svn commit: r392739 - branches/2015Q2/security/vuxml
Brad Davis
brd at FreeBSD.org
Fri Jul 24 16:23:50 UTC 2015
On Thu, Jul 23, 2015 at 04:24:25PM +0000, Palle Girgensohn wrote:
> Author: girgen
> Date: Thu Jul 23 16:24:25 2015
> New Revision: 392739
> URL: https://svnweb.freebsd.org/changeset/ports/392739
>
> Log:
> Shibboleth SP software crashes on well-formed but invalid XML.
>
> The Service Provider software contains a code path with an uncaught
> exception that can be triggered by an unauthenticated attacker by
> supplying well-formed but schema-invalid XML in the form of SAML
> metadata or SAML protocol messages. The result is a crash and so
> causes a denial of service.
>
> You must rebuild opensaml and shibboleth with xmltooling-1.5.5 or later.
> The easiest way to do so is to update the whole chain including
> shibboleth-2.5.5 an opensaml2.5.5.
>
> URL: http://shibboleth.net/community/advisories/secadv_20150721.txt
> Security: CVE-2015-2684
> Approved by: ports-secteam
>
> Modified:
> branches/2015Q2/security/vuxml/vuln.xml
Shouldn't this have gone into HEAD? I thought vuln.xml was only used in
head, not from the branches.
Regards,
Brad Davis
More information about the svn-ports-all
mailing list