svn commit: r392739 - branches/2015Q2/security/vuxml
Mark Felder
feld at feld.me
Fri Jul 24 16:54:07 UTC 2015
On Fri, Jul 24, 2015, at 11:23, Brad Davis wrote:
> On Thu, Jul 23, 2015 at 04:24:25PM +0000, Palle Girgensohn wrote:
> > Author: girgen
> > Date: Thu Jul 23 16:24:25 2015
> > New Revision: 392739
> > URL: https://svnweb.freebsd.org/changeset/ports/392739
> >
> > Log:
> > Shibboleth SP software crashes on well-formed but invalid XML.
> >
> > The Service Provider software contains a code path with an uncaught
> > exception that can be triggered by an unauthenticated attacker by
> > supplying well-formed but schema-invalid XML in the form of SAML
> > metadata or SAML protocol messages. The result is a crash and so
> > causes a denial of service.
> >
> > You must rebuild opensaml and shibboleth with xmltooling-1.5.5 or later.
> > The easiest way to do so is to update the whole chain including
> > shibboleth-2.5.5 an opensaml2.5.5.
> >
> > URL: http://shibboleth.net/community/advisories/secadv_20150721.txt
> > Security: CVE-2015-2684
> > Approved by: ports-secteam
> >
> > Modified:
> > branches/2015Q2/security/vuxml/vuln.xml
>
> Shouldn't this have gone into HEAD? I thought vuln.xml was only used in
> head, not from the branches.
>
And not even the current branch... That's weird.
Can we get old branches locked down a bit further?
More information about the svn-ports-all
mailing list