svn commit: r459437 - head/security/vuxml

Palle Girgensohn girgen at FreeBSD.org
Fri Jan 19 16:43:37 UTC 2018


Author: girgen
Date: Fri Jan 19 16:43:35 2018
New Revision: 459437
URL: https://svnweb.freebsd.org/changeset/ports/459437

Log:
  Add more information about the recent security notice for shibboleth2-sp

Modified:
  head/security/vuxml/vuln.xml

Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml	Fri Jan 19 16:32:25 2018	(r459436)
+++ head/security/vuxml/vuln.xml	Fri Jan 19 16:43:35 2018	(r459437)
@@ -338,6 +338,10 @@ Notes:
 	<name>xmltooling</name>
 	<range><lt>1.6.3</lt></range>
      </package>
+     <package>
+	<name>xerces-c3</name>
+	<range><lt>3.1.4</lt></range>
+     </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
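Review bot: the new `<package>` block for xerces-c3 widens an existing entry's `<affects>` list, but nothing in this diff touches the entry's `<dates>`; a VuXML entry whose affected packages change should get a `<modified>` date so that tools consuming the file re-flag it for users who already audited the old version. The range itself, `<range><lt>3.1.4</lt></range>`, matches the "before version 3.1.4" wording added in the description below, and the tab/space indentation copies the preceding xmltooling block, so the markup is consistent.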
@@ -359,6 +363,14 @@ Notes:
 	    alter the user data passed through to applications behind the SP and
 	    result in impersonation attacks and exposure of protected
 	    information.
+	  </p>
+	  <p>
+	    While newer versions of the xerces-c3 parser are configured by the
+	    SP into disallowing the use of a DTD via an environment variable,
+	    this feature is not present in the xerces-c3 parser before version
+	    3.1.4, so an additional fix is being provided now that an actual DTD
+	    exploit has been identified. Xerces-c3-3.1.4 was committed to the
+	    ports tree already on 2016-07-26.
 	  </p>
 	</blockquote>
      </body>
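Review bot: the new paragraph's first sentence reads awkwardly ("configured by the SP into disallowing the use of a DTD via an environment variable"); suggest "the SP configures newer versions of the xerces-c3 parser, via an environment variable, to disallow the use of a DTD". The package name is also capitalised inconsistently within the same paragraph ("xerces-c3" vs. "Xerces-c3-3.1.4"); use the port name in lowercase throughout, e.g. "xerces-c3 3.1.4 was already committed to the ports tree on 2016-07-26". Otherwise the paragraph gives the reader the key fact that the parser's own version, not only the SP's, determines exposure, which the added `<lt>3.1.4</lt>` range in the first hunk encodes.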
