Bug#793855: DoS, Shibboleth SP software crashes on well-formed but invalid XML (CVE-2015-0851)

Luca Bruno lucab at debian.org
Tue Jul 28 07:53:30 UTC 2015

Source: xmltooling
Version: 1.3.3-2
Severity: serious
Tags: security patch upstream

Shibboleth Service Provider software contains a code path with an uncaught
exception that can be triggered by an unauthenticated attacker by
supplying well-formed but schema-invalid XML in the form of SAML
metadata or SAML protocol messages. The result is a crash and so
causes a denial of service.

Updated versions of OpenSAML-C (V2.5.5) and XMLTooling-C (V1.5.5)
are available that correct this bug.

This vulnerability has been assigned CVE-2015-0851.
Please mention the CVE ID in changelog when fixing this issue.

 * Bulletin
 * Fixing commit (xmltooling)

Cheers, Luca

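The report above describes the general failure mode: a validation exception thrown on well-formed but schema-invalid input, with no handler on the path, unwinds to the top of the worker and takes the whole process down. The following is an added example written for this page, not code from xmltooling, OpenSAML or the Shibboleth SP; `parseAndValidate` is a hypothetical stand-in for a schema-validating parser, and the sample documents are constructed. It contrasts an unguarded request handler, where the exception escapes, with one that converts any parse or validation failure into an error result at the request boundary, so one bad message costs one request rather than the service. The actual fix for CVE-2015-0851 is the upstream commit linked in the bullet list, not this code.

```cpp
#include <exception>
#include <iostream>
#include <stdexcept>
#include <string>

// Hypothetical exception type standing in for a schema-validation failure.
struct SchemaViolation : std::runtime_error {
    using std::runtime_error::runtime_error;
};

// Hypothetical stand-in for a schema-validating parser. Well-formedness is
// assumed; the "schema" requires an EntityDescriptor root carrying an
// entityID attribute. Anything else is well-formed but schema-invalid and
// throws, the same class of input the report describes.
void parseAndValidate(const std::string& xml) {
    if (xml.find("<EntityDescriptor") == std::string::npos)
        throw SchemaViolation("root element is not EntityDescriptor");
    if (xml.find("entityID=") == std::string::npos)
        throw SchemaViolation("required attribute entityID is missing");
}

enum class Result { Ok, RejectedInvalid, RejectedOther };

// Unguarded handler: the exception propagates out. In a real service this
// reaches a thread entry point or main() with no handler, and C++ then calls
// std::terminate(), i.e. the process crashes on attacker-supplied input.
void handleUnguarded(const std::string& xml) {
    parseAndValidate(xml);
}

// Guarded handler: the request boundary is the last place to stop an
// exception, so catch everything std::exception-derived here and map it to
// an error result. noexcept documents that nothing may escape.
Result handleGuarded(const std::string& xml) noexcept {
    try {
        parseAndValidate(xml);
        return Result::Ok;
    } catch (const SchemaViolation& e) {
        // A real service would log e.what() and return an HTTP/SAML error.
        std::cerr << "rejected schema-invalid message: " << e.what() << '\n';
        return Result::RejectedInvalid;
    } catch (const std::exception& e) {
        std::cerr << "rejected message: " << e.what() << '\n';
        return Result::RejectedOther;
    }
}

// Constructed sample inputs (not real SAML metadata).
const std::string kValidMetadata =
    "<EntityDescriptor entityID=\"https://sp.example.org/shibboleth\"/>";
// Well-formed XML, but the required entityID attribute is absent.
const std::string kInvalidMetadata = "<EntityDescriptor/>";

// Demonstrates that the unguarded path lets the exception escape; the
// try block here plays the role of the missing handler purely so the
// demonstration itself does not terminate.
bool unguardedLetsExceptionEscape(const std::string& xml) {
    try {
        handleUnguarded(xml);
        return false;
    } catch (const std::exception&) {
        return true;
    }
}

int main() {
    std::cout << "unguarded escapes on invalid input: "
              << (unguardedLetsExceptionEscape(kInvalidMetadata) ? "yes" : "no")
              << '\n';
    std::cout << "guarded, valid input ok: "
              << (handleGuarded(kValidMetadata) == Result::Ok ? "yes" : "no")
              << '\n';
    std::cout << "guarded, invalid input rejected: "
              << (handleGuarded(kInvalidMetadata) == Result::RejectedInvalid ? "yes" : "no")
              << '\n';
    return 0;
}
```

The point to check in a review of any network-facing XML consumer is that every thread entry point and request dispatcher has a catch for `std::exception` (and, if the parser throws its own hierarchy, for that hierarchy), because a single uncaught throw anywhere beneath it is an unauthenticated crash.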