Date: Fri, 24 Jul 2015 10:23:12 -0600 From: Brad Davis <brd@FreeBSD.org> To: Palle Girgensohn <girgen@FreeBSD.org> Cc: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-branches@freebsd.org Subject: Re: svn commit: r392739 - branches/2015Q2/security/vuxml Message-ID: <20150724162312.GO94853@valentine.liquidneon.com> In-Reply-To: <201507231624.t6NGOPAZ039747@repo.freebsd.org> References: <201507231624.t6NGOPAZ039747@repo.freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Thu, Jul 23, 2015 at 04:24:25PM +0000, Palle Girgensohn wrote: > Author: girgen > Date: Thu Jul 23 16:24:25 2015 > New Revision: 392739 > URL: https://svnweb.freebsd.org/changeset/ports/392739 > > Log: > Shibboleth SP software crashes on well-formed but invalid XML. > > The Service Provider software contains a code path with an uncaught > exception that can be triggered by an unauthenticated attacker by > supplying well-formed but schema-invalid XML in the form of SAML > metadata or SAML protocol messages. The result is a crash and so > causes a denial of service. > > You must rebuild opensaml and shibboleth with xmltooling-1.5.5 or later. > The easiest way to do so is to update the whole chain including > shibboleth-2.5.5 an opensaml2.5.5. > > URL: http://shibboleth.net/community/advisories/secadv_20150721.txt > Security: CVE-2015-2684 > Approved by: ports-secteam > > Modified: > branches/2015Q2/security/vuxml/vuln.xml Shouldn't this have gone into HEAD? I thought vuln.xml was only used in head, not from the branches. Regards, Brad Davis
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20150724162312.GO94853>