AAF logo

Security Alerts - Shibboleth Service Provider Security Advisory [11 March 2019]

Security stuff

Shibboleth Service Provider Security Advisory [11 March 2019]

The Shibboleth has advised of a critical security issue involving the Shibboleth Service Provider. It has been determined that a crash can be triggered within the Shibboleth SP when it is provided a malformed XML declaration. A crash prevents your users from accessing protected resources until the daemon is restarted.


This issue impacts all 2.x and 3.x versions of the Shibboleth SP. Following the end of life of Shibboleth V2, only the 3.x Shibboleth SP release is being patched against this issue.


Recommendations

Linux: 

  • 2.x SP releases: Undertake a migration to the latest 3.x release
  • 3.x SP releases: Ensure that V3.0.4 or later of the XMLTooling library is installed, generally via a package update (yum, apt etc.)

Windows: 

  • 2.x SP releases: Undertake a migration to the latest 3.x release
  • 3.x SP releases: Update to the latest 3.x release.



To view the official Security Advisory, go to: https://shibboleth.net/community/advisories/secadv_20190311.txt  

Login or Signup to post a comment

Newsletter Sign-up

To receive regular updates from AAF:
Add Me to the General List or Add Me to the Technical List or Add Me to the ORCID mailing list