Date: Tue, 27 Feb 2018 15:22:33 +0000 (UTC) From: Palle Girgensohn <girgen@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r463145 - head/security/vuxml Message-ID: <201802271522.w1RFMXKt037661@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: girgen Date: Tue Feb 27 15:22:33 2018 New Revision: 463145 URL: https://svnweb.freebsd.org/changeset/ports/463145 Log: Document security problems with shibboleth-sp Security: CVE-2018-0489 Modified: head/security/vuxml/vuln.xml Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Tue Feb 27 15:04:47 2018 (r463144) +++ head/security/vuxml/vuln.xml Tue Feb 27 15:22:33 2018 (r463145) @@ -58,6 +58,92 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">; + <vuln vid="22438240-1bd0-11e8-a2ec-6cc21735f730"> + <topic>shibboleth-sp -- vulnerable to forged user attribute data</topic> + <affects> + <package> + <name>xmltooling</name> + <range><lt>1.6.4</lt></range> + </package> + <package> + <name>xerces-c3</name> + <range><lt>3.1.4</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml">; + <p>Shibboleth consortium reports:</p> + <blockquote cite="https://shibboleth.net/community/advisories/secadv_20180227.txt">; + <p> + Shibboleth SP software vulnerable to additional data forgery flaws + </p> + <p> + The XML processing performed by the Service Provider software has + been found to be vulnerable to new flaws similar in nature to the + one addressed in an advisory last month. + </p> + <p> + These bugs involve the use of other XML constructs rather than + entity references, and therefore required additional mitigation once + discovered. As with the previous issue, this flaw allows for + changes to an XML document that do not break a digital signature but + can alter the user data passed through to applications behind the SP + and result in impersonation attacks and exposure of protected + information. + </p> + <p> + As before, the use of XML Encryption is a significant mitigation, + but we have not dismissed the possibility that attacks on the + Response "envelope" may be possible, in both the original and this + new case. No actual attacks of this nature are known, so deployers + should prioritize patching systems that expect to handle unencrypted + SAML assertions. + </p> + <p> + An updated version of XMLTooling-C (V1.6.4) is available that + protects against these new attacks, and should help prevent similar + vulnerabilities in the future. + </p> + <p> + Unlike the previous case, these bugs are NOT prevented by any + existing Xerces-C parser version on any platform and cannot be + addressed by any means other than the updated XMLTooling-C library. + </p> + <p> + The Service Provider software relies on a generic XML parser to + process SAML responses and there are limitations in older versions + of the parser that make it impossible to fully disable Document Type + Definition (DTD) processing. + </p> + <p> + Through addition/manipulation of a DTD, it's possible to make + changes to an XML document that do not break a digital signature but + are mishandled by the SP and its libraries. These manipulations can + alter the user data passed through to applications behind the SP and + result in impersonation attacks and exposure of protected + information. + </p> + <p> + While newer versions of the xerces-c3 parser are configured by the + SP into disallowing the use of a DTD via an environment variable, + this feature is not present in the xerces-c3 parser before version + 3.1.4, so an additional fix is being provided now that an actual DTD + exploit has been identified. Xerces-c3-3.1.4 was committed to the + ports tree already on 2016-07-26. + </p> + </blockquote> + </body> + </description> + <references> + <url>https://shibboleth.net/community/advisories/secadv_20180227.txt</url>; + <cvename>CVE-2018-0489</cvename> + </references> + <dates> + <discovery>2018-02-27</discovery> + <entry>2018-02-27</entry> + </dates> + </vuln> + <vuln vid="57580fcc-1a61-11e8-97e0-00e04c1ea73d"> <topic>drupal -- Drupal Core - Multiple Vulnerabilities</topic> <affects>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201802271522.w1RFMXKt037661>