VCS matches the version in the archive
- Git: https://salsa.debian.org/shib-team/shibboleth-sp2.git
- Branch: debian/master
- Path: debian/changelog
- Browser: https://salsa.debian.org/shib-team/shibboleth-sp2
- Last scan: 2021-09-20 12:29:29+00
- Next scan: 2021-09-29 08:42:00+00
- CI pipeline status: failed
- Debian changelog in Git:
  shibboleth-sp (3.2.2+dfsg1-1) unstable; urgency=high

    * [e44283d] New upstream release: 3.2.2
      High urgency because it fixes CVE-2021-31826:
      Session recovery feature contains a null pointer dereference
      The cookie-based session recovery feature added in V3.0 contains a
      flaw that is exploitable on systems *not* using the feature if a
      specially crafted cookie is supplied.
      This manifests as a crash in the shibd daemon.
      Because it is very simple to trigger this condition remotely, it
      results in a potential denial of service condition exploitable by
      a remote, unauthenticated attacker.
      Thanks to Scott Cantor (Closes: #987608)
    * [3a6ac33] Refresh our patches

   -- Ferenc Wágner <email@example.com>  Tue, 27 Apr 2021 12:11:06 +0200
- This branch is even with tag debian/3.2.2+dfsg1-1