To remediate a Shibboleth SSO vulnerability (https://shibboleth.net/community/advisories/secadv_20180227.txt) I'm attempting to replace the existing libxmltooling7 library with a newer version (from 1.6.0-4 to 1.6.3).

I've successfully downloaded the source, built the dependencies, compiled, and verified that the new library is installed in /usr/local... though dpkg -l is still showing the old version:

# Output of dpkg -l | grep xmlt...

pi libxmltooling7:amd64 1.6.0-4switchaai1~trusty1 amd64 C++ XML parsing library with encryption support (runtime) #

Am I missing a symbolic link somewhere?

JonathanDavidArndt
DMahn

1 Answer

Try this before installing the new one:

 dpkg -r --force-depends libxmltooling7
Gilles Quénot
  • I appreciate the insight. Unfortunately there are dependencies that would prohibit that action... libshibsp-plugins:amd64 depends on libxmltooling7... libshibsp7:amd64 depends on libxmltooling7... shibboleth-sp2-utils depends on libxmltooling7... libsaml9:amd64 depends on libxmltooling7... libapache2-mod-shib2 depends on libxmltooling7... – DMahn Mar 13 '18 at 12:39
  • Check edited post, added `--force-depends` – Gilles Quénot Mar 13 '18 at 13:01
  • Thank you Gilles...that allowed me, once I also executed dpkg -P --force-depends libxmltooling7, to remove the 1.6.0 version. Now, even though my install 1.6.4 shows up in /usr/local/share/xml/xmltooling, dpkg -l isn't showing it. Should it? – DMahn Mar 14 '18 at 00:52
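
Added example, not part of the original thread: `dpkg -l` reports only what is recorded in the package database, so a source build installed under /usr/local never appears there; what matters for the remediation is which libxmltooling the Shibboleth binaries actually load. The helpers below parse `dpkg -l` and `ldd` output to compare the two. The sample lines are constructed, and the `/usr/sbin/shibd` path and `.so.7` soname are assumptions.

```shell
#!/bin/sh
# Constructed sample input lines (not captured from a real host).
SAMPLE_DPKG='pi  libxmltooling7:amd64  1.6.0-4switchaai1~trusty1  amd64  C++ XML parsing library'
SAMPLE_LDD='    libxmltooling.so.7 => /usr/lib/x86_64-linux-gnu/libxmltooling.so.7 (0x00007f0000000000)'

# dpkg_state PKG: read `dpkg -l` lines on stdin, print "<flags> <version>".
# Flags are desired-action + current-status, e.g. "ii" = install/installed,
# "pi" = marked for purge but still installed.
dpkg_state() {
    awk -v pkg="$1" '{ n = $2; sub(/:.*/, "", n); if (n == pkg) print $1, $3 }'
}

# resolved_lib NAME: read `ldd` lines on stdin, print the path the dynamic
# loader resolved for NAME.so.* (empty if the binary does not link it).
resolved_lib() {
    awk -v lib="$1" 'index($1, lib ".so") == 1 && $2 == "=>" { print $3 }'
}

# lib_origin PATH: classify where a resolved library comes from.
lib_origin() {
    case "$1" in
        "")           echo not-linked ;;
        /usr/local/*) echo local-build ;;   # source install, unknown to dpkg
        *)            echo packaged ;;      # normally owned by a .deb
    esac
}

# Demo on the constructed samples.
printf '%s\n' "$SAMPLE_DPKG" | dpkg_state libxmltooling7
path=$(printf '%s\n' "$SAMPLE_LDD" | resolved_lib libxmltooling)
echo "$path ($(lib_origin "$path"))"

# On a live host (assumed binary path):
#   dpkg -l | dpkg_state libxmltooling7
#   ldd /usr/sbin/shibd | resolved_lib libxmltooling
```

If the resolved path is still the packaged library, the running service is using the old code regardless of what was built under /usr/local.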