FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

shibboleth-sp -- DoS vulnerability

Affected packages
xmltooling < 1.5.5
opensaml2 < 2.5.5
shibboleth-sp < 2.5.5

Details

VuXML ID b202e4ce-3114-11e5-aa32-0026551a22dc
Discovery 2015-07-21
Entry 2015-07-23

Shibboleth consortium reports:

Shibboleth SP software crashes on well-formed but invalid XML.

The Service Provider software contains a code path with an uncaught exception that can be triggered by an unauthenticated attacker by supplying well-formed but schema-invalid XML in the form of SAML metadata or SAML protocol messages. The result is a crash and so causes a denial of service.

You must rebuild opensaml and shibboleth with xmltooling-1.5.5 or later. The easiest way to do so is to update the whole chain including shibboleth-2.5.5 an opensaml2.5.5.

References

CVE Name CVE-2015-2684
URL http://shibboleth.net/community/advisories/secadv_20150721.txt