Date: Fri, 12 Jan 2018 17:39:28 +0000 (UTC)
From: Palle Girgensohn <girgen@FreeBSD.org>
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject: svn commit: r458860 - head/devel/xmltooling
Message-ID: <201801121739.w0CHdSTb050959@repo.freebsd.org>
Author: girgen
Date: Fri Jan 12 17:39:27 2018
New Revision: 458860

URL: https://svnweb.freebsd.org/changeset/ports/458860

Log:
  Update to version 1.6.3

  Shibboleth SP software vulnerable to forged user attribute data
  ====================================================================

  The Service Provider software relies on a generic XML parser to process
  SAML responses and there are limitations in older versions of the parser
  that make it impossible to fully disable Document Type Definition (DTD)
  processing.

  Through addition/manipulation of a DTD, it's possible to make changes to
  an XML document that do not break a digital signature but are mishandled
  by the SP and its libraries. These manipulations can alter the user data
  passed through to applications behind the SP and result in impersonation
  attacks and exposure of protected information.

  While the use of XML Encryption can serve as a mitigation for this bug,
  it may still be possible to construct attacks in such cases, and the SP
  does not provide a means to enforce its use.

  An updated version of XMLTooling-C (V1.6.3) is available that works
  around this specific bug. While newer versions of the parser are
  configured by the SP into disallowing the use of a DTD via an
  environment variable, this feature is not present in the parser used on
  some supported platforms (notably Red Hat and CentOS 7), so an
  additional fix is being provided now that an actual DTD exploit has been
  identified.

  Security:	CVE-2018-0486

Modified:
  head/devel/xmltooling/Makefile
  head/devel/xmltooling/distinfo

Modified: head/devel/xmltooling/Makefile
==============================================================================
--- head/devel/xmltooling/Makefile	Fri Jan 12 17:23:33 2018	(r458859)
+++ head/devel/xmltooling/Makefile	Fri Jan 12 17:39:27 2018	(r458860)
@@ -2,7 +2,7 @@ # $FreeBSD$ PORTNAME= xmltooling -PORTVERSION= 1.6.2 +PORTVERSION= 1.6.3 CATEGORIES= devel security MASTER_SITES= http://shibboleth.net/downloads/c++-opensaml/2.6.1/ Modified: head/devel/xmltooling/distinfo ============================================================================== --- head/devel/xmltooling/distinfo Fri Jan 12 17:23:33 2018 (r458859) +++ head/devel/xmltooling/distinfo Fri Jan 12 17:39:27 2018 (r458860) @@ -1,3 +1,3 @@ -TIMESTAMP = 1510878752 -SHA256 (xmltooling-1.6.2.tar.bz2) = 9fa592b2c000f6775e34c6898a4cc21d0a0b9af3fc26a16cc327a426f9caae3c -SIZE (xmltooling-1.6.2.tar.bz2) = 580621 +TIMESTAMP = 1515778316 +SHA256 (xmltooling-1.6.3.tar.bz2) = 7efe0a1480e2169ec6634a9f4c34d6844d73788a9d5fce88d9fca661cebf9806 +SIZE (xmltooling-1.6.3.tar.bz2) = 580477
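Review bot: In the Makefile hunk, MASTER_SITES still points at the c++-opensaml/2.6.1/ download directory while PORTVERSION moves from 1.6.2 to 1.6.3; confirm that xmltooling-1.6.3.tar.bz2 is actually published under that OpenSAML release directory (a `make fetch` against the new distinfo settles it), otherwise the bump cannot fetch. The visible context carries no PORTREVISION line; if the Makefile has one outside this hunk, it must be dropped together with the version bump.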
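Review bot: The distinfo hunk updates TIMESTAMP, SHA256 and SIZE together, which is the complete set, but this SHA256 is the only thing tying the fetched tarball to the security fix named in the log, so the commit should state that the hash was checked against upstream's published checksum or signature rather than only regenerated with `make makesum` from whatever the mirror served. Separately, the Modified list shows only Makefile and distinfo: with CVE-2018-0486 cited in the log, a security/vuxml entry marking xmltooling versions before 1.6.3 as affected should accompany or immediately follow this commit so that `pkg audit` reports installed vulnerable packages.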
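The workaround the log describes, refusing to process a SAML response that declares a DTD at all, can be illustrated with Python's standard-library expat bindings. This is an added example, not XMLTooling's or Shibboleth's code (those build on Xerces-C and its environment-variable switch); the SAML response snippets are constructed, and the `extract_attribute_values` and `accepts` helpers are names chosen here for the illustration. The parse aborts on the first `<!DOCTYPE ...>` declaration, before any element content is read, and additionally refuses to fetch external or parameter entities, so the attribute values an application would receive are only ever taken from a DTD-free document.

```python
"""Refuse SAML responses that declare a DTD before any content is trusted.

Added illustration in stdlib Python (not XMLTooling/Xerces code): the parse
aborts on the first <!DOCTYPE ...> declaration, never resolves parameter or
external entities, and only then reads saml:AttributeValue text.
"""
from typing import List
import xml.parsers.expat as expat

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
# With namespace processing on, expat reports names as "<uri> <localname>".
ATTRIBUTE_VALUE = SAML_NS + " AttributeValue"


class DtdNotAllowed(ValueError):
    """The document carries a DTD (internal subset or external reference)."""


def extract_attribute_values(data: bytes) -> List[str]:
    """Return the saml:AttributeValue texts, or raise DtdNotAllowed."""
    parser = expat.ParserCreate(namespace_separator=" ")
    # Never read an external DTD subset, even if one were declared.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    values: List[str] = []
    path: List[str] = []   # open elements, innermost last
    text: List[str] = []   # character data of the current AttributeValue

    def on_doctype(name, system_id, public_id, has_internal_subset):
        # Any DOCTYPE means entity or attribute-default processing could
        # change what applications see; reject before reading the body.
        raise DtdNotAllowed("DOCTYPE for %r declared; SAML must not carry a DTD" % name)

    def on_external_entity(context, base, system_id, public_id):
        raise DtdNotAllowed("external entity reference to %r" % system_id)

    def on_start(name, attrs):
        path.append(name)
        if name == ATTRIBUTE_VALUE:
            text.clear()

    def on_chars(chunk):
        # expat may deliver one text node in several chunks; concatenate.
        if path and path[-1] == ATTRIBUTE_VALUE:
            text.append(chunk)

    def on_end(name):
        if name == ATTRIBUTE_VALUE:
            values.append("".join(text))
        path.pop()

    parser.StartDoctypeDeclHandler = on_doctype
    parser.ExternalEntityRefHandler = on_external_entity
    parser.StartElementHandler = on_start
    parser.CharacterDataHandler = on_chars
    parser.EndElementHandler = on_end
    parser.Parse(data, True)
    return values


def accepts(data: bytes) -> bool:
    """True if the document parses under the no-DTD policy."""
    try:
        extract_attribute_values(data)
    except (DtdNotAllowed, expat.ExpatError):
        return False
    return True


# Constructed sample: a minimal, DTD-free SAML response.
CLEAN_RESPONSE = b"""<?xml version="1.0"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:AttributeStatement>
      <saml:Attribute Name="eduPersonPrincipalName">
        <saml:AttributeValue>alice@example.org</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""

# Constructed sample: the same response with a DTD prepended. The element
# content is unchanged, mirroring the log's point that a DTD can be added
# without disturbing a signature computed over the body.
RESPONSE_WITH_DTD = (
    b'<?xml version="1.0"?>\n'
    b'<!DOCTYPE samlp:Response [ <!ENTITY placeholder "x"> ]>\n'
    + CLEAN_RESPONSE.split(b"\n", 1)[1]
)

if __name__ == "__main__":
    print(extract_attribute_values(CLEAN_RESPONSE))            # ['alice@example.org']
    print(accepts(CLEAN_RESPONSE), accepts(RESPONSE_WITH_DTD))  # True False
```

Rejecting at the DOCTYPE handler, rather than after parsing, is the point: the decision is taken before expat has processed any entity declarations or element content, so no partially expanded data exists to be mishandled by later stages such as signature verification or attribute extraction.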