-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 14 Jun 2023 22:44:03 +0200
Source: xmltooling
Binary: libxmltooling-dev libxmltooling10 libxmltooling10-dbgsym
Architecture: i386
Version: 3.2.0-3+deb11u1
Distribution: bullseye-security
Urgency: high
Maintainer: amd64 / i386 Build Daemon (x86-ubc-02)
Changed-By: Ferenc Wágner
Description:
 libxmltooling-dev - C++ XML parsing library with encryption support (development)
 libxmltooling10 - C++ XML parsing library with encryption support (runtime)
Closes: 1037948
Changes:
 xmltooling (3.2.0-3+deb11u1) bullseye-security; urgency=high
 .
   * [6afa199] New patch: CPPXT-157 - Install blocking URI resolver into
     Santuario.
     Fix a denial of service vulnerability:
     Parsing of KeyInfo elements can cause remote resource access.
     Including certain legal but "malicious in intent" content in the
     KeyInfo element defined by the XML Signature standard will result in
     attempts by the SP's shibd process to dereference untrusted URLs.
     While the content of the URL must be supplied within the message and
     does not include any SP internal state or dynamic content, there is
     at minimum a risk of denial of service, and the attack could be
     combined with others to create more serious vulnerabilities in the
     future.
     Thanks to Scott Cantor for the fix.
     (Closes: #1037948)