FreeBSD : shibboleth-sp -- crashes on malformed date/time content (4f8665d0-0465-11e9-b77a-6cc21735f730)

high Nessus Plugin ID 119822

Synopsis

The remote FreeBSD host is missing a security-related update.

Description

The Shibboleth Consortium reports:

SAML messages, assertions, and metadata all commonly contain date/time information in a standard XML format.

Invalidly formatted data in such fields causes an exception of a type that was not handled properly in the V3 software and causes a crash (usually of the shibd daemon process, but possibly of Apache in rare cases). Note that the crash occurs prior to evaluation of a message's authenticity, so it can be exploited by an untrusted attacker.

The problem is believed to be specific to the V3 software and would not cause a crash in the older, now unsupported, V2 software.

Solution

Update the affected package.

See Also

https://shibboleth.net/community/advisories/secadv_20181219a.txt

http://www.nessus.org/u?54ae2132

Plugin Details

Severity: High

ID: 119822

File Name: freebsd_pkg_4f8665d0046511e9b77a6cc21735f730.nasl

Version: 1.1

Type: local

Published: 12/21/2018

Updated: 12/21/2018

Supported Sensors: Nessus

Vulnerability Information

CPE: p-cpe:/a:freebsd:freebsd:shibboleth-sp, cpe:/o:freebsd:freebsd

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Patch Publication Date: 12/20/2018

Vulnerability Publication Date: 12/19/2018