Date: Fri, 24 Jul 2015 11:54:04 -0500 From: Mark Felder <feld@feld.me> To: Brad Davis <brd@FreeBSD.org>, Palle Girgensohn <girgen@FreeBSD.org> Cc: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-branches@freebsd.org Subject: Re: svn commit: r392739 - branches/2015Q2/security/vuxml Message-ID: <1437756844.2148972.332341833.7702303E@webmail.messagingengine.com> In-Reply-To: <20150724162312.GO94853@valentine.liquidneon.com> References: <201507231624.t6NGOPAZ039747@repo.freebsd.org> <20150724162312.GO94853@valentine.liquidneon.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Fri, Jul 24, 2015, at 11:23, Brad Davis wrote: > On Thu, Jul 23, 2015 at 04:24:25PM +0000, Palle Girgensohn wrote: > > Author: girgen > > Date: Thu Jul 23 16:24:25 2015 > > New Revision: 392739 > > URL: https://svnweb.freebsd.org/changeset/ports/392739 > > > > Log: > > Shibboleth SP software crashes on well-formed but invalid XML. > > > > The Service Provider software contains a code path with an uncaught > > exception that can be triggered by an unauthenticated attacker by > > supplying well-formed but schema-invalid XML in the form of SAML > > metadata or SAML protocol messages. The result is a crash and so > > causes a denial of service. > > > > You must rebuild opensaml and shibboleth with xmltooling-1.5.5 or later. > > The easiest way to do so is to update the whole chain including > > shibboleth-2.5.5 an opensaml2.5.5. > > > > URL: http://shibboleth.net/community/advisories/secadv_20150721.txt > > Security: CVE-2015-2684 > > Approved by: ports-secteam > > > > Modified: > > branches/2015Q2/security/vuxml/vuln.xml > > Shouldn't this have gone into HEAD? I thought vuln.xml was only used in > head, not from the branches. > And not even the current branch... That's weird. Can we get old branches locked down a bit further?
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1437756844.2148972.332341833.7702303E>