Security Alerts - Shibboleth Service Provider Security Advisory [03 August 2018]

Security stuff

Shibboleth Service Provider Security Advisory [03 August 2018]

The AAF has received important security advice from the Shibboleth project, which we want to share with our subscribers.

SAML messages, assertions, and metadata all commonly make use of the XML Signature KeyInfo construct, which expresses information about keys and certificates used in signing or encrypting XML.

It has been determined that a crash can be triggered within the Shibboleth SP when it is provided malformed KeyInfo data. A crash prevents your users from accessing protected resources until the daemon is restarted.

This issue is present in 2.x and 3.x versions of the Shibboleth SP. Following the end of life of Shibboleth V2, only the 3.x Shibboleth SP release is being patched against this issue.

1. Read the security advisory for more information on how this issue can impact production environments.
2. Plan upgrades based on the operating system and deployed Shibboleth SP version:



  • 2.x SP releases: Undertake a migration to the latest 3.x release
  • 3.x SP releases: Ensure that V2.0.1 or later of the xml-security-c library is installed, generally via a package update (yum, apt etc.)


  • 2.x SP releases: Undertake a migration to the latest 3.x release
  • 3.x SP releases: Update to the latest 3.x release.

Please contact support@aaf.edu.au should you need any assistance.

View the official security advisory 

Thank you to the Shibboleth project for the research and code patches which underpin this advisory.

Login or Signup to post a comment

Newsletter Sign-up

To receive regular updates from AAF:
Add Me to the General List or Add Me to the Technical List or Add Me to the ORCID mailing list