svn commit: r392739 - branches/2015Q2/security/vuxml
Palle Girgensohn
girgen at FreeBSD.org
Fri Jul 24 21:38:59 UTC 2015
> 24 jul 2015 kl. 18:54 skrev Mark Felder <feld at feld.me>:
>
>
>
> On Fri, Jul 24, 2015, at 11:23, Brad Davis wrote:
>> On Thu, Jul 23, 2015 at 04:24:25PM +0000, Palle Girgensohn wrote:
>>> Author: girgen
>>> Date: Thu Jul 23 16:24:25 2015
>>> New Revision: 392739
>>> URL: https://svnweb.freebsd.org/changeset/ports/392739
>>>
>>> Log:
>>> Shibboleth SP software crashes on well-formed but invalid XML.
>>>
>>> The Service Provider software contains a code path with an uncaught
>>> exception that can be triggered by an unauthenticated attacker by
>>> supplying well-formed but schema-invalid XML in the form of SAML
>>> metadata or SAML protocol messages. The result is a crash and so
>>> causes a denial of service.
>>>
>>> You must rebuild opensaml and shibboleth with xmltooling-1.5.5 or later.
>>> The easiest way to do so is to update the whole chain including
>>> shibboleth-2.5.5 and opensaml2.5.5.
>>>
>>> URL: http://shibboleth.net/community/advisories/secadv_20150721.txt
>>> Security: CVE-2015-2684
>>> Approved by: ports-secteam
>>>
>>> Modified:
>>> branches/2015Q2/security/vuxml/vuln.xml
>>
>> Shouldn't this have gone into HEAD? I thought vuln.xml was only used in
>> head, not from the branches.
>>
>
> And not even the current branch... That's weird.
>
> Can we get old branches locked down a bit further?
Umm, sorry, my mistake, I had the 2015Q2 branch checked out, and just entirely missed it. I will merge to HEAD as I write... :-/