svn commit: r321194 - in head: devel/xmltooling security/apache-xml-security-c security/opensaml2 security/shibboleth2-sp security/vuxml
Palle Girgensohn
girgen at FreeBSD.org
Tue Jun 18 15:15:50 UTC 2013
Author: girgen
Date: Tue Jun 18 15:15:48 2013
New Revision: 321194
URL: http://svnweb.freebsd.org/changeset/ports/321194
Log:
Security update for apache-xml-security-c.
Dependent ports, especially shibboleth2-sp, opensaml2, xmltooling
and log4shib should all be updated.
Security: CVE-2013-2156
Modified:
head/devel/xmltooling/Makefile
head/devel/xmltooling/distinfo
head/security/apache-xml-security-c/Makefile
head/security/apache-xml-security-c/distinfo
head/security/opensaml2/Makefile
head/security/opensaml2/distinfo
head/security/shibboleth2-sp/Makefile
head/security/shibboleth2-sp/distinfo
head/security/vuxml/vuln.xml
Modified: head/devel/xmltooling/Makefile
==============================================================================
--- head/devel/xmltooling/Makefile Tue Jun 18 15:12:06 2013 (r321193)
+++ head/devel/xmltooling/Makefile Tue Jun 18 15:15:48 2013 (r321194)
@@ -2,9 +2,9 @@
# $FreeBSD$
PORTNAME= xmltooling
-PORTVERSION= 1.5.2
+PORTVERSION= 1.5.3
CATEGORIES= devel security
-MASTER_SITES= http://shibboleth.net/downloads/c++-opensaml/2.5.2/
+MASTER_SITES= http://shibboleth.net/downloads/c++-opensaml/2.5.3/
MAINTAINER= girgen at FreeBSD.org
COMMENT= Low level XML support for SAML
Modified: head/devel/xmltooling/distinfo
==============================================================================
--- head/devel/xmltooling/distinfo Tue Jun 18 15:12:06 2013 (r321193)
+++ head/devel/xmltooling/distinfo Tue Jun 18 15:15:48 2013 (r321194)
@@ -1,2 +1,2 @@
-SHA256 (xmltooling-1.5.2.tar.gz) = d43719f8d742d87131ea64f2dbc8f1b366c7f216ac21015090a51693ff11df98
-SIZE (xmltooling-1.5.2.tar.gz) = 679098
+SHA256 (xmltooling-1.5.3.tar.gz) = 90e453deb738574b04f1f1aa08ed7cc9d8746bcbf93eb59f401a6e38f2ec9574
+SIZE (xmltooling-1.5.3.tar.gz) = 675350
Modified: head/security/apache-xml-security-c/Makefile
==============================================================================
--- head/security/apache-xml-security-c/Makefile Tue Jun 18 15:12:06 2013 (r321193)
+++ head/security/apache-xml-security-c/Makefile Tue Jun 18 15:15:48 2013 (r321194)
@@ -2,7 +2,7 @@
# $FreeBSD$
PORTNAME= xml-security-c
-PORTVERSION= 1.7.0
+PORTVERSION= 1.7.1
CATEGORIES= security
MASTER_SITES= ${MASTER_SITE_APACHE}
MASTER_SITE_SUBDIR=santuario/c-library
Modified: head/security/apache-xml-security-c/distinfo
==============================================================================
--- head/security/apache-xml-security-c/distinfo Tue Jun 18 15:12:06 2013 (r321193)
+++ head/security/apache-xml-security-c/distinfo Tue Jun 18 15:15:48 2013 (r321194)
@@ -1,2 +1,2 @@
-SHA256 (xml-security-c-1.7.0.tar.gz) = c8cd6ec3d3b777fcca295cb4b273b08e4cfe37e03fc27131ec079894b9dae87c
-SIZE (xml-security-c-1.7.0.tar.gz) = 874025
+SHA256 (xml-security-c-1.7.1.tar.gz) = 3d306660702d620b30605627f970b90667ed967211a8fc26b3243e6d3abeb32e
+SIZE (xml-security-c-1.7.1.tar.gz) = 875367
Modified: head/security/opensaml2/Makefile
==============================================================================
--- head/security/opensaml2/Makefile Tue Jun 18 15:12:06 2013 (r321193)
+++ head/security/opensaml2/Makefile Tue Jun 18 15:15:48 2013 (r321194)
@@ -2,7 +2,7 @@
# $FreeBSD$
PORTNAME= opensaml2
-PORTVERSION= 2.5.2
+PORTVERSION= 2.5.3
CATEGORIES= security
MASTER_SITES= http://shibboleth.net/downloads/c++-opensaml/${PORTVERSION}/
DISTNAME= opensaml-${PORTVERSION}
Modified: head/security/opensaml2/distinfo
==============================================================================
--- head/security/opensaml2/distinfo Tue Jun 18 15:12:06 2013 (r321193)
+++ head/security/opensaml2/distinfo Tue Jun 18 15:15:48 2013 (r321194)
@@ -1,2 +1,2 @@
-SHA256 (opensaml-2.5.2.tar.gz) = 5bc3fbe5e789ad7aedfc2919413131400290466ecd2b77b1c3f3dc4c37e6fe54
-SIZE (opensaml-2.5.2.tar.gz) = 707139
+SHA256 (opensaml-2.5.3.tar.gz) = 1ed6a241b2021def6a1af57d3087b697c98b38842e9195e1f3fae194d55c13fb
+SIZE (opensaml-2.5.3.tar.gz) = 703021
Modified: head/security/shibboleth2-sp/Makefile
==============================================================================
--- head/security/shibboleth2-sp/Makefile Tue Jun 18 15:12:06 2013 (r321193)
+++ head/security/shibboleth2-sp/Makefile Tue Jun 18 15:15:48 2013 (r321194)
@@ -2,8 +2,7 @@
# $FreeBSD$
PORTNAME= shibboleth-sp
-PORTVERSION= 2.5.1
-PORTREVISION= 1
+PORTVERSION= 2.5.2
CATEGORIES= security www
MASTER_SITES= http://shibboleth.net/downloads/service-provider/${PORTVERSION}/
Modified: head/security/shibboleth2-sp/distinfo
==============================================================================
--- head/security/shibboleth2-sp/distinfo Tue Jun 18 15:12:06 2013 (r321193)
+++ head/security/shibboleth2-sp/distinfo Tue Jun 18 15:15:48 2013 (r321194)
@@ -1,2 +1,2 @@
-SHA256 (shibboleth-sp-2.5.1.tar.gz) = a697034fe56a170602a3907cde6faf822836b1ba23cdc11af315a81df6102f04
-SIZE (shibboleth-sp-2.5.1.tar.gz) = 952815
+SHA256 (shibboleth-sp-2.5.2.tar.gz) = 1d5c42ea6a6cf5f1ed39101af52a2df2cf7e5e6c086e1081bdf1275f970ba1d5
+SIZE (shibboleth-sp-2.5.2.tar.gz) = 949163
Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml Tue Jun 18 15:12:06 2013 (r321193)
+++ head/security/vuxml/vuln.xml Tue Jun 18 15:15:48 2013 (r321194)
@@ -51,6 +51,36 @@ Note: Please add new entries to the beg
-->
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+ <vuln vid="279e5f4b-d823-11e2-928e-08002798f6ff">
+ <topic>apache-xml-security-c -- heap overflow</topic>
+ <affects>
+ <package>
+ <name>apache-xml-security-c</name>
+ <range><lt>1.7.1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>The Apache Software Foundation reports:</p>
+ <blockquote cite="http://santuario.apache.org/secadv.data/CVE-2013-2156.txt">
+ <p>A heap overflow exists in the processing of the PrefixList
+ attribute optionally used in conjunction with Exclusive
+ Canonicalization, potentially allowing arbitary code execution.
+ If verification of the signature occurs prior to actual evaluation of a
+ signing key, this could be exploited by an unauthenticated attacker.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2013-2156</cvename>
+ <url>http://santuario.apache.org/secadv.data/CVE-2013-2156.txt</url>
+ </references>
+ <dates>
+ <discovery>2013-06-18</discovery>
+ <entry>2013-06-18</entry>
+ </dates>
+ </vuln>
+
<vuln vid="80af2677-d6c0-11e2-8f5e-001966155bea">
<topic>tor -- guard discovery</topic>
<affects>
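Review bot: The `<name>apache-xml-security-c</name>` in the new entry differs from the `PORTNAME= xml-security-c` visible in the security/apache-xml-security-c/Makefile hunk, so the entry matches installed packages only if a `PKGNAMEPREFIX= apache-` line outside that hunk supplies the prefix. This is worth confirming, because a name mismatch would make the vulnerability audit silently pass over installs older than 1.7.1. The commit log says the dependent ports should be updated, yet `<affects>` lists only this one package; if any of them bundles or statically links the library (not determinable from this diff), it would need its own `<package>` block with the fixed version from this commit. The trailing `tor -- guard discovery` entry is context only and continues past the end of the hunk.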