rpm package
opensuse/sha1collisiondetection&distro=openSUSE Tumbleweed
pkg:rpm/opensuse/sha1collisiondetection&distro=openSUSE%20Tumbleweed
Vulnerabilities (3)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2019-19191 | — | | | < 3.2.3-1.2 | 3.2.3-1.2 | Nov 21, 2019 | Shibboleth Service Provider (SP) 3.x before 3.1.0 shipped a spec file that calls chown on files in a directory controlled by the service user (the shibd account) after installation. This allows the user to escalate to root by pointing symlinks to files such as /etc/shadow. |
| CVE-2017-16852 | Hig | 8.1 | | < 3.2.3-1.2 | 3.2.3-1.2 | Nov 16, 2017 | shibsp/metadata/DynamicMetadataProvider.cpp in the Dynamic MetadataProvider plugin in Shibboleth Service Provider before 2.6.1 fails to properly configure itself with the MetadataFilter plugins and does not perform critical security checks such as signature verification, enforcem |
| CVE-2005-4900 | Med | 5.9 | | < 1.0.3-4.12 | 1.0.3-4.12 | Oct 14, 2016 | SHA-1 is not collision resistant, which makes it easier for context-dependent attackers to conduct spoofing attacks, as demonstrated by attacks on the use of SHA-1 in TLS 1.2. NOTE: this CVE exists to provide a common identifier for referencing this SHA-1 issue; the existence of |