shibboleth-sp -- DoS vulnerability

2015-07-21T00:00:00
ID B202E4CE-3114-11E5-AA32-0026551A22DC
Type freebsd
Reporter FreeBSD
Modified 2015-07-21T00:00:00

Description

Shibboleth consortium reports:

    Shibboleth SP software crashes on well-formed but invalid XML.


    The Service Provider software contains a code path with an uncaught
    exception that can be triggered by an unauthenticated attacker by
    supplying well-formed but schema-invalid XML in the form of SAML
    metadata or SAML protocol messages. The result is a crash and so
    causes a denial of service.


    You must rebuild opensaml and shibboleth with xmltooling-1.5.5 or
    later. The easiest way to do so is to update the whole chain including
    shibboleth-2.5.5 an opensaml2.5.5.