oss-sec mailing list archives
Re: CVE requests for shibboleth service provider
From: Yves-Alexis Perez <corsac () debian org>
Date: Mon, 23 Mar 2015 22:40:14 +0100
On Mon, 2015-03-23 at 13:44 -0400, cve-assign () mitre org wrote:
> > Recommendations
> > -----------------
> > Update to V2.5.4 or later of the Shibboleth SP software
>
> Use CVE-2015-2684 for this Shibboleth Service Provider issue. The
> vendor's secadv_20150319.txt advisory is about this CVE in addition to
> unrelated CVEs in two third-party components (Xerces-C and OpenSSL).
>
> > https://issues.shibboleth.net/jira/issues/?filter=10771
>
> We currently don't know whether CVE-2015-2684 is one of the above 24
> issues on the "Shibboleth 2 SP 2.5.4 Fixes" list, or whether the
> CVE-2015-2684 fix is separate from all of those.

Thanks, as far as I can tell, the security vulnerability is not on that list. The upstream patch is http://svn.shibboleth.net/view/cpp-sp?view=revision&revision=3894 and references SSPCPP-632 which is still not public.

Regards,
--
Yves-Alexis