oss-sec mailing list archives

Re: CVE requests for shibboleth service provider


From: cve-assign () mitre org
Date: Mon, 23 Mar 2015 13:44:04 -0400 (EDT)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

https://shibboleth.net/community/advisories/secadv_20150319.txt

The SP software contains an authenticated denial of service
vulnerability that results in a crash on certain kinds of malformed
SAML messages. The vulnerability is only triggered when special
conditions are met and after a message or assertion signature
has been verified, so exploitation requires a message produced
under a trusted key.

Recommendations
-----------------
Update to V2.5.4 or later of the Shibboleth SP software

Use CVE-2015-2684 for this Shibboleth Service Provider issue. The
vendor's secadv_20150319.txt advisory is about this CVE in addition to
unrelated CVEs in two third-party components (Xerces-C and OpenSSL).

https://issues.shibboleth.net/jira/issues/?filter=10771

We currently don't know whether CVE-2015-2684 is one of the above 24
issues on the "Shibboleth 2 SP 2.5.4 Fixes" list, or whether the
CVE-2015-2684 fix is separate from all of those.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJVEFBmAAoJEKllVAevmvmsbCEH/2jB7DlY+p1/vTpCMHe3iTXk
HvSfm4Qkq89GmXiChEbGyWY0p4FztSIvX679SWZbgNjnr0RcGQ4HziP9AjV2+7n/
2FxfN/sATcIyTZpQM78S2g9oP5AUFV3WlO1U5cod+SzNYWAVgfcb3hyAHqp7ftzf
epWlNlLyW2ZPnhYJHXVF67kUGcLWab0PZINKtH1Z5x7ANIFzXkDNCiZqI2EFOFtg
m03OKQHCzZUZghOvbWeSic/VfXUwuG5yxzEwixce/euBdUF0b9miwnJy6fEfOwbH
7eRlTBaMRpf9+IVk9UVo+1JCtIUzq3Ww+9ULP1qhxX93FilRATD68DNWvILb2Mg=
=lPwL
-----END PGP SIGNATURE-----
