| Name | CVE-2013-6440 |
| Description | The (1) BasicParserPool, (2) StaticBasicParserPool, (3) XML Decrypter, and (4) SAML Decrypter in Shibboleth OpenSAML-Java before 2.6.1 set the expandEntityReferences property to true, which allows remote attackers to conduct XML external entity (XXE) attacks via a crafted XML DOCTYPE declaration. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| opensaml2 (PTS) | jessie, jessie (lts) | 2.5.3-2+deb8u2 | fixed |
| stretch (security), stretch (lts), stretch | 2.6.0-4+deb9u1 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| opensaml2 | source | (unstable) | (not affected) |
- opensaml2 <not-affected> (Debian provides the C-based Shibboleth implementation)
http://shibboleth.net/community/advisories/secadv_20131213.txt
http://blog.sendsafely.com/post/69590974866/web-based-single-sign-on-and-the-dangers-of-saml-xml