-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 14 Jun 2023 22:57:00 CEST
Source: xmltooling
Architecture: source
Version: 3.2.0-3+deb11u1
Distribution: bullseye-security
Urgency: high
Maintainer: Debian Shib Team
Changed-By: Ferenc Wágner
Closes: 1037948
Changes:
 xmltooling (3.2.0-3+deb11u1) bullseye-security; urgency=high
 .
   * [6afa199] New patch: CPPXT-157 - Install blocking URI resolver into
     Santuario.
     Fix a denial of service vulnerability: Parsing of KeyInfo elements can
     cause remote resource access. Including certain legal but "malicious in
     intent" content in the KeyInfo element defined by the XML Signature
     standard will result in attempts by the SP's shibd process to
     dereference untrusted URLs. While the content of the URL must be
     supplied within the message and does not include any SP internal state
     or dynamic content, there is at minimum a risk of denial of service,
     and the attack could be combined with others to create more serious
     vulnerabilities in the future.
     Thanks to Scott Cantor for the fix.
     (Closes: #1037948)
Checksums-Sha256:
 04fc132929de9741b71c9ebf804a645a053cb3575a4f1f8aa886dc0ef638bed6 2571 xmltooling_3.2.0-3+deb11u1.dsc
 97fe34c11a2e10dae3b926ddecf0498561c60d27371cb3d05220505a25ef590f 18656 xmltooling_3.2.0-3+deb11u1.debian.tar.xz
 9e407b3f07f45807176ca0e6d8f00236eeac3dcc4e166baa87100d5ccb9429e4 10625 xmltooling_3.2.0-3+deb11u1_amd64.buildinfo
 635ce0e912d8fbd450103c274237067923efac3e1b3662b4d3040f3ac5eb2e86 608764 xmltooling_3.2.0.orig.tar.bz2
Checksums-Sha1:
 1ffc1adb469469b42d728ef3209d6fa6483960fc 2571 xmltooling_3.2.0-3+deb11u1.dsc
 33e192bede0347e0dfadbab03b13d347a8bb1311 18656 xmltooling_3.2.0-3+deb11u1.debian.tar.xz
 c7fe02c11bc92c6f081b9286fd1b77d6f838cd2f 10625 xmltooling_3.2.0-3+deb11u1_amd64.buildinfo
 8486dc37703ae527733a17cd35a09ed57f26c2fb 608764 xmltooling_3.2.0.orig.tar.bz2
Files:
 31000f3b66e7bdf02474e47cbff289dc 2571 libs optional xmltooling_3.2.0-3+deb11u1.dsc
 7bab0039cf333652a696b86c5288c42a 18656 libs optional xmltooling_3.2.0-3+deb11u1.debian.tar.xz
 6bf8a70d0f530fae6744c54695f73145 10625 libs optional xmltooling_3.2.0-3+deb11u1_amd64.buildinfo
 91714fbb372715d874a1c48cac686df8 608764 libs optional xmltooling_3.2.0.orig.tar.bz2

-----BEGIN PGP SIGNATURE-----

iQJFBAEBCgAvFiEEwddEx0RNIUL7eugtOsj3Fkd+2yMFAmSKKbkRHHdmZXJpQGRl
Ymlhbi5vcmcACgkQOsj3Fkd+2yM4qg/+P0oZuHJafA3b4UDrtfvc/oSggfgeQr+O
0dxj9lzFhyG49KBNo7Crn+uHN79MXJl6qpswrE2Y/QgcgNR4AzmrV3WBgVVBWtCf
kHaea8MZr3rU5hAgPgAh/svGeQYPTp0RKnrRrB9vMFyNTqjLsfKUz5XAG1K2PrW+
KNk/w1sOMbDP8/+iMKm6fouq60p+JgI1pmYlklOX005eHqY9xj9mnXUWF/15L5AC
8veGpysA5btVB/F+JSJJBYwt2njyQxR6olqiN17ukAcIZMbL7LTdfm7lWVZ4lMt3
Rm4EOBmXLlIAKJFjw6fFBki8WTyfuc69zDSbOnhnEVjP71VXYUJ8yWoqN6S/hNTt
tXtBXXVW8XAXWquIV9oxMLr7M0CspimG9n7cNOr0pLHFfMZI+pmO4GI033KwqAeC
6izu4yShZbHXaATo1G+FvjpvnxSTitKlgdv6CZD+2Q6pQGA0IcZqlQ9UGqSjJh+7
vAUGqBzzAuacInDTahsrJfwLhxHaqfNh6f9zpPZzWpJn8dtwQFunL8M8puzrzRuv
zxfffHxDM/P9sPpNd9uGOdYl2Es80L6wuqEjeItRTTaR229tnkkTU6u7+VXStYPf
7MSjOCeULQ8xc4zgzBxKipR5iD7AAjNzueO9XTXK0R/2Pulz2hJ1ISaNhRDrE0Th
se+UXHp8TUo=
=33tL
-----END PGP SIGNATURE-----
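The changelog above describes the fix as a "blocking URI resolver": when the XML Signature library resolves references inside a ds:KeyInfo, any reference that is not a same-document fragment is refused instead of being fetched. The following is an added illustration of that policy in Python, written for this page; it is not xmltooling's or Santuario's code and does not reproduce the CPPXT-157 patch. It assumes the ds:RetrievalMethod element of the XML Signature standard as the carrier of the URI, a constructed sample document, and the hypothetical function names used here.

```python
"""Illustration of a "blocking" resolver for URIs found in ds:KeyInfo.

Added example, not xmltooling's or Santuario's code. Policy shown:
same-document references ("#id") are resolved locally; everything else
is refused, so the parser never opens a network or file connection on
the strength of content supplied inside a message.
"""
import xml.etree.ElementTree as ET

# ElementTree spells namespaced tags as "{namespace}local".
DS = "{http://www.w3.org/2000/09/xmldsig#}"

# Constructed sample: one local reference to a KeyInfo carried in the same
# document, and one absolute URL of the kind the changelog warns about.
# The certificate value is a placeholder, not a real certificate.
SAMPLE_DOC = """<Root xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:KeyInfo Id="ki-1">
    <ds:X509Data><ds:X509Certificate>PLACEHOLDER-BASE64</ds:X509Certificate></ds:X509Data>
  </ds:KeyInfo>
  <ds:Signature>
    <ds:KeyInfo>
      <ds:RetrievalMethod URI="#ki-1"
          Type="http://www.w3.org/2000/09/xmldsig#X509Data"/>
      <ds:RetrievalMethod URI="http://example.invalid/attacker.xml"/>
    </ds:KeyInfo>
  </ds:Signature>
</Root>"""


class ExternalReferenceBlocked(Exception):
    """Raised when a KeyInfo reference would require fetching a remote resource."""


def classify_uri(uri):
    """'local' only for same-document fragments; anything else, including a
    relative path or an empty URI, is treated as external (conservative)."""
    return "local" if uri.startswith("#") and len(uri) > 1 else "external"


def resolve_key_info(doc_xml, blocking=True):
    """Walk every ds:RetrievalMethod in the document and report, per URI,
    what a resolver would do: 'resolved' / 'missing' for local fragments,
    'blocked' under the blocking policy, 'would-fetch' under a permissive one.
    Nothing is ever fetched here, in either mode."""
    root = ET.fromstring(doc_xml)
    by_id = {el.get("Id"): el for el in root.iter() if el.get("Id")}
    outcomes = []
    for rm in root.iter(DS + "RetrievalMethod"):
        uri = rm.get("URI", "")
        if classify_uri(uri) == "local":
            target = by_id.get(uri[1:])
            outcomes.append((uri, "resolved" if target is not None else "missing"))
        elif blocking:
            outcomes.append((uri, "blocked"))
        else:
            outcomes.append((uri, "would-fetch"))
    return outcomes


def require_local_key_info(doc_xml):
    """Strict form: reject the whole message if any KeyInfo reference would
    have to leave the document. Returns True when the message is acceptable."""
    blocked = [uri for uri, status in resolve_key_info(doc_xml) if status == "blocked"]
    if blocked:
        # A defender would log these URIs: they are a useful detection signal.
        raise ExternalReferenceBlocked("refusing external KeyInfo references: %r" % blocked)
    return True


if __name__ == "__main__":
    for uri, status in resolve_key_info(SAMPLE_DOC):
        print(status, uri)
```

The permissive mode exists only to make the contrast visible: a resolver that returns "would-fetch" is the behaviour the changelog describes as the denial-of-service risk, because the URL is chosen entirely by whoever wrote the message.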