From owner-svn-ports-branches@freebsd.org  Fri Jul 24 16:23:50 2015
Return-Path: <owner-svn-ports-branches@freebsd.org>
Delivered-To: svn-ports-branches@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 72B719A967D;
 Fri, 24 Jul 2015 16:23:50 +0000 (UTC)
 (envelope-from so14k@valentine.liquidneon.com)
Received: from valentine.liquidneon.com (valentine.liquidneon.com
 [216.87.78.132])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client CN "valentine.liquidneon.com",
 Issuer "Gandi Standard SSL CA 2" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 54A3515F6;
 Fri, 24 Jul 2015 16:23:50 +0000 (UTC)
 (envelope-from so14k@valentine.liquidneon.com)
Received: by valentine.liquidneon.com (Postfix, from userid 1018)
 id E4F4A8FFDD; Fri, 24 Jul 2015 10:23:12 -0600 (MDT)
Date: Fri, 24 Jul 2015 10:23:12 -0600
From: Brad Davis <brd@FreeBSD.org>
To: Palle Girgensohn <girgen@FreeBSD.org>
Cc: ports-committers@freebsd.org, svn-ports-all@freebsd.org,
 svn-ports-branches@freebsd.org
Subject: Re: svn commit: r392739 - branches/2015Q2/security/vuxml
Message-ID: <20150724162312.GO94853@valentine.liquidneon.com>
References: <201507231624.t6NGOPAZ039747@repo.freebsd.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <201507231624.t6NGOPAZ039747@repo.freebsd.org>
User-Agent: Mutt/1.5.23 (2014-03-12)
X-BeenThere: svn-ports-branches@freebsd.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: SVN commit messages for all the branches of the ports tree
 <svn-ports-branches.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/svn-ports-branches>, 
 <mailto:svn-ports-branches-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-ports-branches/>
List-Post: <mailto:svn-ports-branches@freebsd.org>
List-Help: <mailto:svn-ports-branches-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/svn-ports-branches>, 
 <mailto:svn-ports-branches-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Jul 2015 16:23:50 -0000

On Thu, Jul 23, 2015 at 04:24:25PM +0000, Palle Girgensohn wrote:
> Author: girgen
> Date: Thu Jul 23 16:24:25 2015
> New Revision: 392739
> URL: https://svnweb.freebsd.org/changeset/ports/392739
> 
> Log:
>   Shibboleth SP software crashes on well-formed but invalid XML.
>   
>   The Service Provider software contains a code path with an uncaught
>   exception that can be triggered by an unauthenticated attacker by
>   supplying well-formed but schema-invalid XML in the form of SAML
>   metadata or SAML protocol messages. The result is a crash and so
>   causes a denial of service.
>   
>   You must rebuild opensaml and shibboleth with xmltooling-1.5.5 or later.
>   The easiest way to do so is to update the whole chain including
>   shibboleth-2.5.5 an opensaml2.5.5.
>   
>   URL:    	http://shibboleth.net/community/advisories/secadv_20150721.txt
>   Security:	CVE-2015-2684
>   Approved by:	ports-secteam
> 
> Modified:
>   branches/2015Q2/security/vuxml/vuln.xml

Shouldn't this have gone into HEAD? I thought vuln.xml was only used in
head, not from the branches.


Regards,
Brad Davis