Name | CVE-2019-9628 |
Description | The XMLTooling library, all versions prior to V3.0.4, provided with the OpenSAML and Shibboleth Service Provider software, contains an XML parsing class. Invalid data in the XML declaration causes an exception of a type that was not handled properly in the parser class, so the parser propagates an unexpected exception type to its callers. Since callers only expect the library's own parsing exception, the escaping exception goes uncaught; the practical impact is a crash (denial of service) triggered by a malformed document. |
Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
References | DLA-1710-1, DSA-4407-1, ELA-92-1 |
Debian Bugs | 924346 |
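The bug pattern behind the description above, as an added C++ illustration that is not XMLTooling's or Xerces-C's code: a parser wrapper converts the two exception hierarchies it expects into the library's own exception type but misses a third hierarchy, so a bad encoding name in the XML declaration surfaces to callers as a type they never catch. The exception class names, the toy declaration parser and the sample documents are constructed for this example; the split between an `XMLException` hierarchy and separate `SAXException`/`DOMException` hierarchies mirrors Xerces-C only in spirit, and whether the project's actual fix (linked below) took exactly the shape of `parseAfter` is an assumption.

```cpp
// Added example: "catch the expected derived types, miss the base type".
// Stand-in exception hierarchies (assumption, not Xerces-C): XMLException is
// unrelated to SAXException and DOMException, as in the real parser.
#include <stdexcept>
#include <string>

struct XMLException : std::runtime_error { using std::runtime_error::runtime_error; };
struct TranscodingException : XMLException { using XMLException::XMLException; };
struct SAXException : std::runtime_error { using std::runtime_error::runtime_error; };
struct DOMException : std::runtime_error { using std::runtime_error::runtime_error; };

// Stand-in for the wrapper type the library documents and its callers expect.
struct XMLParserException : std::runtime_error { using std::runtime_error::runtime_error; };

// Toy "parser" (constructed for the example) that only inspects the XML
// declaration. An unknown encoding name is reported as a TranscodingException,
// i.e. through the XMLException hierarchy rather than the SAX one.
static void parseDeclaration(const std::string& doc) {
    const std::string declOpen = "<?xml";
    if (doc.compare(0, declOpen.size(), declOpen) != 0)
        return;                                    // no declaration: nothing to check
    const std::string::size_type end = doc.find("?>");
    if (end == std::string::npos)
        throw SAXException("unterminated XML declaration");
    const std::string::size_type enc = doc.find("encoding=\"");
    if (enc == std::string::npos || enc > end)
        return;                                    // no encoding attribute
    const std::string::size_type start = enc + 10; // length of encoding="
    const std::string::size_type close = doc.find('"', start);
    if (close == std::string::npos || close > end)
        throw SAXException("unterminated encoding attribute");
    const std::string name = doc.substr(start, close - start);
    if (name != "UTF-8" && name != "UTF-16" && name != "ISO-8859-1")
        throw TranscodingException("unsupported encoding: " + name);
}

// Before: only the SAX and DOM hierarchies are translated, so an XMLException
// subclass propagates unchanged as a type the caller never anticipated.
static void parseBefore(const std::string& doc) {
    try {
        parseDeclaration(doc);
    } catch (const SAXException& e) {
        throw XMLParserException(std::string("SAX error: ") + e.what());
    } catch (const DOMException& e) {
        throw XMLParserException(std::string("DOM error: ") + e.what());
    }
}

// After: the base XMLException is caught as well, so every parser failure is
// reported through the single documented exception type.
static void parseAfter(const std::string& doc) {
    try {
        parseDeclaration(doc);
    } catch (const SAXException& e) {
        throw XMLParserException(std::string("SAX error: ") + e.what());
    } catch (const DOMException& e) {
        throw XMLParserException(std::string("DOM error: ") + e.what());
    } catch (const XMLException& e) {
        throw XMLParserException(std::string("XML error: ") + e.what());
    }
}

// Harness standing in for a caller that only knows about XMLParserException.
// Returns "ok", "handled" (expected type) or "escaped" (any other type, which
// in a real service reaches std::terminate if nothing further up catches it).
static std::string outcome(void (*parse)(const std::string&), const std::string& doc) {
    try {
        parse(doc);
        return "ok";
    } catch (const XMLParserException&) {
        return "handled";
    } catch (...) {
        return "escaped";
    }
}

int main() {
    const std::string bad = "<?xml version=\"1.0\" encoding=\"bogus\"?><a/>";
    const bool demo = outcome(parseBefore, bad) == "escaped"
                   && outcome(parseAfter, bad) == "handled";
    return demo ? 0 : 1;
}
```

The useful check for an operator is the `outcome` wrapper: feed the parser wrapper a document with a deliberately bad declaration and confirm that what comes back is the library's documented exception type, not whatever the underlying parser happened to throw.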
The table below lists information on source packages.
Source Package | Release | Version | Status |
---|---|---|---|
xmltooling (PTS) | jessie, jessie (lts) | 1.5.3-2+deb8u5 | fixed |
xmltooling (PTS) | stretch (security), stretch (lts), stretch | 1.6.0-4+deb9u2 | fixed |
xmltooling (PTS) | buster (security), buster, buster (lts) | 3.0.4-1+deb10u2 | fixed |
xmltooling (PTS) | bullseye (security), bullseye | 3.2.0-3+deb11u1 | fixed |
xmltooling (PTS) | bookworm (security), bookworm | 3.2.3-1+deb12u1 | fixed |
xmltooling (PTS) | sid, trixie | 3.2.4-2.1 | fixed |
The information below is based on the following data on fixed versions.
Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
---|---|---|---|---|---|---|
xmltooling | source | wheezy | 1.4.2-5+deb7u4 | | ELA-92-1 | |
xmltooling | source | jessie | 1.5.3-2+deb8u4 | | DLA-1710-1 | |
xmltooling | source | stretch | 1.6.0-4+deb9u2 | | DSA-4407-1 | |
xmltooling | source | (unstable) | 3.0.4-1 | | | 924346 |
https://shibboleth.net/community/advisories/secadv_20190311.txt
https://issues.shibboleth.net/jira/browse/CPPXT-143
https://git.shibboleth.net/view/?p=cpp-xmltooling.git;a=commit;h=af27c422f551e16989ff6f1722d83614c8550eb5