FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-04-19 18:22:07 UTC

List all Vulnerabilities, by package

List all Vulnerabilities, by date

k68

These are the vulnerabilities relating to the commit you have selected:

VuXML ID	Description
b4b7ec7d-ca27-11e7-a12d-6cc21735f730	shibboleth2-sp -- "Dynamic" metadata provider plugin issue The Internet2 community reports: The Shibboleth Service Provider software includes a MetadataProvider plugin with the plugin type "Dynamic" to obtain metadata on demand from a query server, in place of the more typical mode of downloading aggregates separately containing all of the metadata to load. All the plugin types rely on MetadataFilter plugins to perform critical security checks such as signature verification, enforcement of validity periods, and other checks specific to deployments. Due to a coding error, the "Dynamic" plugin fails to configure itself with the filters provided to it and thus omits whatever checks they are intended to perform, which will typically leave deployments vulnerable to active attacks involving the substitution of metadata if the network path to the query service is compromised. Discovery 2017-11-15 Entry 2017-11-15 shibboleth2-sp < 2.6.1 http://shibboleth.internet2.edu/secadv/secadv_20171115.txt

VuXML ID

Description

b4b7ec7d-ca27-11e7-a12d-6cc21735f730

shibboleth2-sp -- "Dynamic" metadata provider plugin issue

The Internet2 community reports:

The Shibboleth Service Provider software includes a MetadataProvider plugin with the plugin type "Dynamic" to obtain metadata on demand from a query server, in place of the more typical mode of downloading aggregates separately containing all of the metadata to load.
All the plugin types rely on MetadataFilter plugins to perform critical security checks such as signature verification, enforcement of validity periods, and other checks specific to deployments.
Due to a coding error, the "Dynamic" plugin fails to configure itself with the filters provided to it and thus omits whatever checks they are intended to perform, which will typically leave deployments vulnerable to active attacks involving the substitution of metadata if the network path to the query service is compromised.

Discovery 2017-11-15
Entry 2017-11-15
shibboleth2-sp

< 2.6.1

http://shibboleth.internet2.edu/secadv/secadv_20171115.txt