svn commit: r392739 - branches/2015Q2/security/vuxml
Mark Felder
feld at feld.me
Fri Jul 24 23:16:37 UTC 2015
On Fri, Jul 24, 2015, at 16:38, Palle Girgensohn wrote:
>
> > 24 jul 2015 kl. 18:54 skrev Mark Felder <feld at feld.me>:
> >
> > On Fri, Jul 24, 2015, at 11:23, Brad Davis wrote:
> >> On Thu, Jul 23, 2015 at 04:24:25PM +0000, Palle Girgensohn wrote:
> >>> Author: girgen
> >>> Date: Thu Jul 23 16:24:25 2015
> >>> New Revision: 392739
> >>> URL: https://svnweb.freebsd.org/changeset/ports/392739
> >>>
> >>> Log:
> >>> Shibboleth SP software crashes on well-formed but invalid XML.
> >>>
> >>> The Service Provider software contains a code path with an uncaught
> >>> exception that can be triggered by an unauthenticated attacker by
> >>> supplying well-formed but schema-invalid XML in the form of SAML
> >>> metadata or SAML protocol messages. The result is a crash and so
> >>> causes a denial of service.
> >>>
> >>> You must rebuild opensaml and shibboleth with xmltooling-1.5.5 or later.
> >>> The easiest way to do so is to update the whole chain including
> >>> shibboleth-2.5.5 and opensaml2.5.5.
> >>>
> >>> URL: http://shibboleth.net/community/advisories/secadv_20150721.txt
> >>> Security: CVE-2015-2684
> >>> Approved by: ports-secteam
> >>>
> >>> Modified:
> >>> branches/2015Q2/security/vuxml/vuln.xml
> >>
> >> Shouldn't this have gone into HEAD? I thought vuln.xml was only used in
> >> head, not from the branches.
> >>
> >
> > And not even the current branch... That's weird.
> >
> > Can we get old branches locked down a bit further?
>
> Umm, sorry, my mistake, I had the 2015Q2 branch checked out, and just
> entirely missed it. I will merge to HEAD as I write... :-/
>
That's OK, things happen. I already copied your entry to HEAD.