List: oss-security
Subject: [oss-security] Three Shibboleth issues
From: Florian Weimer <fw () deneb ! enyo ! de>
Date: 2009-09-23 19:46:05
Message-ID: 87ljk51m2q.fsf () mid ! deneb ! enyo ! de
1)
| The Shibboleth software includes code to encode and decode URL
| information, and has been shown to crash on certain malformed
| encoded URLs due to a buffer overrun.
(Also potential pre-auth code execution.)
<http://shibboleth.internet2.edu/secadv/secadv_20090826.txt>
2)
NUL injection in certificate names:
<http://shibboleth.internet2.edu/secadv/secadv_20090817.txt>
3)
| The Shibboleth software supports the use of SAML metadata to
| identify authentication and encryption keys by means of the
| <KeyDescriptor> element. In previous versions, the software
| was improperly ignoring the "use" attribute and treating all
| elements as valid for both signing/TLS and encryption.
<http://shibboleth.internet2.edu/secadv/secadv_20090817a.txt>
Isolated patches are available here:
<http://lists.alioth.debian.org/pipermail/pkg-shibboleth-devel/2009-September/001213.html>
Be careful when applying them---one hunk touches an inline function in
a header-only C++ class with virtual functions (see the mailing list
discussion).
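An added illustration of the class of bug behind item 1 (not Shibboleth's code, and not a claim about where its decoder actually fails): a percent-decoder that, on '%', consumes the next two bytes without checking that they exist, beside a strict decoder that bounds-checks and rejects malformed escapes. The `Probe` type is an assumption for this example: it counts reads outside the buffer instead of performing them, so the over-read is visible without undefined behaviour.

```cpp
#include <cctype>
#include <cstddef>
#include <string>

// Instrumented byte source (assumed for this example): a read outside
// [0, size) is counted and returns NUL instead of touching memory, so
// the defect is observable without undefined behaviour.
struct Probe {
    std::string data;
    std::size_t oob_reads = 0;
    char at(std::size_t i) {
        if (i >= data.size()) { ++oob_reads; return '\0'; }
        return data[i];
    }
};

// Value of one hex digit, or -1 if the byte is not a hex digit.
static int hexval(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

// Naive percent-decoder: on '%' it consumes the next two bytes
// unconditionally. Input ending in "%" or "%4" makes it read past the
// end of the buffer.
std::string decode_naive(Probe& in) {
    std::string out;
    for (std::size_t i = 0; i < in.data.size(); ++i) {
        char c = in.at(i);
        if (c == '%') {
            int hi = hexval(in.at(i + 1));
            int lo = hexval(in.at(i + 2));
            out.push_back(static_cast<char>(hi * 16 + lo));
            i += 2;
        } else if (c == '+') {
            out.push_back(' ');
        } else {
            out.push_back(c);
        }
    }
    return out;
}

// Strict decoder: every '%' must be followed by two hex digits that are
// actually inside the buffer; anything else is rejected, not guessed at.
bool decode_strict(const std::string& in, std::string& out) {
    out.clear();
    for (std::size_t i = 0; i < in.size(); ++i) {
        char c = in[i];
        if (c == '%') {
            if (i + 2 >= in.size()) return false;   // truncated escape
            int hi = hexval(in[i + 1]);
            int lo = hexval(in[i + 2]);
            if (hi < 0 || lo < 0) return false;     // non-hex escape
            out.push_back(static_cast<char>(hi * 16 + lo));
            i += 2;
        } else if (c == '+') {
            out.push_back(' ');
        } else {
            out.push_back(c);
        }
    }
    return true;
}

// How many out-of-bounds reads the naive decoder performs on an input.
std::size_t naive_oob_reads(const std::string& s) {
    Probe p;
    p.data = s;
    decode_naive(p);
    return p.oob_reads;
}

// Does the strict decoder accept the input at all?
bool strict_accepts(const std::string& s) {
    std::string out;
    return decode_strict(s, out);
}
```

The constructed inputs "a%4" and "%" are the interesting ones: the naive loop condition only guards `i`, not `i + 1` and `i + 2`, so a trailing escape walks off the end; with a real `char*` buffer that is the over-read the advisory describes as a crash, and in a decoder that writes based on what it read, potentially worse.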
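An added example for item 2 (not Shibboleth's code): why a NUL byte in a certificate name matters. X.509 name components are DER strings with an explicit length, so a NUL inside them is legal at the encoding level; code that hands the bytes to a C-string comparison silently truncates at that NUL. The `DerString` type and the constructed names are assumptions for this example.

```cpp
#include <cstddef>
#include <cstring>
#include <string>

// A DER string as an X.509 parser hands it over (assumed shape for this
// example): pointer plus explicit length. The length, not a terminator,
// defines where the name ends.
struct DerString {
    const unsigned char* data;
    std::size_t len;
};

// Constructed attacker CN with an embedded NUL as part of the DER value.
// A CA that validated only the part after the NUL would have signed it.
static const unsigned char EVIL_CN[] = "good.example.com\0.evil.example";
static const DerString EVIL{EVIL_CN, sizeof(EVIL_CN) - 1};   // 30 bytes, NUL at offset 16

// Constructed legitimate CN for comparison.
static const unsigned char GOOD_CN[] = "good.example.com";
static const DerString GOOD{GOOD_CN, sizeof(GOOD_CN) - 1};

// Naive comparison via C-string rules: strcmp stops at the first NUL,
// so the attacker's name compares equal to the victim's.
bool name_matches_naive(const DerString& cn, const char* expected) {
    return std::strcmp(reinterpret_cast<const char*>(cn.data), expected) == 0;
}

// Length-aware comparison: reject any embedded NUL outright, then
// require both the lengths and every byte to agree.
bool name_matches_strict(const DerString& cn, const std::string& expected) {
    if (std::memchr(cn.data, '\0', cn.len) != nullptr) return false;   // NUL injection
    if (cn.len != expected.size()) return false;
    return std::memcmp(cn.data, expected.data(), cn.len) == 0;
}
```

The same rule applies wherever the name is consumed, not only at the comparison: logging, copying into a `std::string` via the `const char*` constructor, or passing it to a regex will all truncate at the NUL, and a check that runs on the truncated copy is defeated. Rejecting any name containing a NUL before it reaches such code is the simplest defence. Case-insensitive matching for DNS names is omitted here for brevity.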
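An added example for item 3 (not Shibboleth's or OpenSAML's code): selecting keys from SAML metadata `<KeyDescriptor>` elements with the `use` attribute honoured, beside the behaviour the advisory describes, where every key is trusted for every purpose. In SAML 2.0 metadata an omitted `use` means the key serves both signing and encryption; a key published with `use="encryption"` only must not be accepted as a signing key, otherwise compromise of that key (often held by a less protected component) lets an attacker forge signed messages. The `KeyDescriptor` struct, the key identifiers and the entity's key list are constructed for this example.

```cpp
#include <string>
#include <vector>

// A <KeyDescriptor> reduced to what matters here (assumed shape for this
// example): a stand-in for the key material plus the optional "use"
// attribute. An absent "use" means the key serves both purposes.
enum class KeyUse { Signing, Encryption };

struct KeyDescriptor {
    std::string key_id;   // stand-in for the KeyInfo content
    std::string use;      // "signing", "encryption", or "" when absent
};

// Constructed metadata for one entity: a signing-only key, an
// encryption-only key and one unrestricted key.
static const std::vector<KeyDescriptor> ENTITY_KEYS = {
    {"key-sign-only", "signing"},
    {"key-enc-only", "encryption"},
    {"key-both", ""},
};

static const char* use_name(KeyUse u) {
    return u == KeyUse::Signing ? "signing" : "encryption";
}

// Pre-fix behaviour as the advisory describes it: the "use" attribute is
// ignored, so every key is returned for every purpose.
std::vector<std::string> keys_for_ignoring_use(const std::vector<KeyDescriptor>& kds, KeyUse) {
    std::vector<std::string> ids;
    for (const auto& kd : kds) ids.push_back(kd.key_id);
    return ids;
}

// Corrected selection: a key qualifies for a purpose only if "use" is
// absent or names exactly that purpose. An unrecognised value restricts
// the key to nothing, never to everything.
std::vector<std::string> keys_for(const std::vector<KeyDescriptor>& kds, KeyUse purpose) {
    std::vector<std::string> ids;
    for (const auto& kd : kds) {
        if (kd.use.empty() || kd.use == use_name(purpose)) ids.push_back(kd.key_id);
    }
    return ids;
}

// The question a verifier asks when a signature or an encrypted key
// resolves to a particular key: may this key be used for this purpose?
bool key_allowed(const std::vector<KeyDescriptor>& kds, const std::string& key_id, KeyUse purpose) {
    for (const auto& id : keys_for(kds, purpose)) {
        if (id == key_id) return true;
    }
    return false;
}
```

The check that matters in practice is `key_allowed(..., KeyUse::Signing)` on the key that actually verified a signature or TLS handshake: with the pre-fix selection it is true for the encryption-only key, with the corrected selection it is false.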