AUSTRALIAN ACCESS FEDERATION

Security Alerts - Shibboleth Service Provider Security Advisory [11 March 2019]


The Shibboleth Project has advised of a critical security issue involving the Shibboleth Service Provider (SP). The Shibboleth SP can be made to crash when it is given a malformed XML declaration. A crash prevents your users from accessing protected resources until the daemon is restarted.


This issue impacts all 2.x and 3.x versions of the Shibboleth SP. Following the end of life of Shibboleth V2, only the 3.x Shibboleth SP release is being patched against this issue.


Recommendations

Linux: 

  • 2.x SP releases: Undertake a migration to the latest 3.x release
  • 3.x SP releases: Ensure that V3.0.4 or later of the XMLTooling library is installed, generally via a package update (yum, apt, etc.)

Windows: 

  • 2.x SP releases: Undertake a migration to the latest 3.x release
  • 3.x SP releases: Update to the latest 3.x release.
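
One way to verify the Linux recommendation on a host, as an added example that is not part of the AAF or Shibboleth advisory. The `libxmltooling*` package glob, the function names and the `--check` argument are assumptions; the 3.0.4 minimum comes from the recommendation above.

```shell
#!/bin/sh
# Added example: compare installed XMLTooling packages with the advisory's minimum.
MIN_VERSION="3.0.4"   # from the advisory: XMLTooling V3.0.4 or later

# Reduce a package version to its upstream part: drop an epoch ("1:")
# and the packaging revision ("-1+deb10u1", "-3.1").
upstream_version() {
    uv_v="${1#*:}"
    printf '%s\n' "${uv_v%%-*}"
}

# Return 0 if version $1 is >= MIN_VERSION (component-wise, via GNU sort -V).
version_is_patched() {
    vp_up=$(upstream_version "$1")
    [ -n "$vp_up" ] || return 2
    vp_low=$(printf '%s\n%s\n' "$MIN_VERSION" "$vp_up" | sort -V | head -n 1)
    [ "$vp_low" = "$MIN_VERSION" ]
}

# Print the versions of installed XMLTooling packages, one per line.
# Assumption: the library packages match 'libxmltooling*' in your repository.
installed_xmltooling_versions() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='${Status} ${Version}\n' 'libxmltooling*' 2>/dev/null |
            awk '$3 == "installed" { print $4 }'
    elif command -v rpm >/dev/null 2>&1; then
        rpm -qa --qf '%{VERSION}\n' 'libxmltooling*'
    fi
}

# Report each installed version; return 1 if any is below the minimum,
# 2 if no XMLTooling package was found.
check_host() {
    ch_versions=$(installed_xmltooling_versions)
    [ -n "$ch_versions" ] || { echo "XMLTooling not found via dpkg or rpm"; return 2; }
    ch_rc=0
    for ch_v in $ch_versions; do
        if version_is_patched "$ch_v"; then
            echo "OK       xmltooling $ch_v"
        else
            echo "UPGRADE  xmltooling $ch_v (advisory requires >= $MIN_VERSION)"
            ch_rc=1
        fi
    done
    return $ch_rc
}

# Run the host check only when asked, e.g.: sh check_xmltooling.sh --check
if [ "${1:-}" = "--check" ]; then check_host; exit $?; fi
```

The comparison uses only the upstream version number, so a distribution package that backports the fix under an older number is reported as needing an upgrade; confirm such packages against the distributor's own advisory.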



To view the official Security Advisory, go to: https://shibboleth.net/community/advisories/secadv_20190311.txt  
