svn commit: r487884 - head/security/vuxml
Palle Girgensohn
girgen at FreeBSD.org
Thu Dec 20 14:50:08 UTC 2018
Author: girgen
Date: Thu Dec 20 14:50:07 2018
New Revision: 487884
URL: https://svnweb.freebsd.org/changeset/ports/487884
Log:
Add vuxml entry for shibboleth-sp
Modified:
head/security/vuxml/vuln.xml
Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml Thu Dec 20 14:19:33 2018 (r487883)
+++ head/security/vuxml/vuln.xml Thu Dec 20 14:50:07 2018 (r487884)
@@ -58,6 +58,39 @@ Notes:
* Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
-->
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+ <vuln vid="4f8665d0-0465-11e9-b77a-6cc21735f730">
+ <topic>shibboleth-sp -- crashes on malformed date/time content</topic>
+ <affects>
+ <package>
+ <name>shibboleth-sp</name>
+ <range><ge>3.0.0</ge><lt>3.0.3</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>The Shibboleth Consortium reports:</p>
+ <blockquote cite="https://shibboleth.net/community/advisories/secadv_20181219a.txt">
+ <p>SAML messages, assertions, and metadata all commonly contain
+ date/time information in a standard XML format.</p>
+ <p>Invalid formatted data in such fields cause an exception of a type
+ that was not handled properly in the V3 software and causes a crash
+ (usually to the shibd daemon process, but possibly to Apache in rare
+ cases). Note that the crash occurs prior to evaluation of a message's
+ authenticity, so can be exploited by an untrusted attacker.</p>
+ <p>The problem is believed to be specific to the V3 software and would
+ not cause a crash in the older, now unsupported, V2 software.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://shibboleth.net/community/advisories/secadv_20181219a.txt</url>
+ </references>
+ <dates>
+ <discovery>2018-12-19</discovery>
+ <entry>2018-12-20</entry>
+ </dates>
+ </vuln>
+
<vuln vid="1999a215-fc6b-11e8-8a95-ac1f6b67e138">
<topic>couchdb -- administrator privilege escalation</topic>
<affects>
More information about the svn-ports-all
mailing list