svn commit: r321194 - in head: devel/xmltooling security/apache-xml-security-c security/opensaml2 security/shibboleth2-sp security/vuxml

Palle Girgensohn girgen at FreeBSD.org
Tue Jun 18 15:15:50 UTC 2013


Author: girgen
Date: Tue Jun 18 15:15:48 2013
New Revision: 321194
URL: http://svnweb.freebsd.org/changeset/ports/321194

Log:
  Security update for apache-xml-security-c.
  Dependent ports, especially shibboleth2-sp, opensaml2, xmltooling
  and log4shib, should all be updated.
  
  Security: CVE-2013-2156

Modified:
  head/devel/xmltooling/Makefile
  head/devel/xmltooling/distinfo
  head/security/apache-xml-security-c/Makefile
  head/security/apache-xml-security-c/distinfo
  head/security/opensaml2/Makefile
  head/security/opensaml2/distinfo
  head/security/shibboleth2-sp/Makefile
  head/security/shibboleth2-sp/distinfo
  head/security/vuxml/vuln.xml

Modified: head/devel/xmltooling/Makefile
==============================================================================
--- head/devel/xmltooling/Makefile	Tue Jun 18 15:12:06 2013	(r321193)
+++ head/devel/xmltooling/Makefile	Tue Jun 18 15:15:48 2013	(r321194)
@@ -2,9 +2,9 @@
 # $FreeBSD$
 
 PORTNAME=	xmltooling
-PORTVERSION=	1.5.2
+PORTVERSION=	1.5.3
 CATEGORIES=	devel security
-MASTER_SITES=	http://shibboleth.net/downloads/c++-opensaml/2.5.2/
+MASTER_SITES=	http://shibboleth.net/downloads/c++-opensaml/2.5.3/
 
 MAINTAINER=	girgen at FreeBSD.org
 COMMENT=	Low level XML support for SAML

Modified: head/devel/xmltooling/distinfo
==============================================================================
--- head/devel/xmltooling/distinfo	Tue Jun 18 15:12:06 2013	(r321193)
+++ head/devel/xmltooling/distinfo	Tue Jun 18 15:15:48 2013	(r321194)
@@ -1,2 +1,2 @@
-SHA256 (xmltooling-1.5.2.tar.gz) = d43719f8d742d87131ea64f2dbc8f1b366c7f216ac21015090a51693ff11df98
-SIZE (xmltooling-1.5.2.tar.gz) = 679098
+SHA256 (xmltooling-1.5.3.tar.gz) = 90e453deb738574b04f1f1aa08ed7cc9d8746bcbf93eb59f401a6e38f2ec9574
+SIZE (xmltooling-1.5.3.tar.gz) = 675350

Modified: head/security/apache-xml-security-c/Makefile
==============================================================================
--- head/security/apache-xml-security-c/Makefile	Tue Jun 18 15:12:06 2013	(r321193)
+++ head/security/apache-xml-security-c/Makefile	Tue Jun 18 15:15:48 2013	(r321194)
@@ -2,7 +2,7 @@
 # $FreeBSD$
 
 PORTNAME=	xml-security-c
-PORTVERSION=	1.7.0
+PORTVERSION=	1.7.1
 CATEGORIES=	security
 MASTER_SITES=	${MASTER_SITE_APACHE}
 MASTER_SITE_SUBDIR=santuario/c-library

Modified: head/security/apache-xml-security-c/distinfo
==============================================================================
--- head/security/apache-xml-security-c/distinfo	Tue Jun 18 15:12:06 2013	(r321193)
+++ head/security/apache-xml-security-c/distinfo	Tue Jun 18 15:15:48 2013	(r321194)
@@ -1,2 +1,2 @@
-SHA256 (xml-security-c-1.7.0.tar.gz) = c8cd6ec3d3b777fcca295cb4b273b08e4cfe37e03fc27131ec079894b9dae87c
-SIZE (xml-security-c-1.7.0.tar.gz) = 874025
+SHA256 (xml-security-c-1.7.1.tar.gz) = 3d306660702d620b30605627f970b90667ed967211a8fc26b3243e6d3abeb32e
+SIZE (xml-security-c-1.7.1.tar.gz) = 875367

Modified: head/security/opensaml2/Makefile
==============================================================================
--- head/security/opensaml2/Makefile	Tue Jun 18 15:12:06 2013	(r321193)
+++ head/security/opensaml2/Makefile	Tue Jun 18 15:15:48 2013	(r321194)
@@ -2,7 +2,7 @@
 # $FreeBSD$
 
 PORTNAME=	opensaml2
-PORTVERSION=	2.5.2
+PORTVERSION=	2.5.3
 CATEGORIES=	security
 MASTER_SITES=	http://shibboleth.net/downloads/c++-opensaml/${PORTVERSION}/
 DISTNAME=	opensaml-${PORTVERSION}

Modified: head/security/opensaml2/distinfo
==============================================================================
--- head/security/opensaml2/distinfo	Tue Jun 18 15:12:06 2013	(r321193)
+++ head/security/opensaml2/distinfo	Tue Jun 18 15:15:48 2013	(r321194)
@@ -1,2 +1,2 @@
-SHA256 (opensaml-2.5.2.tar.gz) = 5bc3fbe5e789ad7aedfc2919413131400290466ecd2b77b1c3f3dc4c37e6fe54
-SIZE (opensaml-2.5.2.tar.gz) = 707139
+SHA256 (opensaml-2.5.3.tar.gz) = 1ed6a241b2021def6a1af57d3087b697c98b38842e9195e1f3fae194d55c13fb
+SIZE (opensaml-2.5.3.tar.gz) = 703021

Modified: head/security/shibboleth2-sp/Makefile
==============================================================================
--- head/security/shibboleth2-sp/Makefile	Tue Jun 18 15:12:06 2013	(r321193)
+++ head/security/shibboleth2-sp/Makefile	Tue Jun 18 15:15:48 2013	(r321194)
@@ -2,8 +2,7 @@
 # $FreeBSD$
 
 PORTNAME=	shibboleth-sp
-PORTVERSION=	2.5.1
-PORTREVISION=	1
+PORTVERSION=	2.5.2
 CATEGORIES=	security www
 MASTER_SITES=	http://shibboleth.net/downloads/service-provider/${PORTVERSION}/
 

Modified: head/security/shibboleth2-sp/distinfo
==============================================================================
--- head/security/shibboleth2-sp/distinfo	Tue Jun 18 15:12:06 2013	(r321193)
+++ head/security/shibboleth2-sp/distinfo	Tue Jun 18 15:15:48 2013	(r321194)
@@ -1,2 +1,2 @@
-SHA256 (shibboleth-sp-2.5.1.tar.gz) = a697034fe56a170602a3907cde6faf822836b1ba23cdc11af315a81df6102f04
-SIZE (shibboleth-sp-2.5.1.tar.gz) = 952815
+SHA256 (shibboleth-sp-2.5.2.tar.gz) = 1d5c42ea6a6cf5f1ed39101af52a2df2cf7e5e6c086e1081bdf1275f970ba1d5
+SIZE (shibboleth-sp-2.5.2.tar.gz) = 949163

Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml	Tue Jun 18 15:12:06 2013	(r321193)
+++ head/security/vuxml/vuln.xml	Tue Jun 18 15:15:48 2013	(r321194)
@@ -51,6 +51,36 @@ Note:  Please add new entries to the beg
 
 -->
 <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+  <vuln vid="279e5f4b-d823-11e2-928e-08002798f6ff">
+    <topic>apache-xml-security-c -- heap overflow</topic>
+    <affects>
+      <package>
+	<name>apache-xml-security-c</name>
+	<range><lt>1.7.1</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>The Apache Software Foundation reports:</p>
+	<blockquote cite="http://santuario.apache.org/secadv.data/CVE-2013-2156.txt">
+	  <p>A heap overflow exists in the processing of the PrefixList
+	  attribute optionally used in conjunction with Exclusive
+	  Canonicalization, potentially allowing arbitary code execution.
+	  If verification of the signature occurs prior to actual evaluation of a
+	  signing key, this could be exploited by an unauthenticated attacker.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2013-2156</cvename>
+      <url>http://santuario.apache.org/secadv.data/CVE-2013-2156.txt</url>
+    </references>
+    <dates>
+      <discovery>2013-06-18</discovery>
+      <entry>2013-06-18</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="80af2677-d6c0-11e2-8f5e-001966155bea">
     <topic>tor -- guard discovery</topic>
     <affects>
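Review bot: The `<name>apache-xml-security-c</name>` in the added entry must equal the installed package name or the audit tooling will not flag vulnerable hosts, and the Makefile context visible in this commit shows `PORTNAME= xml-security-c`. The part of that Makefile outside the hunk presumably sets a package name prefix that yields `apache-xml-security-c`; that is worth confirming against an installed package before relying on the entry. The log message asks for shibboleth2-sp, opensaml2 and xmltooling to be updated too, yet the entry lists only the library, so an admin reading the audit output gets no hint about the consumers; if they link the library dynamically that is fine, otherwise they may need their own `<package>` ranges. The spelling `arbitary` inside the blockquote should stay only if it is verbatim from the cited advisory.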

