[SECURITY] [DLA 1242-1] xmltooling security update

2018-01-1422:09:31

lists.debian.org

6.4 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:P/A:N

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

6.8 Medium

AI Score

Confidence

High

0.004 Low

EPSS

Percentile

74.3%

JSON

Package : xmltooling
Version : 1.4.2-5+deb7u2
CVE ID : CVE-2018-0486

Philip Huppert discovered the Shibboleth service provider is vulnerable
to impersonation attacks and information disclosure due to mishandling
of DTDs in the XMLTooling XML parsing library. For additional details
please refer to the upstream advisory at

https://shibboleth.net/community/advisories/secadv_20180112.txt

For Debian 7 "Wheezy", these problems have been fixed in version
1.4.2-5+deb7u2.

We recommend that you upgrade your xmltooling packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

OSVersionArchitecturePackageVersionFilename
Debian8allxmltooling-schemas< 1.5.3-2+deb8u2xmltooling-schemas_1.5.3-2+deb8u2_all.deb
Debian8amd64libxmltooling-dev< 1.5.3-2+deb8u2libxmltooling-dev_1.5.3-2+deb8u2_amd64.deb
Debian8mipslibxmltooling6< 1.5.3-2+deb8u2libxmltooling6_1.5.3-2+deb8u2_mips.deb
Debian9mipsellibxmltooling7< 1.6.0-4+deb9u1libxmltooling7_1.6.0-4+deb9u1_mipsel.deb
Debian8ppc64ellibxmltooling6< 1.5.3-2+deb8u2libxmltooling6_1.5.3-2+deb8u2_ppc64el.deb
Debian9i386libxmltooling-dev< 1.6.0-4+deb9u1libxmltooling-dev_1.6.0-4+deb9u1_i386.deb
Debian8ppc64ellibxmltooling-dev< 1.5.3-2+deb8u2libxmltooling-dev_1.5.3-2+deb8u2_ppc64el.deb
Debian8amd64libxmltooling6< 1.5.3-2+deb8u2libxmltooling6_1.5.3-2+deb8u2_amd64.deb
Debian9allxmltooling< 1.6.0-4+deb9u1xmltooling_1.6.0-4+deb9u1_all.deb
Debian8armhflibxmltooling6< 1.5.3-2+deb8u2libxmltooling6_1.5.3-2+deb8u2_armhf.deb

OS	Version	Architecture	Package	Version	Filename
Debian	8	all	xmltooling-schemas	< 1.5.3-2+deb8u2	xmltooling-schemas_1.5.3-2+deb8u2_all.deb
Debian	8	amd64	libxmltooling-dev	< 1.5.3-2+deb8u2	libxmltooling-dev_1.5.3-2+deb8u2_amd64.deb
Debian	8	mips	libxmltooling6	< 1.5.3-2+deb8u2	libxmltooling6_1.5.3-2+deb8u2_mips.deb
Debian	9	mipsel	libxmltooling7	< 1.6.0-4+deb9u1	libxmltooling7_1.6.0-4+deb9u1_mipsel.deb
Debian	8	ppc64el	libxmltooling6	< 1.5.3-2+deb8u2	libxmltooling6_1.5.3-2+deb8u2_ppc64el.deb
Debian	9	i386	libxmltooling-dev	< 1.6.0-4+deb9u1	libxmltooling-dev_1.6.0-4+deb9u1_i386.deb
Debian	8	ppc64el	libxmltooling-dev	< 1.5.3-2+deb8u2	libxmltooling-dev_1.5.3-2+deb8u2_ppc64el.deb
Debian	8	amd64	libxmltooling6	< 1.5.3-2+deb8u2	libxmltooling6_1.5.3-2+deb8u2_amd64.deb
Debian	9	all	xmltooling	< 1.6.0-4+deb9u1	xmltooling_1.6.0-4+deb9u1_all.deb
Debian	8	armhf	libxmltooling6	< 1.5.3-2+deb8u2	libxmltooling6_1.5.3-2+deb8u2_armhf.deb