in the xml-security-c library that may require this module to be rebuilt once that has been patched.

More info at:

http://shibboleth.internet2.edu/secadv/secadv_20110706.txt

I have logged the xml library bug already and will link to it.

John Cooper (choffee) wrote :

This links to the Bug #807414 in the xml-security-c package.

visibility: private → public
Steve Beattie (sbeattie) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

Changed in shibboleth-sp2 (Ubuntu):
status: New → Confirmed
Joshua Daniel Franklin (joshuadfranklin) wrote :

I'd love to see this security update synced from debian.

Aaron J. Zirbes (ajz) wrote :

RE: sbeattie,

If this is a bug due to an upstream linked library, is only a re-compile and re-package once libxml-security-c15 1.5.1-3+squeeze1build0.10.04.1 is installed required?

Right? No need for a debdiff?

Russ Allbery (rra-debian) wrote :

No update or recompile of the shibboleth-sp2 package is required for either the xml-security-c or the opensaml2 security advisories so far as I know. Only upgrading the libraries to patched versions and then restarting shibd and Apache is required, I think. The changes didn't affect the external API of the libraries, only the internal shared library code.
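
An added check, not part of this bug report, for the point made in the comment above: after libxml-security-c is upgraded in place, shibd and Apache keep running the old library code until they are restarted. On Linux a process that still has the replaced file mapped shows it as "(deleted)" in /proc/<pid>/maps. The function names, the library filenames and the sample maps excerpt below are constructed for illustration.

```shell
#!/bin/sh
# stale_mappings MAPS_FILE LIBPATTERN
# Prints each mapped file whose path matches LIBPATTERN and that the kernel
# marks "(deleted)", i.e. the on-disk file was replaced (package upgrade)
# while the process still runs the old copy. Paths are printed once each.
stale_mappings() {
    awk -v pat="$2" '
        NF >= 6 && $0 ~ pat && $0 ~ /\(deleted\)$/ {
            # the path is field 6 onward (it may contain spaces)
            path = $6
            for (i = 7; i <= NF; i++) path = path " " $i
            sub(/ \(deleted\)$/, "", path)
            if (!(path in seen)) { seen[path] = 1; print path }
        }' "$1"
}

# check_maps_file MAPS_FILE LIBPATTERN -> returns 0 if clean, 1 if stale
check_maps_file() {
    stale="$(stale_mappings "$1" "$2")"
    if [ -n "$stale" ]; then
        printf 'still mapping replaced library (restart needed):\n%s\n' "$stale"
        return 1
    fi
    return 0
}

# check_process PID LIBPATTERN -> same, for a live process (needs /proc)
check_process() {
    check_maps_file "/proc/$1/maps" "$2"
}

# Constructed excerpt of a /proc/<pid>/maps file for a shibd that was not
# restarted after the upgrade (addresses and inode numbers are made up).
sample_maps() {
    cat <<'EOF'
7f3a1c000000-7f3a1c1a5000 r-xp 00000000 08:01 1310843 /usr/lib/libxml-security-c.so.15.0.0 (deleted)
7f3a1c1a5000-7f3a1c3a4000 ---p 001a5000 08:01 1310843 /usr/lib/libxml-security-c.so.15.0.0 (deleted)
7f3a1c500000-7f3a1c640000 r-xp 00000000 08:01 1310900 /usr/lib/libxerces-c-3.1.so
7f3a1c700000-7f3a1c710000 r-xp 00000000 08:01 1310912 /usr/lib/libsaml.so.7.0.0
7f3a1c800000-7f3a1c821000 rw-p 00000000 00:00 0
EOF
}

# Demonstration on the constructed sample; on a real host you would run
# check_process "$(pidof shibd)" libxml-security-c instead.
tmp_maps="$(mktemp)"
sample_maps > "$tmp_maps"
check_maps_file "$tmp_maps" 'libxml-security-c' || true
rm -f "$tmp_maps"
```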

Russ Allbery (rra-debian) wrote :

Marking invalid since, as noted, no recompilation should be required after the affected library package has been upgraded.

Changed in shibboleth-sp2 (Ubuntu):
status: Confirmed → Invalid