Message-ID: <87ljk51m2q.fsf@mid.deneb.enyo.de>
Date: Wed, 23 Sep 2009 19:46:05 +0000
From: Florian Weimer <fw@...eb.enyo.de>
To: oss-security@...ts.openwall.com
Cc: coley@...us.mitre.org
Subject: Three Shibboleth issues

1)

| The Shibboleth software includes code to encode and decode URL
| information, and has been shown to crash on certain malformed
| encoded URLs due to a buffer overrun.

(Also potential pre-auth code execution.)

<http://shibboleth.internet2.edu/secadv/secadv_20090826.txt>


2)

NUL injection in certificate names:

<http://shibboleth.internet2.edu/secadv/secadv_20090817.txt>


3)

| The Shibboleth software supports the use of SAML metadata to
| identify authentication and encryption keys by means of the
| <KeyDescriptor> element. In previous versions, the software
| was improperly ignoring the "use" attribute and treating all
| elements as valid for both signing/TLS and encryption.

<http://shibboleth.internet2.edu/secadv/secadv_20090817a.txt>

Isolated patches are available here:

<http://lists.alioth.debian.org/pipermail/pkg-shibboleth-devel/2009-September/001213.html>

Be careful when applying them---one hunk touches an inline function in
a header-only C++ class with virtual functions (see the mailing list
discussion).
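Issue 3 above is about selecting metadata keys by the `use` attribute of `<KeyDescriptor>`. The following Python is an added example, not Shibboleth's code: it parses a constructed metadata fragment and returns only the keys whose `use` matches the requested purpose (an absent `use` means the key serves both), with a `buggy` flag that reproduces the behaviour the advisory describes for comparison.

```python
"""Select SAML metadata keys by KeyDescriptor "use" (added example).

SAML metadata semantics: a KeyDescriptor without a "use" attribute
applies to both signing and encryption; use="signing" or
use="encryption" restricts it to that purpose. The advisory's bug was
ignoring "use", so an encryption-only key was also accepted for
signature/TLS verification.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed metadata fragment; KeyName values stand in for real certificates.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.org/idp">
  <md:IDPSSODescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:KeyName>sign-key</ds:KeyName></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:KeyName>enc-key</ds:KeyName></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor><ds:KeyInfo><ds:KeyName>dual-key</ds:KeyName></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

VALID_USES = {"signing", "encryption"}


def keys_for_use(metadata_xml: str, wanted: str, buggy: bool = False) -> list:
    """Return KeyName values usable for `wanted` ("signing" or "encryption").

    buggy=True mimics the pre-fix behaviour: "use" is ignored and every
    key is returned regardless of the purpose asked for.
    """
    if wanted not in VALID_USES:
        raise ValueError(f"unknown key use: {wanted!r}")
    root = ET.fromstring(metadata_xml)
    selected = []
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        use = kd.get("use")
        if not buggy and use is not None and use != wanted:
            continue  # restricted to another purpose (or an unknown value): skip
        name = kd.find("ds:KeyInfo/ds:KeyName", NS)
        if name is not None and name.text:
            selected.append(name.text.strip())
    return selected


if __name__ == "__main__":
    print("fixed signing:   ", keys_for_use(SAMPLE_METADATA, "signing"))
    print("fixed encryption:", keys_for_use(SAMPLE_METADATA, "encryption"))
    print("buggy signing:   ", keys_for_use(SAMPLE_METADATA, "signing", buggy=True))
```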
