FreeBSD : shibboleth-sp -- DoS vulnerability (b202e4ce-3114-11e5-aa32-0026551a22dc)
Medium Nessus Plugin ID 84995
SynopsisThe remote FreeBSD host is missing one or more security-related updates.
DescriptionShibboleth consortium reports :
Shibboleth SP software crashes on well-formed but invalid XML.
The Service Provider software contains a code path with an uncaught exception that can be triggered by an unauthenticated attacker by supplying well-formed but schema-invalid XML in the form of SAML metadata or SAML protocol messages. The result is a crash and so causes a denial of service.
You must rebuild opensaml and shibboleth with xmltooling-1.5.5 or later. The easiest way to do so is to update the whole chain including shibboleth-2.5.5 an opensaml2.5.5.
SolutionUpdate the affected packages.