18:12 Palle Girgensohn (girgen) 

devel/xmltooling: update to 3.3.0

This is a library used by Shibboleth-SP and they are upgraded in sync.

Release notes:	https://shibboleth.atlassian.net/wiki/x/jYUaew

    c614747

15:09 Palle Girgensohn (girgen) 

devel/xmltooling: update to 3.2.4

An updated version of the XMLTooling library that is part of the
OpenSAML and Shibboleth Service Provider software is now available
which corrects a server-side request forgery (SSRF) vulnerability.

Security:	f7e9a1cc-0931-11ee-94b4-6cc21735f730

    37548fc

14:46 Palle Girgensohn (girgen) 

shibboleth-sp: Update to 3.4.1

A patch release of the Service Provider, V3.4.1, is now available. This
release fixes a couple of small bugs and adds a warning requested by one
of our member organizations in the absence of the redirectLimit setting,
which leads to SPs being abused as open redirectors.

Notably, this release includes an update to the xmltooling library that
hardens the code base against the sorts of attacks reported against the
IdP in the recent advisory. The SP is, as far as can be determined, not
impacted directly by that vulnerability, but this is a precautionary
change.

Release
notes:	https://shibboleth.atlassian.net/wiki/spaces/SP3/pages/2065335693/ReleaseNotes

    a9e7159

17:03 Palle Girgensohn (girgen) 

security/shibboleth-sp: update to 3.4.0

This is a minor update containing a new setting suggested by a
contributor (thus the unplanned minor version change) controlling
retries when TCP connections to shibd are used. The other changes are
minimal in nature.

Update the toolchain as well:

devel/xmltooling
textproc/xerces-c3

and bump PORTREVISION for security/opensaml due to dependencies'
updates.

Release notes:	https://wiki.shibboleth.net/confluence/display/SP3/ReleaseNotes

    b4e7dc9

14:42 Palle Girgensohn (girgen) 

devel/xmltooling: update to 3.2.1

    8de0270

08:51 girgen 

Update xmltooling to 3.2.0

Bump dependant ports. xmltooling is only used as a dependency for
security/shibboleth-sp.

Release notes:	https://wiki.shibboleth.net/confluence/display/SP3/ReleaseNotes

 

22:15 girgen 

The Shibboleth Project has released V3.1.0 of the Service Provider software.

Release notes:	https://wiki.shibboleth.net/confluence/display/SP3/ReleaseNotes

 

17:02 girgen 

Update Shibboleth and its tool chain to 3.0.4

The security problem was patched alreadyin 3.0.3p1, but all users are
recommended to update to the latest version at next service window.

Security:	CVE-2019-9628
		https://shibboleth.net/community/advisories/secadv_20190311.txt
Release notes:	https://wiki.shibboleth.net/confluence/display/SP3/ReleaseNotes

 

10:54 girgen 

Update to version 3.0.3

The update corrects a denial of service vulnerability.

Security:	4f8665d0-0465-11e9-b77a-6cc21735f730

 

13:24 girgen 

Update Shibboleth to 3.0.2

Also update the toolchain to latest versions. This includes a security fix for
apache-xml-security-c.

Releaseinfo:    https://wiki.shibboleth.net/confluence/display/SP3/ReleaseNotes
Security:       5786185a-9a43-11e8-b34b-6cc21735f730
Security:       https://shibboleth.net/community/advisories/secadv_20180803.txt

 

15:37 girgen 

Shibboleth SP software vulnerable to additional data forgery flaws

The XML processing performed by the Service Provider software has been
found to be vulnerable to new flaws similar in nature to the one
addressed in an advisory last month.

Security:	22438240-1bd0-11e8-a2ec-6cc21735f730
URL:		https://shibboleth.net/community/advisories/secadv_20180227.txt

 

10:37 girgen 

Update to latest version

This is a fix for a regression in the latest security fix for
security/shibboleth2-sp.

Security:	b4b7ec7d-ca27-11e7-a12d-6cc21735f730

 

21:52 girgen 

Upgrade shibboleth-sp 2.6 and its tool chain

 

13:21 girgen 

Shibboleth SP software crashes on well-formed but invalid XML.

The Service Provider software contains a code path with an uncaught
exception that can be triggered by an unauthenticated attacker by
supplying well-formed but schema-invalid XML in the form of SAML
metadata or SAML protocol messages. The result is a crash and so
causes a denial of service.

You must rebuild opensaml and shibboleth with xmltooling-1.5.5 or later.
The easiest way to do so is to update the whole chain including
shibboleth-2.5.5 an opensaml2.5.5.

URL:    	http://shibboleth.net/community/advisories/secadv_20150721.txt
Security:	CVE-2015-2684

 

16:17 tijl 

Add USES=libtool

 

11:09 bapt 

Cleanup plist

 

13:38 amdmi3 

- Use new LIB_DEPENDS syntax
- Remove redundant docs plist entries (handled by PORTDOCS=*)

Approved by:	portmgr blanket

 

17:29 girgen 

Update Shibboleth-sp and its tool chain to 2.5.1.

Note that from 2.5, shibd is run as the user shibd.  The port tries to fix the
key file ownership but if you have changed the file name of the key from the
default sp-key.pem, make sure you chown your key file(s) to user shibd.

Also, take maintainership of the entire tool chain (approved by all previous
maintainers).

Incorporates the ideas suggested by Craig Leres [177668], making sure that the
ssl key is not added to the package.

PR:	177668, 178694

 

02:57 swills 

- Update to latest versions

PR:             ports/157822
Submited by:    Palle Girgensohn <girgen@FreeBSD.org>
Approved by:    maintainer timeout

22:08 pgollucci 

- Fix pkg-plist in NOPORTDOCS case

Reported by:    QAT

01:24 pgollucci 

- Update to 2.3

PR:             ports/142324
Submitted by:   Steve Wills <steve@mouf.net>
Approved by:    Mohacsi Janos <janos.mohacsi@bsd.hu> (maintainer)

01:15 wxs 

- Update to 1.2

PR:             ports/136033
Submitted by:   Steve Wills <steve@mouf.net>
Approved by:    maintainer

15:15 miwi 

Shibboleth 2.x relies on OpenSAML 2, which in turn requires this
lower-level library that provides a higher level interface to XML
processing, particularly in light of signing and encryption.

WWW: https://spaces.internet2.edu/display/OpenSAML/XMLTooling-C

PR:             ports/127326
Submitted by:   Janos Mohacsi