
List:       oss-security
Subject:    [oss-security] Three Shibboleth issues
From:       Florian Weimer <fw () deneb ! enyo ! de>
Date:       2009-09-23 19:46:05
Message-ID: 87ljk51m2q.fsf () mid ! deneb ! enyo ! de

1)

| The Shibboleth software includes code to encode and decode URL
| information, and has been shown to crash on certain malformed
| encoded URLs due to a buffer overrun.

(Also potential pre-auth code execution.)

<http://shibboleth.internet2.edu/secadv/secadv_20090826.txt>


2)

NUL injection in certificate names:

<http://shibboleth.internet2.edu/secadv/secadv_20090817.txt>


3)

| The Shibboleth software supports the use of SAML metadata to
| identify authentication and encryption keys by means of the
| <KeyDescriptor> element. In previous versions, the software
| was improperly ignoring the "use" attribute and treating all
| elements as valid for both signing/TLS and encryption.

<http://shibboleth.internet2.edu/secadv/secadv_20090817a.txt>

Isolated patches are available here:

<http://lists.alioth.debian.org/pipermail/pkg-shibboleth-devel/2009-September/001213.html>

Be careful when applying them---one hunk touches an inline function in
a header-only C++ class with virtual functions (see the mailing list
discussion).
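For issue 1), an added example that is not from the advisory or the Shibboleth code base: the advisory only states that malformed percent-encoded input made the decoder overrun a buffer. The decoder below, written in Python for clarity, shows the bounds discipline such a routine needs: it verifies that two bytes actually follow a `%` before reading them and rejects non-hex escapes instead of consuming input that is not there. The sample URL is constructed.

```python
# Added example (not the project's code): a percent-decoder that never reads
# past the end of its input on truncated or non-hex escapes such as
# "%", "%4" or "%zz".

HEX_DIGITS = b"0123456789abcdefABCDEF"


def percent_decode(data: bytes) -> bytes:
    """Decode %XX escapes; raise ValueError on malformed input instead of
    indexing beyond the buffer."""
    out = bytearray()
    i = 0
    n = len(data)
    while i < n:
        c = data[i]
        if c != 0x25:  # not '%': copy through unchanged
            out.append(c)
            i += 1
            continue
        # A valid escape needs exactly two more bytes; check BEFORE indexing.
        if i + 2 >= n:
            raise ValueError(f"truncated escape at offset {i}")
        hi, lo = data[i + 1], data[i + 2]
        if hi not in HEX_DIGITS or lo not in HEX_DIGITS:
            raise ValueError(f"non-hex escape at offset {i}")
        out.append(int(data[i + 1:i + 3], 16))
        i += 3
    return bytes(out)


def safe_decode(data: bytes):
    """Wrapper for request handling: (True, decoded) or (False, reason)
    so a malformed URL is logged and rejected rather than crashing."""
    try:
        return True, percent_decode(data)
    except ValueError as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Constructed sample inputs: one well-formed, three malformed.
    for sample in (b"/sso?RelayState=%2Fapp%2Fhome", b"%", b"abc%4", b"x%zzy"):
        print(sample, "->", safe_decode(sample))
```

The decision that matters is the order of the checks: the length test `i + 2 >= n` runs before `data[i + 1]` and `data[i + 2]` are touched, which is exactly the check a C implementation with a raw pointer omits when it overruns.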
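For issue 2), an added example that is not from the advisory: X.509 names are DER strings with an explicit length, so a name can legitimately carry a 0x00 byte, while a consumer that copies the value into a NUL-terminated C string stops at that byte and ends up comparing a shorter name than the one the CA signed. The code below constructs a DER `UTF8String` with an embedded NUL (a constructed sample, not a real certificate), shows the two views of it, and implements the check a verifier wants: decode by length and reject any name containing a NUL rather than silently truncating it.

```python
# Added example (constructed; not the project's code): length-delimited DER
# string handling versus a C-string view, and a check that rejects names
# with embedded NUL bytes.

DER_UTF8STRING = 0x0C


def der_utf8string(value: bytes) -> bytes:
    """Encode value as a DER UTF8String TLV (short-form length, < 128 bytes)."""
    if len(value) >= 128:
        raise ValueError("short-form length only in this example")
    return bytes([DER_UTF8STRING, len(value)]) + value


def parse_der_string(tlv: bytes) -> bytes:
    """Return the full content of a short-form DER UTF8String, using the
    encoded length rather than any terminator inside the value."""
    if len(tlv) < 2 or tlv[0] != DER_UTF8STRING:
        raise ValueError("not a DER UTF8String")
    length = tlv[1]
    if length >= 128 or len(tlv) != 2 + length:
        raise ValueError("unsupported or malformed DER length")
    return tlv[2:]


def as_c_string(value: bytes) -> bytes:
    """What a NUL-terminated string routine would see for the same bytes."""
    return value.split(b"\x00", 1)[0]


def validated_name(tlv: bytes) -> str:
    """Decode a certificate name and refuse embedded NULs outright."""
    raw = parse_der_string(tlv)
    if b"\x00" in raw:
        raise ValueError("certificate name contains an embedded NUL byte")
    return raw.decode("utf-8")


# Constructed sample names: one clean, one with an embedded NUL.
CLEAN_NAME = der_utf8string(b"sp.example.org")
NUL_NAME = der_utf8string(b"sp.example.org\x00.other.example")


if __name__ == "__main__":
    print("DER view   :", parse_der_string(NUL_NAME))
    print("C view     :", as_c_string(parse_der_string(NUL_NAME)))
    for name in (CLEAN_NAME, NUL_NAME):
        try:
            print("accepted   :", validated_name(name))
        except ValueError as exc:
            print("rejected   :", exc)
```

The two views of `NUL_NAME` differ: the DER parser returns the whole signed value, the C-string view stops at the NUL. A comparison that trusts the C-string view matches a name the CA never certified, which is why the validation step rejects the NUL instead of picking one of the two interpretations.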
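For issue 3), an added example that is not from the advisory or the Shibboleth code base: it parses a constructed SAML metadata fragment with `xml.etree.ElementTree` and contrasts the pre-fix behaviour the advisory describes (every `<KeyDescriptor>` treated as valid for both signing/TLS and encryption) with selection that honours the `use` attribute. A `<KeyDescriptor>` without `use` is treated as valid for both purposes, which is what the SAML 2.0 metadata schema specifies for an omitted attribute. The entity ID and key names are constructed sample values.

```python
# Added example (constructed; not the project's code): selecting keys from
# SAML metadata with and without honouring the KeyDescriptor "use" attribute.
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample metadata: one signing key, one encryption key, one key
# with no "use" attribute (valid for both purposes).
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}"
    entityID="https://sp.example.org/sample">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:KeyName>sign-key</ds:KeyName></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:KeyName>enc-key</ds:KeyName></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor>
      <ds:KeyInfo><ds:KeyName>dual-key</ds:KeyName></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def key_descriptors(xml_text: str):
    """Yield (use, key name) for every KeyDescriptor in the metadata."""
    root = ET.fromstring(xml_text)
    for kd in root.iter(f"{{{MD}}}KeyDescriptor"):
        name = kd.find(f"{{{DS}}}KeyInfo/{{{DS}}}KeyName")
        yield kd.get("use"), (name.text if name is not None else None)


def keys_ignoring_use(xml_text: str, purpose: str):
    """Pre-fix behaviour described in the advisory: "use" is ignored, so
    every key is offered for every purpose."""
    return [name for _use, name in key_descriptors(xml_text)]


def keys_for(xml_text: str, purpose: str):
    """Correct selection: honour "use"; an absent attribute means both."""
    if purpose not in ("signing", "encryption"):
        raise ValueError(f"unknown key purpose: {purpose}")
    return [name for use, name in key_descriptors(xml_text)
            if use is None or use == purpose]


if __name__ == "__main__":
    for purpose in ("signing", "encryption"):
        print(purpose, "ignoring use:", keys_ignoring_use(SAMPLE_METADATA, purpose))
        print(purpose, "honouring use:", keys_for(SAMPLE_METADATA, purpose))
```

With `use` ignored, `enc-key` is accepted as a signing/TLS key and `sign-key` is used to encrypt, so a key the peer published for one purpose only is trusted for the other; `keys_for` restricts each purpose to the keys declared for it.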