InCommon Library Services

[Tim Mori <>]

Tod,

What OS are you running on? I recently upgraded our entire shib/ezproxy infrastructure on Red Hat 6 under VMWare and I'm not having any problems. This is both IdP 2.3.0 and EZProxy 5.3.

Tim

On Thu, Jun 16, 2011 at 3:45 PM, Tod Olson <> wrote:

InCommon-Library,

Our IdM folks have contacted me with an issue they are having with EZproxy and the most recent Shibboleth, and I thought the InC-Library community might be interested.

Here's the issue:

"""
The current version of the Shibboleth IdP which we are running (2.2.1) is vulnerable to a cross-site-scripting attack.  The Shibboleth community has therefore released Shibboleth 2.3.0 which fixes the problem.  The shib folks have also stated that they will not backport a fix to the 2.1.x series IdP.  In attempting to upgrade our IdP I found in testing that EZ Proxy broke.  I spent awhile poking at it including attempting to upgrade EZ Proxy to the latest version in test & still couldn't get it working.  So, I contacted OCLC Support.  They replied (attached) that it's a known issue, they're working on it, but no ETA (which in my experience generally also means low priority).  They also mentioned that they only support the vulnerable series of Shibboleth.  So, we here in IT Services were wondering if you would perhaps have better leverage in getting out of OCLC an ETA as well as raising the priority of them coming up with a fix for EZ Proxy?
"""

So we have a security issue that the Shib upgrade will fix, but EZproxy breaks.  Since EZproxy is a recommended approach, was wondering whether others in InC-Library might have run into this problem?

-Tod

Tod Olson <>
Systems Librarian
University of Chicago Library

--
Timothy S. Mori
Systems Librarian, Enterprise Operations
IT Department
North Carolina State University Libraries
Campus Box 7111
Raleigh, NC 27695-7111
919.515.6182 (phone)