author	girgen <girgen@FreeBSD.org>	2018-01-20 00:43:35 +0800
committer	girgen <girgen@FreeBSD.org>	2018-01-20 00:43:35 +0800
commit	e343ad14e15d4917ddaf9d46cc1dc926186196a0 (patch)
tree	639467778156f501765fdf593324d9068d9dff75 /security
parent	89d41c5ff514d3d3970c2e365e2b720d42a32403 (diff)
Add more information about the recent security notice for shibboleth2-sp
Diffstat (limited to 'security')
-rw-r--r--	security/vuxml/vuln.xml	12
1 files changed, 12 insertions, 0 deletions
diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml
index 62664a550f9e..f42ce3dd5109 100644
--- a/security/vuxml/vuln.xml
+++ b/security/vuxml/vuln.xml
@@ -338,6 +338,10 @@ Notes:
<name>xmltooling</name>
<range><lt>1.6.3</lt></range>
</package>
+ <package>
+ <name>xerces-c3</name>
+ <range><lt>3.1.4</lt></range>
+ </package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
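Review bot: the new <package> block for xerces-c3 widens an existing VuXML entry to a second port, but the patch (12 insertions in total per the diffstat, all accounted for by the two hunks) does not touch the entry's <dates><modified> element; when an existing entry gains an affected package, bump <modified> so consumers of vuln.xml (pkg audit and the like) see that the scope changed, and confirm the entry's <topic> still names both affected packages. The range <lt>3.1.4</lt> itself is consistent with the description's claim that the DTD-disabling knob is absent before xerces-c3 3.1.4.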
@@ -360,6 +364,14 @@ Notes:
result in impersonation attacks and exposure of protected
information.
</p>
+ <p>
+ While newer versions of the xerces-c3 parser are configured by the
+ SP into disallowing the use of a DTD via an environment variable,
+ this feature is not present in the xerces-c3 parser before version
+ 3.1.4, so an additional fix is being provided now that an actual DTD
+ exploit has been identified. Xerces-c3-3.1.4 was committed to the
+ ports tree already on 2016-07-26.
+ </p>
</blockquote>
</body>
</description>
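Review bot: the added <p> sits inside the <blockquote> that is closed by the following </blockquote>, which presents it as quoted text from the upstream advisory, yet its last sentence ("Xerces-c3-3.1.4 was committed to the ports tree already on 2016-07-26") is FreeBSD-specific commentary the upstream notice cannot have contained; place the paragraph after </blockquote>, still inside <body>, or split the ports-tree note into its own <p> there. Two wording points in the same paragraph: "configured by the SP into disallowing the use of a DTD via an environment variable" reads more clearly as "the SP disables DTD processing in newer xerces-c3 versions via an environment variable", and "an additional fix is being provided now" should state what the fix is (presumably the xerces-c3 range added to <affects> above) so readers know which package to update.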