Date: Mon, 12 Jun 2023 15:09:33 GMT From: Palle Girgensohn <girgen@FreeBSD.org> To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org Subject: git: 5559dc467969 - main - security/vuxml: add devel/xmltooling vulnerability Message-ID: <202306121509.35CF9Xw5013501@gitrepo.freebsd.org>
index | next in thread | raw e-mail
The branch main has been updated by girgen: URL: https://cgit.FreeBSD.org/ports/commit/?id=5559dc4679695cccad5e1c8e95a31ed7ff23b60c commit 5559dc4679695cccad5e1c8e95a31ed7ff23b60c Author: Palle Girgensohn <girgen@FreeBSD.org> AuthorDate: 2023-06-12 15:07:21 +0000 Commit: Palle Girgensohn <girgen@FreeBSD.org> CommitDate: 2023-06-12 15:08:30 +0000 security/vuxml: add devel/xmltooling vulnerability --- security/vuxml/vuln/2023.xml | 36 ++++++++++++++++++++++++++++++++++++ 1 file changed, 36 insertions(+) diff --git a/security/vuxml/vuln/2023.xml b/security/vuxml/vuln/2023.xml index e98e30e6a66a..7c852c80a870 100644 --- a/security/vuxml/vuln/2023.xml +++ b/security/vuxml/vuln/2023.xml @@ -1,3 +1,39 @@ + <vuln vid="f7e9a1cc-0931-11ee-94b4-6cc21735f730"> + <topic>xmltooling -- remote resource access</topic> + <affects> + <package> + <name>xmltooling</name> + <range><lt>3.2.4</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml">; + <p>Shibboleth consortium reports:</p> + <blockquote cite="https://shibboleth.net/community/advisories/secadv_20230612.txt">; + <p>An updated version of the XMLTooling library that is part of the + OpenSAML and Shibboleth Service Provider software is now available + which corrects a server-side request forgery (SSRF) vulnerability.</p> + <p>Including certain legal but "malicious in intent" content in the + KeyInfo element defined by the XML Signature standard will result + in attempts by the SP's shibd process to dereference untrusted + URLs.</p> + <p>While the content of the URL must be supplied within the message + and does not include any SP internal state or dynamic content, + there is at minimum a risk of denial of service, and the attack + could be combined with others to create more serious vulnerabilities + in the future.</p> + </blockquote> + </body> + </description> + <references> + <url>https://shibboleth.net/community/advisories/secadv_20230612.txt</url>; + </references> + <dates> + <discovery>2023-06-12</discovery> + <entry>2023-06-12</entry> + </dates> + </vuln> + <vuln vid="fdca9418-06f0-11ee-abe2-ecf4bbefc954"> <topic>acme.sh -- closes potential remote vuln</topic> <affects>home | help
Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202306121509.35CF9Xw5013501>