Date: Thu, 21 Mar 2024 14:41:20 GMT
Message-Id: <202403211441.42LEfKVq082241@gitrepo.freebsd.org>
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
From: Ryan Steinmetz
Subject: git: a4a3e3be3c60 - main - security/shibboleth-idp: Document CAS SSRF vulnerability
List-Id: Commits to the main branch of the FreeBSD ports repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-main
Sender: owner-dev-commits-ports-main@freebsd.org
X-BeenThere: dev-commits-ports-main@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: zi
X-Git-Repository: ports
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: a4a3e3be3c6049b11f2d397fa2a4b1651544342a
Auto-Submitted: auto-generated

The branch main has been updated by zi:

URL: https://cgit.FreeBSD.org/ports/commit/?id=a4a3e3be3c6049b11f2d397fa2a4b1651544342a

commit a4a3e3be3c6049b11f2d397fa2a4b1651544342a
Author:     Ryan Steinmetz
AuthorDate: 2024-03-21 14:41:14 +0000
Commit:     Ryan Steinmetz
CommitDate: 2024-03-21 14:41:14 +0000

    security/shibboleth-idp: Document CAS SSRF vulnerability
---
 security/vuxml/vuln/2024.xml | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)

diff --git a/security/vuxml/vuln/2024.xml b/security/vuxml/vuln/2024.xml index 3aeb70ba721b..8dd45661c4c8 100644 --- a/security/vuxml/vuln/2024.xml +++ b/security/vuxml/vuln/2024.xml @@ -1,3 +1,31 @@ + + security/shibboleth-idp -- CAS service SSRF + + + shibboleth-idp + 4.3.04.3.2 + 5.0.05.1.1 + + + + +

Shibboleth Developers report:

+
+

The Identity Provider's CAS support relies on a function in the + Spring Framework to parse CAS service URLs and append the ticket + parameter.

+
+ +
+ + https://shibboleth.net/community/advisories/secadv_20240320.txt + + + 2024-03-20 + 2024-03-21 + +
+ databases/mongodb* -- Improper Certificate Validation
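
Review bot: The quoted description in the new entry stops at how the IdP's CAS support works (a Spring Framework function parses CAS service URLs and appends the ticket parameter) and never states the flaw or its impact, so the topic line is the only place a reader learns this is SSRF. Quote the advisory sentence that says what the URL parsing gets wrong and which deployments are exposed, alongside the existing one. The references list carries only the advisory URL; if a CVE has been assigned, add it there. Also confirm that the lower bounds 4.3.0 and 5.0.0 match the advisory's affected versions rather than excluding older releases that ship the CAS feature.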