FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-11-08 17:51:48 UTC

List all Vulnerabilities, by package

List all Vulnerabilities, by date

k68

These are the vulnerabilities relating to the commit you have selected:

VuXML ID	Description
22438240-1bd0-11e8-a2ec-6cc21735f730	shibboleth-sp -- vulnerable to forged user attribute data Shibboleth consortium reports: Shibboleth SP software vulnerable to additional data forgery flaws The XML processing performed by the Service Provider software has been found to be vulnerable to new flaws similar in nature to the one addressed in an advisory last month. These bugs involve the use of other XML constructs rather than entity references, and therefore required additional mitigation once discovered. As with the previous issue, this flaw allows for changes to an XML document that do not break a digital signature but can alter the user data passed through to applications behind the SP and result in impersonation attacks and exposure of protected information. As before, the use of XML Encryption is a significant mitigation, but we have not dismissed the possibility that attacks on the Response "envelope" may be possible, in both the original and this new case. No actual attacks of this nature are known, so deployers should prioritize patching systems that expect to handle unencrypted SAML assertions. An updated version of XMLTooling-C (V1.6.4) is available that protects against these new attacks, and should help prevent similar vulnerabilities in the future. Unlike the previous case, these bugs are NOT prevented by any existing Xerces-C parser version on any platform and cannot be addressed by any means other than the updated XMLTooling-C library. The Service Provider software relies on a generic XML parser to process SAML responses and there are limitations in older versions of the parser that make it impossible to fully disable Document Type Definition (DTD) processing. Through addition/manipulation of a DTD, it's possible to make changes to an XML document that do not break a digital signature but are mishandled by the SP and its libraries. These manipulations can alter the user data passed through to applications behind the SP and result in impersonation attacks and exposure of protected information. While newer versions of the xerces-c3 parser are configured by the SP into disallowing the use of a DTD via an environment variable, this feature is not present in the xerces-c3 parser before version 3.1.4, so an additional fix is being provided now that an actual DTD exploit has been identified. Xerces-c3-3.1.4 was committed to the ports tree already on 2016-07-26. Discovery 2018-02-27 Entry 2018-02-27 xmltooling < 1.6.4 xerces-c3 < 3.1.4 https://shibboleth.net/community/advisories/secadv_20180227.txt CVE-2018-0489
f7e9a1cc-0931-11ee-94b4-6cc21735f730	xmltooling -- remote resource access Shibboleth consortium reports: An updated version of the XMLTooling library that is part of the OpenSAML and Shibboleth Service Provider software is now available which corrects a server-side request forgery (SSRF) vulnerability. Including certain legal but "malicious in intent" content in the KeyInfo element defined by the XML Signature standard will result in attempts by the SP's shibd process to dereference untrusted URLs. While the content of the URL must be supplied within the message and does not include any SP internal state or dynamic content, there is at minimum a risk of denial of service, and the attack could be combined with others to create more serious vulnerabilities in the future. Discovery 2023-06-12 Entry 2023-06-12 xmltooling < 3.2.4 https://shibboleth.net/community/advisories/secadv_20230612.txt

VuXML ID

Description

22438240-1bd0-11e8-a2ec-6cc21735f730

shibboleth-sp -- vulnerable to forged user attribute data

Shibboleth consortium reports:

Shibboleth SP software vulnerable to additional data forgery flaws

The XML processing performed by the Service Provider software has been found to be vulnerable to new flaws similar in nature to the one addressed in an advisory last month.

These bugs involve the use of other XML constructs rather than entity references, and therefore required additional mitigation once discovered. As with the previous issue, this flaw allows for changes to an XML document that do not break a digital signature but can alter the user data passed through to applications behind the SP and result in impersonation attacks and exposure of protected information.

As before, the use of XML Encryption is a significant mitigation, but we have not dismissed the possibility that attacks on the Response "envelope" may be possible, in both the original and this new case. No actual attacks of this nature are known, so deployers should prioritize patching systems that expect to handle unencrypted SAML assertions.

An updated version of XMLTooling-C (V1.6.4) is available that protects against these new attacks, and should help prevent similar vulnerabilities in the future.

Unlike the previous case, these bugs are NOT prevented by any existing Xerces-C parser version on any platform and cannot be addressed by any means other than the updated XMLTooling-C library.

The Service Provider software relies on a generic XML parser to process SAML responses and there are limitations in older versions of the parser that make it impossible to fully disable Document Type Definition (DTD) processing.

Through addition/manipulation of a DTD, it's possible to make changes to an XML document that do not break a digital signature but are mishandled by the SP and its libraries. These manipulations can alter the user data passed through to applications behind the SP and result in impersonation attacks and exposure of protected information.

While newer versions of the xerces-c3 parser are configured by the SP into disallowing the use of a DTD via an environment variable, this feature is not present in the xerces-c3 parser before version 3.1.4, so an additional fix is being provided now that an actual DTD exploit has been identified. Xerces-c3-3.1.4 was committed to the ports tree already on 2016-07-26.

Discovery 2018-02-27
Entry 2018-02-27
xmltooling

< 1.6.4

xerces-c3

< 3.1.4

https://shibboleth.net/community/advisories/secadv_20180227.txt
CVE-2018-0489

f7e9a1cc-0931-11ee-94b4-6cc21735f730

xmltooling -- remote resource access

Shibboleth consortium reports:

An updated version of the XMLTooling library that is part of the OpenSAML and Shibboleth Service Provider software is now available which corrects a server-side request forgery (SSRF) vulnerability.

Including certain legal but "malicious in intent" content in the KeyInfo element defined by the XML Signature standard will result in attempts by the SP's shibd process to dereference untrusted URLs.

While the content of the URL must be supplied within the message and does not include any SP internal state or dynamic content, there is at minimum a risk of denial of service, and the attack could be combined with others to create more serious vulnerabilities in the future.

Discovery 2023-06-12
Entry 2023-06-12
xmltooling

< 3.2.4

https://shibboleth.net/community/advisories/secadv_20230612.txt