Date: Fri, 24 Jul 2015 16:58:17 +0000 (UTC) From: Mark Felder <feld@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r392829 - head/security/vuxml Message-ID: <201507241658.t6OGwHer000780@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: feld Date: Fri Jul 24 16:58:16 2015 New Revision: 392829 URL: https://svnweb.freebsd.org/changeset/ports/392829 Log: Document shibboleth DoS Security: CVE-2015-2684 Modified: head/security/vuxml/vuln.xml Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Fri Jul 24 15:27:14 2015 (r392828) +++ head/security/vuxml/vuln.xml Fri Jul 24 16:58:16 2015 (r392829) @@ -58,6 +58,54 @@ Notes: --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> + <vuln vid="b202e4ce-3114-11e5-aa32-0026551a22dc"> + <topic>shibboleth-sp -- DoS vulnerability</topic> + <affects> + <package> + <name>xmltooling</name> + <range><lt>1.5.5</lt></range> + </package> + <package> + <name>opensaml2</name> + <range><lt>2.5.5</lt></range> + </package> + <package> + <name>shibboleth-sp</name> + <range><lt>2.5.5</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Shibboleth consortium reports:</p> + <blockquote cite="http://shibboleth.net/community/advisories/secadv_20150721.txt"> + <p> + Shibboleth SP software crashes on well-formed but invalid XML. + </p> + <p> + The Service Provider software contains a code path with an uncaught + exception that can be triggered by an unauthenticated attacker by + supplying well-formed but schema-invalid XML in the form of SAML + metadata or SAML protocol messages. The result is a crash and so + causes a denial of service. + </p> + <p> + You must rebuild opensaml and shibboleth with xmltooling-1.5.5 or + later. The easiest way to do so is to update the whole chain including + shibboleth-2.5.5 an opensaml2.5.5. + </p> + </blockquote> + </body> + </description> + <references> + <url>http://shibboleth.net/community/advisories/secadv_20150721.txt</url> + <cvename>CVE-2015-2684</cvename> + </references> + <dates> + <discovery>2015-07-21</discovery> + <entry>2015-07-23</entry> + </dates> + </vuln> + <vuln vid="c80b27a2-3165-11e5-8a1d-14dae9d210b8"> <topic>wordpress -- XSS vulnerability</topic> <affects>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201507241658.t6OGwHer000780>