Date: Wed, 23 Sep 2009 19:46:05 +0000
From: Florian Weimer <fw@...eb.enyo.de>
To: oss-security@...ts.openwall.com
Cc: coley@...us.mitre.org
Subject: Three Shibboleth issues
1)
| The Shibboleth software includes code to encode and decode URL
| information, and has been shown to crash on certain malformed
| encoded URLs due to a buffer overrun.
(Also potential pre-auth code execution.)
<http://shibboleth.internet2.edu/secadv/secadv_20090826.txt>
2)
NUL injection in certificate names:
<http://shibboleth.internet2.edu/secadv/secadv_20090817.txt>
3)
| The Shibboleth software supports the use of SAML metadata to
| identify authentication and encryption keys by means of the
| <KeyDescriptor> element. In previous versions, the software
| was improperly ignoring the "use" attribute and treating all
| elements as valid for both signing/TLS and encryption.
<http://shibboleth.internet2.edu/secadv/secadv_20090817a.txt>
Isolated patches are available here:
<http://lists.alioth.debian.org/pipermail/pkg-shibboleth-devel/2009-September/001213.html>
Be careful when applying them---one hunk touches an inline function in
a header-only C++ class with virtual functions (see the mailing list
discussion).
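The key-selection behaviour item 3 describes, as an added example that is not Shibboleth's code or the poster's: a "before" function that ignores the KeyDescriptor "use" attribute beside the corrected one that honours it. The metadata is constructed sample input; the namespaces are the standard SAML 2.0 metadata and XML-DSig ones, and the key names stand in for real certificates.

```python
# Added example (not Shibboleth's code): selecting keys from SAML metadata
# by the KeyDescriptor "use" attribute, beside the pre-fix behaviour.
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
# Constructed sample metadata; KeyName values stand in for certificates.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}"
    entityID="https://idp.example.org/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:KeyName>idp-signing-key</ds:KeyName></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:KeyName>idp-encryption-key</ds:KeyName></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor>
      <ds:KeyInfo><ds:KeyName>idp-dual-use-key</ds:KeyName></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def keys_ignoring_use(metadata_xml):
    """Pre-fix behaviour from the advisory: every KeyDescriptor is returned
    regardless of purpose, so an encryption-only key would also be trusted
    for signature/TLS verification."""
    root = ET.fromstring(metadata_xml)
    return [kn.text for kn in root.iter(f"{{{DS}}}KeyName")]

def keys_for_use(metadata_xml, purpose):
    """Corrected selection: honour "use". A KeyDescriptor with no "use" is
    valid for both purposes (SAML metadata semantics); one with an explicit
    "use" is valid only for that purpose, and unknown values select nothing."""
    if purpose not in ("signing", "encryption"):
        raise ValueError("purpose must be 'signing' or 'encryption'")
    root = ET.fromstring(metadata_xml)
    selected = []
    for kd in root.iter(f"{{{MD}}}KeyDescriptor"):
        use = kd.get("use")
        if use is not None and use != purpose:
            continue  # declared for a different purpose: not a candidate
        for kn in kd.iter(f"{{{DS}}}KeyName"):
            selected.append(kn.text)
    return selected

if __name__ == "__main__":
    print("ignoring use:", keys_ignoring_use(SAMPLE_METADATA))
    print("signing:     ", keys_for_use(SAMPLE_METADATA, "signing"))
    print("encryption:  ", keys_for_use(SAMPLE_METADATA, "encryption"))
```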