Date:      Thu, 23 Jul 2015 13:21:06 +0000 (UTC)
From:      Palle Girgensohn <girgen@FreeBSD.org>
To:        ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject:   svn commit: r392720 - in head: devel/xmltooling devel/xmltooling/files security/opensaml2 security/opensaml2/files security/shibboleth2-sp security/shibboleth2-sp/files
Message-ID:  <201507231321.t6NDL6dE060850@repo.freebsd.org>

Author: girgen
Date: Thu Jul 23 13:21:05 2015
New Revision: 392720
URL: https://svnweb.freebsd.org/changeset/ports/392720

Log:
  Shibboleth SP software crashes on well-formed but invalid XML.
  
  The Service Provider software contains a code path with an uncaught
  exception that can be triggered by an unauthenticated attacker by
  supplying well-formed but schema-invalid XML in the form of SAML
  metadata or SAML protocol messages. The result is a crash and so
  causes a denial of service.
  
  You must rebuild opensaml and shibboleth with xmltooling-1.5.5 or later.
  The easiest way to do so is to update the whole chain including
  shibboleth-2.5.5 and opensaml-2.5.5.
  
  URL:    	http://shibboleth.net/community/advisories/secadv_20150721.txt
  Security:	CVE-2015-2684

Deleted:
  head/security/opensaml2/files/patch-doc_Makefile.in
Modified:
  head/devel/xmltooling/Makefile
  head/devel/xmltooling/distinfo
  head/devel/xmltooling/files/patch-doc_Makefile.in
  head/devel/xmltooling/pkg-plist
  head/security/opensaml2/Makefile
  head/security/opensaml2/distinfo
  head/security/opensaml2/pkg-plist
  head/security/shibboleth2-sp/Makefile
  head/security/shibboleth2-sp/distinfo
  head/security/shibboleth2-sp/files/patch-shibboleth-spec
  head/security/shibboleth2-sp/pkg-plist

Modified: head/devel/xmltooling/Makefile
==============================================================================
--- head/devel/xmltooling/Makefile	Thu Jul 23 11:33:00 2015	(r392719)
+++ head/devel/xmltooling/Makefile	Thu Jul 23 13:21:05 2015	(r392720)
@@ -2,10 +2,9 @@
 # $FreeBSD$
 
 PORTNAME=	xmltooling
-PORTVERSION=	1.5.3
-PORTREVISION=	3
+PORTVERSION=	1.5.5
 CATEGORIES=	devel security
-MASTER_SITES=	http://shibboleth.net/downloads/c++-opensaml/2.5.3/
+MASTER_SITES=	http://shibboleth.net/downloads/c++-opensaml/2.5.5/
 
 MAINTAINER=	girgen@FreeBSD.org
 COMMENT=	Low level XML support for SAML

Modified: head/devel/xmltooling/distinfo
==============================================================================
--- head/devel/xmltooling/distinfo	Thu Jul 23 11:33:00 2015	(r392719)
+++ head/devel/xmltooling/distinfo	Thu Jul 23 13:21:05 2015	(r392720)
@@ -1,2 +1,2 @@
-SHA256 (xmltooling-1.5.3.tar.gz) = 90e453deb738574b04f1f1aa08ed7cc9d8746bcbf93eb59f401a6e38f2ec9574
-SIZE (xmltooling-1.5.3.tar.gz) = 675350
+SHA256 (xmltooling-1.5.5.tar.gz) = 5507332878b1f611efe791c8eeabd9b8327d75602949f0cb189970b8a221333f
+SIZE (xmltooling-1.5.5.tar.gz) = 713161

Modified: head/devel/xmltooling/files/patch-doc_Makefile.in
==============================================================================
--- head/devel/xmltooling/files/patch-doc_Makefile.in	Thu Jul 23 11:33:00 2015	(r392719)
+++ head/devel/xmltooling/files/patch-doc_Makefile.in	Thu Jul 23 13:21:05 2015	(r392720)
@@ -1,6 +1,6 @@
---- doc/Makefile.in.orig	2011-07-25 16:15:04.474558171 -0400
-+++ doc/Makefile.in	2011-07-25 16:16:15.041554095 -0400
-@@ -233,7 +233,7 @@
+--- doc/Makefile.in.orig	2015-07-09 17:28:24.000000000 +0200
++++ doc/Makefile.in	2015-07-21 20:54:22.000000000 +0200
+@@ -317,7 +317,7 @@
  top_builddir = @top_builddir@
  top_srcdir = @top_srcdir@
  AUTOMAKE_OPTIONS = foreign
@@ -9,22 +9,12 @@
  docfiles = \
  	README.txt \
  	LICENSE.txt \
-@@ -243,7 +243,7 @@
- 	CURL.LICENSE
- 
- pkgdoc_DATA = $(docfiles)
--EXTRA_DIST = $(docfiles) api
-+EXTRA_DIST = $(docfiles)
- all: all-am
- 
- .SUFFIXES:
-@@ -455,10 +455,6 @@
+@@ -547,9 +547,6 @@
  
  
  install-data-hook:
 -	if test -d api ; then \
 -		cp -r api $(DESTDIR)$(pkgdocdir); \
--		rm -rf `find $(DESTDIR)$(pkgdocdir)/api -name .svn`; \
 -	fi;
  
  # Tell versions [3.59,3.63) of GNU make to not export all variables.

Modified: head/devel/xmltooling/pkg-plist
==============================================================================
--- head/devel/xmltooling/pkg-plist	Thu Jul 23 11:33:00 2015	(r392719)
+++ head/devel/xmltooling/pkg-plist	Thu Jul 23 13:21:05 2015	(r392720)
@@ -82,10 +82,10 @@ include/xmltooling/validation/ValidatorS
 include/xmltooling/version.h
 lib/libxmltooling-lite.so
 lib/libxmltooling-lite.so.6
-lib/libxmltooling-lite.so.6.0.3
+lib/libxmltooling-lite.so.6.0.5
 lib/libxmltooling.so
 lib/libxmltooling.so.6
-lib/libxmltooling.so.6.0.3
+lib/libxmltooling.so.6.0.5
 libdata/pkgconfig/xmltooling.pc
 share/xml/xmltooling/catalog.xml
 share/xml/xmltooling/soap-envelope.xsd

Modified: head/security/opensaml2/Makefile
==============================================================================
--- head/security/opensaml2/Makefile	Thu Jul 23 11:33:00 2015	(r392719)
+++ head/security/opensaml2/Makefile	Thu Jul 23 13:21:05 2015	(r392720)
@@ -2,7 +2,7 @@
 # $FreeBSD$
 
 PORTNAME=	opensaml2
-PORTVERSION=	2.5.4
+PORTVERSION=	2.5.5
 CATEGORIES=	security
 MASTER_SITES=	http://shibboleth.net/downloads/c++-opensaml/${PORTVERSION}/
 DISTNAME=	opensaml-${PORTVERSION}

Modified: head/security/opensaml2/distinfo
==============================================================================
--- head/security/opensaml2/distinfo	Thu Jul 23 11:33:00 2015	(r392719)
+++ head/security/opensaml2/distinfo	Thu Jul 23 13:21:05 2015	(r392720)
@@ -1,2 +1,2 @@
-SHA256 (opensaml-2.5.4.tar.gz) = 562d3b5fe7b29aefbad9d5910508baf2edcb87327e51a4f239076e54663763e6
-SIZE (opensaml-2.5.4.tar.gz) = 738788
+SHA256 (opensaml-2.5.5.tar.gz) = 133bee4f1cfe79bff33d358391806eaef575cd02db9d3eb532438b24a97b12e0
+SIZE (opensaml-2.5.5.tar.gz) = 739776

Modified: head/security/opensaml2/pkg-plist
==============================================================================
--- head/security/opensaml2/pkg-plist	Thu Jul 23 11:33:00 2015	(r392719)
+++ head/security/opensaml2/pkg-plist	Thu Jul 23 13:21:05 2015	(r392720)
@@ -49,13 +49,12 @@ include/saml/util/CommonDomainCookie.h
 include/saml/util/SAMLConstants.h
 lib/libsaml.so
 lib/libsaml.so.8
-lib/libsaml.so.8.0.4
+lib/libsaml.so.8.0.5
 libdata/pkgconfig/opensaml.pc
 %%PORTDOCS%%%%DOCSDIR%%/README.txt
 %%PORTDOCS%%%%DOCSDIR%%/LICENSE.txt
 %%PORTDOCS%%%%DOCSDIR%%/NOTICE.txt
 %%PORTDOCS%%%%DOCSDIR%%/LOG4CPP.LICENSE
-%%PORTDOCS%%@dir %%DOCSDIR%%/api
 share/xml/opensaml/saml20-catalog.xml
 share/xml/opensaml/saml10-catalog.xml
 share/xml/opensaml/saml11-catalog.xml

Modified: head/security/shibboleth2-sp/Makefile
==============================================================================
--- head/security/shibboleth2-sp/Makefile	Thu Jul 23 11:33:00 2015	(r392719)
+++ head/security/shibboleth2-sp/Makefile	Thu Jul 23 13:21:05 2015	(r392720)
@@ -2,7 +2,7 @@
 # $FreeBSD$
 
 PORTNAME=	shibboleth-sp
-PORTVERSION=	2.5.4
+PORTVERSION=	2.5.5
 CATEGORIES=	security www
 MASTER_SITES=	http://shibboleth.net/downloads/service-provider/${PORTVERSION}/
 
@@ -26,6 +26,8 @@ GROUPS=		shibd
 USE_APACHE=	22+
 USE_OPENSSL=	yes
 
+INSTALL_TARGET=	install-strip
+
 .include <bsd.port.pre.mk>
 
 .if ${APACHE_VERSION} == 22
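Review bot: The added `INSTALL_TARGET=	install-strip` has no comment, and the commit log, which describes only the update for CVE-2015-2684, does not mention it. Stripping the installed binaries and modules changes what ends up in the package and removes symbols that would help when analysing a crash, so it deserves its own justification in a release that fixes a crash bug. I would either add a one-line comment above it stating why the port now strips at install time (presumably the upstream install target leaves the libraries and modules unstripped; confirm), or move it to a separate commit so the security update stays minimal. The rest of the Makefile lies outside this hunk, so any later override of the install target cannot be checked from here.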

Modified: head/security/shibboleth2-sp/distinfo
==============================================================================
--- head/security/shibboleth2-sp/distinfo	Thu Jul 23 11:33:00 2015	(r392719)
+++ head/security/shibboleth2-sp/distinfo	Thu Jul 23 13:21:05 2015	(r392720)
@@ -1,2 +1,2 @@
-SHA256 (shibboleth-sp-2.5.4.tar.gz) = be0adfb324d1831e55b2ce281c7f8bd27bb9bdd65f1d0e9d8019e4cde1ceb6bb
-SIZE (shibboleth-sp-2.5.4.tar.gz) = 993532
+SHA256 (shibboleth-sp-2.5.5.tar.gz) = 30da36e0bba2ce4606a9effc37c05cd110dafdd6d3141468c4aa0f57ce4d96ce
+SIZE (shibboleth-sp-2.5.5.tar.gz) = 1003433

Modified: head/security/shibboleth2-sp/files/patch-shibboleth-spec
==============================================================================
--- head/security/shibboleth2-sp/files/patch-shibboleth-spec	Thu Jul 23 11:33:00 2015	(r392719)
+++ head/security/shibboleth2-sp/files/patch-shibboleth-spec	Thu Jul 23 13:21:05 2015	(r392720)
@@ -1,6 +1,6 @@
---- shibboleth.spec.in.orig	2013-06-16 21:43:47.000000000 +0200
-+++ shibboleth.spec.in	2013-07-29 14:42:22.887422969 +0200
-@@ -59,7 +59,7 @@
+--- shibboleth.spec.in.orig	2015-07-20 21:31:32.000000000 +0200
++++ shibboleth.spec.in	2015-07-22 17:45:15.000000000 +0200
+@@ -71,7 +71,7 @@
  %if "%{_vendor}" == "suse"
  %define pkgdocdir %{_docdir}/shibboleth
  %else
@@ -9,7 +9,7 @@
  %endif
  
  %description
-@@ -203,14 +203,6 @@
+@@ -275,14 +275,6 @@
  /sbin/ldconfig
  %endif
  
@@ -18,7 +18,7 @@
 -if [ -f sp-key.pem ] ; then
 -	%{__chown} %{runuser}:%{runuser} sp-key.pem sp-cert.pem 2>/dev/null || :
 -else
--	sh ./keygen.sh -b -u %{runuser} -g %{runuser}
+-	/bin/sh ./keygen.sh -b -u %{runuser} -g %{runuser}
 -fi
 -
  # Fix ownership of log files (even on new installs, if they're left from an older one).

Modified: head/security/shibboleth2-sp/pkg-plist
==============================================================================
--- head/security/shibboleth2-sp/pkg-plist	Thu Jul 23 11:33:00 2015	(r392719)
+++ head/security/shibboleth2-sp/pkg-plist	Thu Jul 23 13:21:05 2015	(r392720)
@@ -136,7 +136,7 @@ include/shibsp/util/PropertySet.h
 include/shibsp/util/SPConstants.h
 include/shibsp/util/TemplateParameters.h
 include/shibsp/version.h
-lib/libshibsp.so.6.0.4
+lib/libshibsp.so.6.0.5
 lib/libshibsp.so.6
 lib/libshibsp.so
 lib/shibboleth/adfs.so
@@ -146,7 +146,7 @@ lib/shibboleth/plugins-lite.so
 lib/shibboleth/plugins.so
 %%WITH_APACHE_22%%lib/shibboleth/mod_shib_22.so
 %%WITH_APACHE_24%%lib/shibboleth/mod_shib_24.so
-lib/libshibsp-lite.so.6.0.4
+lib/libshibsp-lite.so.6.0.5
 lib/libshibsp-lite.so.6
 lib/libshibsp-lite.so
 sbin/shibd
@@ -170,7 +170,6 @@ share/doc/shibboleth/OPENSSL.LICENSE
 share/doc/shibboleth/README.txt
 share/doc/shibboleth/RELEASE.txt
 share/doc/shibboleth/main.css
-@dir share/doc/shibboleth/api
 @dir share/doc/shibboleth
 @dir lib/shibboleth
 @dir share/xml/shibboleth


