Date: Fri, 24 Jul 2015 18:16:34 -0500 From: Mark Felder <feld@feld.me> To: Palle Girgensohn <girgen@FreeBSD.org> Cc: Brad Davis <brd@FreeBSD.org>, ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-branches@freebsd.org Subject: Re: svn commit: r392739 - branches/2015Q2/security/vuxml Message-ID: <1437779794.2853329.332590825.1F60B83A@webmail.messagingengine.com> In-Reply-To: <9A468FE8-4FB1-4781-B21E-D16444233D80@FreeBSD.org> References: <201507231624.t6NGOPAZ039747@repo.freebsd.org> <20150724162312.GO94853@valentine.liquidneon.com> <1437756844.2148972.332341833.7702303E@webmail.messagingengine.com> <9A468FE8-4FB1-4781-B21E-D16444233D80@FreeBSD.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Fri, Jul 24, 2015, at 16:38, Palle Girgensohn wrote: > > > 24 jul 2015 kl. 18:54 skrev Mark Felder <feld@feld.me>: > > > > > > > > On Fri, Jul 24, 2015, at 11:23, Brad Davis wrote: > >> On Thu, Jul 23, 2015 at 04:24:25PM +0000, Palle Girgensohn wrote: > >>> Author: girgen > >>> Date: Thu Jul 23 16:24:25 2015 > >>> New Revision: 392739 > >>> URL: https://svnweb.freebsd.org/changeset/ports/392739 > >>> > >>> Log: > >>> Shibboleth SP software crashes on well-formed but invalid XML. > >>> > >>> The Service Provider software contains a code path with an uncaught > >>> exception that can be triggered by an unauthenticated attacker by > >>> supplying well-formed but schema-invalid XML in the form of SAML > >>> metadata or SAML protocol messages. The result is a crash and so > >>> causes a denial of service. > >>> > >>> You must rebuild opensaml and shibboleth with xmltooling-1.5.5 or later. > >>> The easiest way to do so is to update the whole chain including > >>> shibboleth-2.5.5 an opensaml2.5.5. > >>> > >>> URL: http://shibboleth.net/community/advisories/secadv_20150721.txt > >>> Security: CVE-2015-2684 > >>> Approved by: ports-secteam > >>> > >>> Modified: > >>> branches/2015Q2/security/vuxml/vuln.xml > >> > >> Shouldn't this have gone into HEAD? I thought vuln.xml was only used in > >> head, not from the branches. > >> > > > > And not even the current branch... That's weird. > > > > Can we get old branches locked down a bit further? > > Umm, sorry, my mistake, I had the 2015Q2 branch checked out, and just > entierly missed it. I will merge to HEAD as I write... :-/ > That's OK, things happen. I already copied your entry to HEAD.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1437779794.2853329.332590825.1F60B83A>