Bug 922199 (CVE-2015-1796) - VUL-0: CVE-2015-1796: OpenSAML Java: PKIX Trust Engines Exhibit Critical Flaw In Trusted Names Evaluation
Status: RESOLVED WONTFIX
Alias: CVE-2015-1796
Product: openSUSE.org
Classification: openSUSE
Component: 3rd party software
Version: unspecified
Hardware: Other openSUSE 13.2
Priority: P3 - Medium, Severity: Normal
Target Milestone: ---
Assignee: Will Schneider
QA Contact: E-mail List
URL: http://shibboleth.net/community/advis...
Whiteboard: CVSSv2:NVD:CVE-2014-4651:7.5:(AV:N/A...
Reported: 2015-03-13 08:46 UTC by Andreas Stieger
Modified: 2020-02-28 01:25 UTC
Found By: Security Response Team


Description Andreas Stieger 2015-03-13 08:46:13 UTC
Got this in our incoming queue:

A critical flaw has been discovered in the PKIX trust components that
allows an X509 credential to be trusted in the special case where no
trusted names are available for the given entityID.
See External References for the complete details.

Versions of OpenSAML Java < 2.6.5
Versions of the Identity Provider < 2.4.4

References:
http://shibboleth.net/community/advisories/secadv_20150225.txt
https://bugzilla.redhat.com/show_bug.cgi?id=1196619
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1796
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1796
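
The special case in the description above, shown as an added example that is not part of the original report and is not OpenSAML's code: a simplified trusted-name check that fails open when an entityID has no trusted names, beside a fail-closed version. The class, method names, entityIDs and certificate names are all hypothetical, constructed sample values.

```java
import java.util.Map;
import java.util.Set;

// Simplified model of trusted-name evaluation; not OpenSAML's classes or API.
public class TrustedNamesCheck {

    // Hypothetical trust configuration (constructed sample data):
    // entityID -> names a certificate presented for that entity may carry.
    static final Map<String, Set<String>> TRUSTED_NAMES = Map.of(
        "https://sp.example.org/shibboleth", Set.of("sp.example.org"));

    // Fail-open: when no trusted names are available for the entityID,
    // the name check is skipped and the credential passes this step.
    static boolean nameCheckFailOpen(String entityId, String certName) {
        Set<String> names = TRUSTED_NAMES.getOrDefault(entityId, Set.of());
        if (names.isEmpty()) {
            return true;
        }
        return names.contains(certName);
    }

    // Fail-closed: an empty set of trusted names can never match.
    static boolean nameCheckFailClosed(String entityId, String certName) {
        Set<String> names = TRUSTED_NAMES.getOrDefault(entityId, Set.of());
        return !names.isEmpty() && names.contains(certName);
    }

    public static void main(String[] args) {
        // Constructed cases: matching name, wrong name, entityID with no names.
        String[][] cases = {
            {"https://sp.example.org/shibboleth", "sp.example.org"},
            {"https://sp.example.org/shibboleth", "other.example.net"},
            {"https://unknown.example.com/sp", "other.example.net"},
        };
        for (String[] c : cases) {
            System.out.printf("%-36s %-18s fail-open=%-5b fail-closed=%b%n",
                c[0], c[1],
                nameCheckFailOpen(c[0], c[1]),
                nameCheckFailClosed(c[0], c[1]));
        }
    }
}
```

Only the third case differs between the two checks: the entityID with no trusted names is accepted by the fail-open version and rejected by the fail-closed one.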
Comment 1 Swamp Workflow Management 2015-03-13 23:00:13 UTC
bugbot adjusting priority
Comment 2 Will Schneider 2017-07-25 14:48:48 UTC
This branch of the software is no longer being worked on.