authorgirgen <girgen@FreeBSD.org>2015-07-23 21:21:05 +0800
committergirgen <girgen@FreeBSD.org>2015-07-23 21:21:05 +0800
commit237b7ecd9fc205c0759acc666863f1ff3324de7e (patch)
treea0355b5c25a6e2caf452710ed13c57da6b9a2f13 /security
parentefcd8c07f8c93e21f0a937da4704f6a15c0844dd (diff)
Shibboleth SP software crashes on well-formed but invalid XML.
The Service Provider software contains a code path with an uncaught exception that can be triggered by an unauthenticated attacker by supplying well-formed but schema-invalid XML in the form of SAML metadata or SAML protocol messages. The result is a crash and so causes a denial of service. You must rebuild opensaml and shibboleth with xmltooling-1.5.5 or later. The easiest way to do so is to update the whole chain including shibboleth-2.5.5 and opensaml2.5.5. URL: http://shibboleth.net/community/advisories/secadv_20150721.txt Security: CVE-2015-2684
Diffstat (limited to 'security')
-rw-r--r--security/opensaml2/Makefile2
-rw-r--r--security/opensaml2/distinfo4
-rw-r--r--security/opensaml2/files/patch-doc_Makefile.in11
-rw-r--r--security/opensaml2/pkg-plist3
-rw-r--r--security/shibboleth2-sp/Makefile4
-rw-r--r--security/shibboleth2-sp/distinfo4
-rw-r--r--security/shibboleth2-sp/files/patch-shibboleth-spec10
-rw-r--r--security/shibboleth2-sp/pkg-plist5
8 files changed, 16 insertions, 27 deletions
diff --git a/security/opensaml2/Makefile b/security/opensaml2/Makefile
index 1f947d5e888e..864e8bd57c97 100644
--- a/security/opensaml2/Makefile
+++ b/security/opensaml2/Makefile
@@ -2,7 +2,7 @@
# $FreeBSD$
PORTNAME= opensaml2
-PORTVERSION= 2.5.4
+PORTVERSION= 2.5.5
CATEGORIES= security
MASTER_SITES= http://shibboleth.net/downloads/c++-opensaml/${PORTVERSION}/
DISTNAME= opensaml-${PORTVERSION}
diff --git a/security/opensaml2/distinfo b/security/opensaml2/distinfo
index 289aaeed5bbd..dbc70343ce3c 100644
--- a/security/opensaml2/distinfo
+++ b/security/opensaml2/distinfo
@@ -1,2 +1,2 @@
-SHA256 (opensaml-2.5.4.tar.gz) = 562d3b5fe7b29aefbad9d5910508baf2edcb87327e51a4f239076e54663763e6
-SIZE (opensaml-2.5.4.tar.gz) = 738788
+SHA256 (opensaml-2.5.5.tar.gz) = 133bee4f1cfe79bff33d358391806eaef575cd02db9d3eb532438b24a97b12e0
+SIZE (opensaml-2.5.5.tar.gz) = 739776
diff --git a/security/opensaml2/files/patch-doc_Makefile.in b/security/opensaml2/files/patch-doc_Makefile.in
deleted file mode 100644
index d3961e9d2ef7..000000000000
--- a/security/opensaml2/files/patch-doc_Makefile.in
+++ /dev/null
@@ -1,11 +0,0 @@
---- doc/Makefile.in.orig
-+++ doc/Makefile.in
-@@ -231,7 +231,7 @@
- LOG4CPP.LICENSE
-
- pkgdoc_DATA = $(docfiles)
--EXTRA_DIST = $(docfiles) api
-+EXTRA_DIST = $(docfiles)
- all: all-am
-
- .SUFFIXES:
diff --git a/security/opensaml2/pkg-plist b/security/opensaml2/pkg-plist
index f5eaef54c063..460b7c1106da 100644
--- a/security/opensaml2/pkg-plist
+++ b/security/opensaml2/pkg-plist
@@ -49,13 +49,12 @@ include/saml/util/CommonDomainCookie.h
include/saml/util/SAMLConstants.h
lib/libsaml.so
lib/libsaml.so.8
-lib/libsaml.so.8.0.4
+lib/libsaml.so.8.0.5
libdata/pkgconfig/opensaml.pc
%%PORTDOCS%%%%DOCSDIR%%/README.txt
%%PORTDOCS%%%%DOCSDIR%%/LICENSE.txt
%%PORTDOCS%%%%DOCSDIR%%/NOTICE.txt
%%PORTDOCS%%%%DOCSDIR%%/LOG4CPP.LICENSE
-%%PORTDOCS%%@dir %%DOCSDIR%%/api
share/xml/opensaml/saml20-catalog.xml
share/xml/opensaml/saml10-catalog.xml
share/xml/opensaml/saml11-catalog.xml
diff --git a/security/shibboleth2-sp/Makefile b/security/shibboleth2-sp/Makefile
index b94e6fb745b4..abe23bdc6921 100644
--- a/security/shibboleth2-sp/Makefile
+++ b/security/shibboleth2-sp/Makefile
@@ -2,7 +2,7 @@
# $FreeBSD$
PORTNAME= shibboleth-sp
-PORTVERSION= 2.5.4
+PORTVERSION= 2.5.5
CATEGORIES= security www
MASTER_SITES= http://shibboleth.net/downloads/service-provider/${PORTVERSION}/
@@ -26,6 +26,8 @@ GROUPS= shibd
USE_APACHE= 22+
USE_OPENSSL= yes
+INSTALL_TARGET= install-strip
+
.include <bsd.port.pre.mk>
.if ${APACHE_VERSION} == 22
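Review bot: Nothing in this Makefile hunk, or in the version-bump hunks above it for this port and for security/opensaml2/Makefile, enforces the xmltooling-1.5.5 minimum that the commit message says is required for CVE-2015-2684. The dependency lines fall outside the visible hunks, so this may already be handled elsewhere; if it is not, a host that updates only these two ports and keeps an older xmltooling would presumably still be exposed to the crash. Consider a versioned dependency next to the other build settings, for example `BUILD_DEPENDS+= xmltooling>=1.5.5:<xmltooling port origin>` (origin shown as a placeholder). Separately, `INSTALL_TARGET= install-strip` is not mentioned in the commit message, so a one-line comment such as `# strip installed binaries; unrelated to the security update` would keep the security change easy to audit.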
diff --git a/security/shibboleth2-sp/distinfo b/security/shibboleth2-sp/distinfo
index ab471b6a31ac..142a465f15e5 100644
--- a/security/shibboleth2-sp/distinfo
+++ b/security/shibboleth2-sp/distinfo
@@ -1,2 +1,2 @@
-SHA256 (shibboleth-sp-2.5.4.tar.gz) = be0adfb324d1831e55b2ce281c7f8bd27bb9bdd65f1d0e9d8019e4cde1ceb6bb
-SIZE (shibboleth-sp-2.5.4.tar.gz) = 993532
+SHA256 (shibboleth-sp-2.5.5.tar.gz) = 30da36e0bba2ce4606a9effc37c05cd110dafdd6d3141468c4aa0f57ce4d96ce
+SIZE (shibboleth-sp-2.5.5.tar.gz) = 1003433
diff --git a/security/shibboleth2-sp/files/patch-shibboleth-spec b/security/shibboleth2-sp/files/patch-shibboleth-spec
index 5c9b249e5858..b0c0feae05f0 100644
--- a/security/shibboleth2-sp/files/patch-shibboleth-spec
+++ b/security/shibboleth2-sp/files/patch-shibboleth-spec
@@ -1,6 +1,6 @@
---- shibboleth.spec.in.orig 2013-06-16 21:43:47.000000000 +0200
-+++ shibboleth.spec.in 2013-07-29 14:42:22.887422969 +0200
-@@ -59,7 +59,7 @@
+--- shibboleth.spec.in.orig 2015-07-20 21:31:32.000000000 +0200
++++ shibboleth.spec.in 2015-07-22 17:45:15.000000000 +0200
+@@ -71,7 +71,7 @@
%if "%{_vendor}" == "suse"
%define pkgdocdir %{_docdir}/shibboleth
%else
@@ -9,7 +9,7 @@
%endif
%description
-@@ -203,14 +203,6 @@
+@@ -275,14 +275,6 @@
/sbin/ldconfig
%endif
@@ -18,7 +18,7 @@
-if [ -f sp-key.pem ] ; then
- %{__chown} %{runuser}:%{runuser} sp-key.pem sp-cert.pem 2>/dev/null || :
-else
-- sh ./keygen.sh -b -u %{runuser} -g %{runuser}
+- /bin/sh ./keygen.sh -b -u %{runuser} -g %{runuser}
-fi
-
# Fix ownership of log files (even on new installs, if they're left from an older one).
diff --git a/security/shibboleth2-sp/pkg-plist b/security/shibboleth2-sp/pkg-plist
index 13e029f36cc9..0774c52273dd 100644
--- a/security/shibboleth2-sp/pkg-plist
+++ b/security/shibboleth2-sp/pkg-plist
@@ -136,7 +136,7 @@ include/shibsp/util/PropertySet.h
include/shibsp/util/SPConstants.h
include/shibsp/util/TemplateParameters.h
include/shibsp/version.h
-lib/libshibsp.so.6.0.4
+lib/libshibsp.so.6.0.5
lib/libshibsp.so.6
lib/libshibsp.so
lib/shibboleth/adfs.so
@@ -146,7 +146,7 @@ lib/shibboleth/plugins-lite.so
lib/shibboleth/plugins.so
%%WITH_APACHE_22%%lib/shibboleth/mod_shib_22.so
%%WITH_APACHE_24%%lib/shibboleth/mod_shib_24.so
-lib/libshibsp-lite.so.6.0.4
+lib/libshibsp-lite.so.6.0.5
lib/libshibsp-lite.so.6
lib/libshibsp-lite.so
sbin/shibd
@@ -170,7 +170,6 @@ share/doc/shibboleth/OPENSSL.LICENSE
share/doc/shibboleth/README.txt
share/doc/shibboleth/RELEASE.txt
share/doc/shibboleth/main.css
-@dir share/doc/shibboleth/api
@dir share/doc/shibboleth
@dir lib/shibboleth
@dir share/xml/shibboleth