
inc-librsvcs - [inc-librsvcs] Shib 2.3.0 and EZproxy

Subject: InCommon Library Services

  • From: Tod Olson
  • To: inc-librsvcs
  • Cc: Tod Olson
  • Subject: [inc-librsvcs] Shib 2.3.0 and EZproxy
  • Date: Thu, 16 Jun 2011 14:45:55 -0500

InCommon-Library,

Our IdM folks have contacted me with an issue they are having with EZproxy
and the most recent Shibboleth, and I thought the InC-Library community might
be interested.

Here's the issue:

"""
The current version of the Shibboleth IdP which we are running (2.2.1) is
vulnerable to a cross-site-scripting attack. The Shibboleth community has
therefore released Shibboleth 2.3.0 which fixes the problem. The shib folks
have also stated that they will not backport a fix to the 2.1.x series IdP.
In attempting to upgrade our IdP I found in testing that EZ Proxy broke. I
spent a while poking at it, including attempting to upgrade EZ Proxy to the
latest version in test & still couldn't get it working. So, I contacted OCLC
Support. They replied (attached) that it's a known issue, they're working on
it, but no ETA (which in my experience generally also means low priority).
They also mentioned that they only support the vulnerable series of
Shibboleth. So, we here in IT Services were wondering if you would perhaps
have better leverage in getting out of OCLC an ETA as well as raising the
priority of them coming up with a fix for EZ Proxy?
"""

So we have a security issue that the Shib upgrade will fix, but EZproxy
breaks. Since EZproxy is a recommended approach, was wondering whether
others in InC-Library might have run into this problem?

-Tod

Tod Olson
Systems Librarian
University of Chicago Library





