oss-sec mailing list archives
Three Shibboleth issues
From: Florian Weimer <fw () deneb enyo de>
Date: Wed, 23 Sep 2009 19:46:05 +0000
1)

| The Shibboleth software includes code to encode and decode URL
| information, and has been shown to crash on certain malformed
| encoded URLs due to a buffer overrun.

(Also potential pre-auth code execution.)

<http://shibboleth.internet2.edu/secadv/secadv_20090826.txt>

2) NUL injection in certificate names:

<http://shibboleth.internet2.edu/secadv/secadv_20090817.txt>

3)

| The Shibboleth software supports the use of SAML metadata to
| identify authentication and encryption keys by means of the
| <KeyDescriptor> element. In previous versions, the software
| was improperly ignoring the "use" attribute and treating all
| elements as valid for both signing/TLS and encryption.

<http://shibboleth.internet2.edu/secadv/secadv_20090817a.txt>

Isolated patches are available here:

<http://lists.alioth.debian.org/pipermail/pkg-shibboleth-devel/2009-September/001213.html>

Be careful when applying them---one hunk touches an inline function
in a header-only C++ class with virtual functions (see the mailing
list discussion).
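Issues 1 and 2 above are both instances of handling attacker-controlled bytes with C-string assumptions: a percent-decoder that trusts every '%' to be followed by two bytes, and a certificate name comparison that stops at the first NUL. The block below is an added illustration of that bug class and its hardened counterpart; it is not Shibboleth's code and does not reproduce the exact defect in the advisories. The decoder, the name-comparison helpers and the sample subject name (constructed, with an embedded NUL) are all assumptions of this example.

```cpp
#include <cstddef>
#include <cstdio>
#include <cstring>
#include <optional>
#include <string>

// Hex digit to its value, or -1 for anything else.
static int hexval(unsigned char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

// Issue 1, the bug class (illustrative pattern, not Shibboleth's code): a
// decoder that assumes every '%' is followed by two bytes. On "a%4" or a
// trailing "%" it reads p[1]/p[2] beyond the NUL terminator and then steps
// over the terminator, so the loop continues into whatever memory follows.
void urldecode_unsafe(const char* in, char* out) {
    for (const char* p = in; *p; ++p) {
        if (*p == '%') {
            *out++ = static_cast<char>(hexval(p[1]) * 16 + hexval(p[2]));
            p += 2;                              // may step past the terminator
        } else {
            *out++ = (*p == '+') ? ' ' : *p;
        }
    }
    *out = '\0';
}

// Wrapper for well-formed input only; used to show the unsafe decoder working
// on benign data. It must never be fed malformed input, which is the point.
std::string decode_unsafe_wellformed(const char* in) {
    std::string buf(std::strlen(in) + 1, '\0');
    urldecode_unsafe(in, &buf[0]);
    return std::string(buf.c_str());
}

// Hardened decoder: works on a length-carrying string, checks that both escape
// bytes exist and are hex digits, and (a choice for this context) refuses %00,
// since a decoded NUL would truncate any C-string consumer downstream.
// Returns std::nullopt on malformed input instead of guessing.
std::optional<std::string> urldecode_safe(const std::string& in) {
    std::string out;
    out.reserve(in.size());
    for (std::size_t i = 0; i < in.size(); ++i) {
        char c = in[i];
        if (c == '%') {
            if (i + 2 >= in.size()) return std::nullopt;            // truncated escape
            int hi = hexval(static_cast<unsigned char>(in[i + 1]));
            int lo = hexval(static_cast<unsigned char>(in[i + 2]));
            if (hi < 0 || lo < 0) return std::nullopt;               // non-hex digit
            char decoded = static_cast<char>(hi * 16 + lo);
            if (decoded == '\0') return std::nullopt;                // %00 rejected
            out.push_back(decoded);
            i += 2;
        } else {
            out.push_back(c == '+' ? ' ' : c);
        }
    }
    return out;
}

// Issue 2: a subject name as it comes out of a length-prefixed X.509 field.
// Constructed sample with an embedded NUL; std::string keeps all 30 bytes.
const std::string kCnWithNul("www.example.com\0.attacker.test", 30);

// Vulnerable comparison: c_str() hands the name to strcmp, which stops at the
// first NUL, so the constructed name compares equal to "www.example.com".
bool name_matches_cstr(const std::string& cn, const char* expected) {
    return std::strcmp(cn.c_str(), expected) == 0;
}

// Hardened comparison: reject any embedded NUL (never valid in a DNS name)
// and compare the full byte length.
bool name_matches_safe(const std::string& cn, const std::string& expected) {
    if (cn.find('\0') != std::string::npos) return false;
    return cn == expected;
}

int main() {
    auto ok = urldecode_safe("x+y%2Fz");
    std::printf("safe decode: %s\n", ok ? ok->c_str() : "(rejected)");
    auto bad = urldecode_safe("abc%");
    std::printf("truncated escape: %s\n", bad ? bad->c_str() : "(rejected)");
    std::printf("strcmp match on NUL name: %d\n", name_matches_cstr(kCnWithNul, "www.example.com"));
    std::printf("length-aware match: %d\n", name_matches_safe(kCnWithNul, "www.example.com"));
    return 0;
}
```

The two halves share one lesson: keep the byte length alongside the bytes, and treat a NUL inside a value that is supposed to be text as a reason to reject it, not something to silently stop at.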
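For issue 3, the rule the advisory describes is the SAML metadata one: a <KeyDescriptor> with use="signing" identifies a signing/TLS key, use="encryption" an encryption key, and a descriptor with no use attribute is valid for both. The block below is an added example of applying that rule to a metadata fragment; it is not Shibboleth's or OpenSAML's code. The regex-based extraction, the KeyDescriptor struct, the keysFor() function (with an ignoreUse switch that reproduces the pre-fix behaviour for comparison) and the sample metadata (constructed, with made-up key names and entityID) are all assumptions of this example.

```cpp
#include <iostream>
#include <regex>
#include <string>
#include <vector>

// One <KeyDescriptor> as it appears in SAML metadata: an optional use
// attribute ("signing" or "encryption") and, here, the ds:KeyName that
// identifies the key. Minimal model for this example, not Shibboleth's types.
struct KeyDescriptor {
    std::string use;      // empty when the attribute is absent
    std::string keyName;
};

// Constructed sample metadata: one signing key, one encryption key and one
// descriptor without a use attribute (valid for both purposes).
const std::string kSampleMetadata = R"xml(
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                     entityID="https://idp.example.org/idp">
  <md:IDPSSODescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:KeyName>idp-signing-2009</ds:KeyName></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:KeyName>idp-encryption-2009</ds:KeyName></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor><ds:KeyInfo><ds:KeyName>idp-legacy-dual-use</ds:KeyName></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
)xml";

// Pull KeyDescriptor elements out of a metadata fragment with std::regex.
// A real implementation uses an XML parser; regex is enough to show the rule.
std::vector<KeyDescriptor> parseKeyDescriptors(const std::string& metadata) {
    static const std::regex kd(
        R"re(<(?:md:)?KeyDescriptor\b([^>]*)>([\s\S]*?)</(?:md:)?KeyDescriptor>)re");
    static const std::regex useAttr(R"re(\buse\s*=\s*"([^"]*)")re");
    static const std::regex keyName(R"re(<(?:ds:)?KeyName>\s*([^<\s]+)\s*</(?:ds:)?KeyName>)re");
    std::vector<KeyDescriptor> out;
    for (auto it = std::sregex_iterator(metadata.begin(), metadata.end(), kd);
         it != std::sregex_iterator(); ++it) {
        KeyDescriptor d;
        std::smatch m;
        const std::string attrs = (*it)[1].str();
        const std::string body = (*it)[2].str();
        if (std::regex_search(attrs, m, useAttr)) d.use = m[1].str();
        if (std::regex_search(body, m, keyName)) d.keyName = m[1].str();
        out.push_back(d);
    }
    return out;
}

// Correct rule: a key is valid for a purpose when its use attribute matches
// that purpose or is absent. With ignoreUse = true the function behaves like
// the pre-fix software described in the advisory and returns every key.
std::vector<std::string> keysFor(const std::vector<KeyDescriptor>& kds,
                                 const std::string& purpose, bool ignoreUse = false) {
    std::vector<std::string> out;
    for (const auto& d : kds)
        if (ignoreUse || d.use.empty() || d.use == purpose) out.push_back(d.keyName);
    return out;
}

// Comma-joined key names, for printing and for compact checks.
std::string join(const std::vector<std::string>& v) {
    std::string s;
    for (const auto& k : v) s += (s.empty() ? "" : ",") + k;
    return s;
}

int main() {
    const auto kds = parseKeyDescriptors(kSampleMetadata);
    std::cout << "signing/TLS keys:   " << join(keysFor(kds, "signing")) << "\n";
    std::cout << "encryption keys:    " << join(keysFor(kds, "encryption")) << "\n";
    std::cout << "pre-fix, any use:   " << join(keysFor(kds, "encryption", true)) << "\n";
    return 0;
}
```

The practical consequence of the pre-fix behaviour is visible in the third line of output: a key published only for encryption would also be accepted for signature or TLS verification, so a party holding that key could speak for the entity in a role the metadata never granted it.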