    Shibboleth SP software crashes on well-formed but invalid XML. · 7d7c2271
    Palle Girgensohn authored
    The Service Provider software contains a code path with an uncaught
    exception that can be triggered by an unauthenticated attacker by
    supplying well-formed but schema-invalid XML in the form of SAML
    metadata or SAML protocol messages. The result is a crash and so
    causes a denial of service.
    You must rebuild opensaml and shibboleth with xmltooling-1.5.5 or later.
    The easiest way to do so is to update the whole chain including
    shibboleth-2.5.5 and opensaml2.5.5.
    URL:    	http://shibboleth.net/community/advisories/secadv_20150721.txt
    Security:	CVE-2015-2684
    Approved by:	ports-secteam