svn commit: r458859 - head/security/vuxml

Palle Girgensohn girgen at FreeBSD.org
Fri Jan 12 17:23:34 UTC 2018 

Author: girgen
Date: Fri Jan 12 17:23:33 2018
New Revision: 458859
URL: https://svnweb.freebsd.org/changeset/ports/458859

Log:
  Document vulnerability of devel/xmltooling
  
  security/shibboleth2-sp depends on the xmltooling port
  
  Security:	CVE-2018-0486

Modified:
  head/security/vuxml/vuln.xml

Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml	Fri Jan 12 16:43:42 2018	(r458858)
+++ head/security/vuxml/vuln.xml	Fri Jan 12 17:23:33 2018	(r458859)
@@ -58,6 +58,48 @@ Notes:
   * Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
 -->
 <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+  <vuln vid="3dbe9492-f7b8-11e7-a12d-6cc21735f730">
+   <topic>shibboleth-sp -- vulnerable to forged user attribute data</topic>
+   <affects>
+     <package>
+	<name>xmltooling</name>
+	<range><lt>1.6.3</lt></range>
+     </package>
+   </affects>
+   <description>
+     <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>Shibboleth consortium reports:</p>
+	<blockquote cite="https://shibboleth.net/community/advisories/secadv_20180112.txt">
+	  <p>
+	    Shibboleth SP software vulnerable to forged user attribute data
+	  </p>
+	  <p>
+	    The Service Provider software relies on a generic XML parser to
+	    process SAML responses and there are limitations in older versions
+	    of the parser that make it impossible to fully disable Document Type
+	    Definition (DTD) processing.
+	  </p>
+	  <p>
+	    Through addition/manipulation of a DTD, it's possible to make
+	    changes to an XML document that do not break a digital signature but
+	    are mishandled by the SP and its libraries. These manipulations can
+	    alter the user data passed through to applications behind the SP and
+	    result in impersonation attacks and exposure of protected
+	    information.
+	  </p>
+	</blockquote>
+     </body>
+   </description>
+   <references>
+     <url>https://shibboleth.net/community/advisories/secadv_20180112.txt</url>
+     <cvename>CVE-2018-0486</cvename>
+   </references>
+   <dates>
+     <discovery>2018-01-12</discovery>
+     <entry>2018-01-12</entry>
+   </dates>
+  </vuln>
+
   <vuln vid="9c016563-f582-11e7-b33c-6451062f0f7a">
     <topic>Flash Player -- information disclosure</topic>
     <affects>

More information about the svn-ports-all mailing list