robrichards / xmlseclibs

A PHP library for XML Security
BSD 3-Clause "New" or "Revised" License

vulnerability in XMLsecLibs #162

Closed attritionorg closed 6 years ago

attritionorg commented 6 years ago

Per the https://simplesamlphp.org/security/201802-01 advisory, it appears XMLsecLibs is impacted. They say other vendors were contacted, but not whether upstream was. Sharing it here in case you were not in the loop.

attritionorg commented 6 years ago

ping @robrichards

thijskh commented 6 years ago

As stated in that advisory, the fix was to better check the return values of XmlSecLibs’ methods.

It has been argued that the XmlSecLibs API should be more robust against this mistake, but that requires a significant rewrite.
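
The return-value pitfall referred to above, as an added example that is not code from xmlseclibs or SimpleSAMLphp. It assumes (as PHP's openssl_verify() documents) that a verify routine hands back 1 for a valid signature, 0 for an invalid one and -1 on an internal OpenSSL error; the hypothetical rawVerify(), weakCheck() and strictCheck() functions are illustrative names, the key pair and message are constructed at run time, and the -1 case is injected as a constant rather than provoked from OpenSSL. Requires PHP 8.0 or later for the union return types.

```php
<?php
// Added example, not code from xmlseclibs or SimpleSAMLphp.
// Assumption: the library verify call passes through the raw result of
// openssl_verify(), which is 1 (valid), 0 (invalid) or -1 (OpenSSL error).

declare(strict_types=1);

/**
 * Hypothetical thin wrapper standing in for a library verify() method.
 * Like openssl_verify(), it returns 1, 0 or -1 (or false on a bad key).
 */
function rawVerify(string $data, string $signature, string $publicKeyPem): int|false
{
    return openssl_verify($data, $signature, $publicKeyPem, OPENSSL_ALGO_SHA256);
}

/** The mistake: any non-zero result is treated as "verified", so -1 passes. */
function weakCheck(int|false $result): bool
{
    return (bool) $result;   // -1 is truthy in PHP: an error becomes a success
}

/** The fix: only the exact success value counts; 0, -1 and false all reject. */
function strictCheck(int|false $result): bool
{
    return $result === 1;
}

// Constructed key pair and message, generated at run time (not real SAML data).
$keyPair = openssl_pkey_new([
    'private_key_type' => OPENSSL_KEYTYPE_RSA,
    'private_key_bits' => 2048,
]);
$publicKeyPem = openssl_pkey_get_details($keyPair)['key'];

$message = '<Assertion>constructed sample</Assertion>';
openssl_sign($message, $signature, $keyPair, OPENSSL_ALGO_SHA256);

$cases = [
    'genuine signature'  => rawVerify($message, $signature, $publicKeyPem),
    'tampered message'   => rawVerify($message . ' ', $signature, $publicKeyPem),
    'injected error (-1)' => -1, // simulated openssl_verify() error result
];

foreach ($cases as $label => $result) {
    printf(
        "%-20s raw=%-5s weak=%-6s strict=%s\n",
        $label,
        var_export($result, true),
        weakCheck($result) ? 'accept' : 'reject',
        strictCheck($result) ? 'accept' : 'reject'
    );
}
```

Run with `php example.php`: the genuine signature is accepted by both checks and the tampered message is rejected by both, but the -1 row is accepted by weakCheck() and rejected only by strictCheck(). That difference is exactly why a caller must compare against the documented success value rather than test for truthiness.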

attritionorg commented 6 years ago

Right, but the 'fix' sounds like it was implemented within SimpleSAMLphp, and not in XMLsecLibs itself. That is what I am trying to verify, if any fixes were pushed within XMLsecLibs, or as you say, it requires a significant effort and for now, those using the library should work around it.

robrichards commented 6 years ago

The fix was made in SimpleSAMLphp but I am making a release with the change back ported to here as well

adityawebi-zz commented 6 years ago

Hi Robrichards, can you please confirm in which branch this release is available? The 2.0 branch seems to be the latest, but I can't see this patch/commit in there.

robrichards commented 6 years ago

I will resolve this before end of week. Been hesitant to release as there is a slight possibility of breaking BC and breaking spec compliance which I am trying to avoid.

robrichards commented 6 years ago

Final changes pushed with 3.0.2