FreeBSD : xml-security-c -- crashes on malformed KeyInfo content (5786185a-9a43-11e8-b34b-6cc21735f730)

High | Nessus Plugin ID 111583

Synopsis

The remote FreeBSD host is missing a security-related update.

Description

The Shibboleth project reports:

SAML messages, assertions, and metadata all commonly make use of the XML Signature KeyInfo construct, which expresses information about keys and certificates used in signing or encrypting XML.

The Apache Santuario XML Security for C++ library contained code paths at risk of dereferencing NULL pointers when processing various kinds of malformed KeyInfo hints typically found in signed or encrypted XML.
The usual effect is a crash, and in the case of the Shibboleth SP software, a crash in the shibd daemon, which prevents access to protected resources until the daemon is restarted.

Solution

Update the affected package.

See Also

https://shibboleth.net/community/advisories/secadv_20180803.txt

http://www.nessus.org/u?9df9fd4a

Plugin Details

Severity: High

ID: 111583

File Name: freebsd_pkg_5786185a9a4311e8b34b6cc21735f730.nasl

Version: 1.2

Type: local

Published: 8/8/2018

Updated: 11/10/2018

Supported Sensors: Nessus

Vulnerability Information

CPE: p-cpe:/a:freebsd:freebsd:apache-xml-security-c, cpe:/o:freebsd:freebsd

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Patch Publication Date: 8/7/2018

Vulnerability Publication Date: 8/3/2018