non port: security/shibboleth2-sp/files/patch-shibboleth-spec
Number of commits found: 4
Thursday, 23 Jul 2015
|
13:21 girgen
Shibboleth SP software crashes on well-formed but invalid XML.
The Service Provider software contains a code path with an uncaught
exception that can be triggered by an unauthenticated attacker by
supplying well-formed but schema-invalid XML in the form of SAML
metadata or SAML protocol messages. The result is a crash and so
causes a denial of service.
You must rebuild opensaml and shibboleth with xmltooling-1.5.5 or later.
The easiest way to do so is to update the whole chain including
shibboleth-2.5.5 and opensaml2.5.5.
URL: http://shibboleth.net/community/advisories/secadv_20150721.txt
Security: CVE-2015-2684
|
Thursday, 8 May 2014
|
01:35 girgen
Update Shibboleth to 2.5.3, a bug fix release.
Change the cache directory back to the built-in default, /var/cache, and
force mode 755 on that directory. (See r258664 in head for why this is a good
thing.)
Add odbc support as suggested in ports/189410.
|
Monday, 29 Jul 2013
|
14:49 girgen
Move /var/cache/shibboleth to /var/db/shibboleth, since /var/cache has mode 750
and cannot be read by the www user. According to hier(7):
db/ misc. automatically generated system-specific database files
so /var/db seems like the best choice
|
Tuesday, 4 Jun 2013
|
17:29 girgen
Update Shibboleth-sp and its tool chain to 2.5.1.
Note that from 2.5, shibd is run as the user shibd. The port tries to fix the
key file ownership but if you have changed the file name of the key from the
default sp-key.pem, make sure you chown your key file(s) to user shibd.
Also, take maintainership of the entire tool chain (approved by all previous
maintainers).
Incorporates the ideas suggested by Craig Leres [177668], making sure that the
ssl key is not added to the package.
PR: 177668, 178694