Skip to Content.
Sympa Menu

inc-ops-notifications - [InCommon NOTICE] InCommon metadata issue

Subject: InCommon Operations Notifications

List archive

[InCommon NOTICE] InCommon metadata issue


Chronological Thread 
  • From: Thomas Scavo <>
  • To: "" <>
  • Subject: [InCommon NOTICE] InCommon metadata issue
  • Date: Wed, 19 Apr 2017 20:29:48 +0000
  • Accept-language: en-US
  • Authentication-results: incommon.org; dkim=none (message not signed) header.d=none;incommon.org; dmarc=none action=none header.from=internet2.edu;
  • Ironport-phdr: 9a23:RHctZhcA3bLhWaj9/8PUvFnNlGMj4u6mDksu8pMizoh2WeGdxcW+Yh7h7PlgxGXEQZ/co6odzbGH7ea7ASdZvcbJmUtBWaQEbwUCh8QSkl5oK+++Imq/EsTXaTcnFt9JTl5v8iLzG0FUHMHjew+a+SXqvnYdFRrlKAV6OPn+FJLMgMSrzeCy/IDYbxlViDanb75/KBS7oR/fu8UKjoduN6k8xxjUqXZUZupawn9lK0iOlBjm/Mew+5Bj8yVUu/0/8sNLTLv3caclQ7FGFToqK2866tHluhnFVguP+2ATUn4KnRpSAgjK9w/1U5HsuSbnrOV92S2aPcrrTbAoXDmp8qlmRAP0hCoBKjU09nzchM5tg6JBuB+vpwJxzZPIYI+bN/R+f7/Sc9wVSmdaQsZRTjBNDp+gY4cTEuYMO/tToYnnp1sJqBuzHReiBOPoyj9NnHD2xrAx3fk9Hg7cwgwgGM8FvXPIrNXvL6cdTfq6zLfPzTjYbvNW3yv955bSchAnv/6MQax8fdDPxkYyCgPIl1OdopHrMTOS0+QCqWmb7+x4WOKujW4otwZxoj2qxscrjInFnIUVykrL9Sh/3Y07JsW4RVZmbdK4H5ZcrS6XOolsTs4tXW1kojs2xqAJtJKjYSQHxoorywTBZ/GIc4WE+BHuWPyMLTp5hH9ofq+0iQyo/ki60OL8U9G50FZUoSpBldnBrmgD2gDU5MSbRPZx51qs1jSR2wzK7eFLOl47mbDcK5483r4/jZ0TsVnFHiDrgkn2lLWWdkI4+ue29+vnfrTmppiaN4NujQH+L7gumsi4AeQ/MQgCRXSU+eO51LH7/E35RqtFjuEun6XErJzXKt4Xq6G7DgNP3Ysv9QyzAyq73NkXhXUHKUhKeBODj4jnIVHOJ/X4AO+jg1S2izdk2+rJPqPmApjWL3jDlqvhcqhn605a1gUz0c5T64hKBb4cPfL/QlXxu8DADh8lLwy0xP7qCNR71owCXmKPB6qZMKTUsVOS4eIvOeaMaJYUuDb7N/cp/vnujWcimVMEe6mp2ocXaHG2HvRnP0qWe2bsgtYGEWcMpQozV+jqiFyZUT5PfHa+Qbgw5jA9CIK6E4jDXIatj6Kd3CulBJFZeH1JCk3fWUvvIs+FXfxJbzqJZ8lmjj0KVLOoV44m0wqGtQnxzL9iKeyS/TcX/9q31d5+ourLjlQ08iB1AcWW2n2MSGdvtmIOTDgz2ad550tnxQHQ/7J/hqlkFdtW7ugBaQwzK5mUm/BgENv7RAXpf9GVRUygT8n8Rzw9U4RikJc1f09hFoD63Vj41C2wDupNmg==
  • Spamdiagnosticmetadata: NSPM
  • Spamdiagnosticoutput: 1:99

Due to a server misconfiguration on md.incommon.org, any InCommon SAML
deployment that requested *compressed* metadata between April 7 and April 19
erroneously received the content of an aggregate produced on April 6th. As of
11:10 am ET today (April 19), the issue is fully resolved and the server is
serving the correct versions of all aggregates in both compressed and
uncompressed format (except the Fallback Aggregate, which is currently served
uncompressed only). If your deployment has not refreshed metadata since 11:10
am ET today, please do so NOW.

DETAILS. Over the last two weeks, InCommon Operations enabled HTTP
Compression on md.incommon.org as follows:

Friday, April 7: Preview Aggregate
Tuesday, April 11: IdP-only Aggregate
Wednesday, April 19: Main Aggregate

Consequently, as a result of the misconfiguration mentioned earlier, any
deployment that requested a *compressed* Preview Aggregate between April 7
and April 19 erroneously received the content of the Preview Aggregate
produced on April 6th. Similarly for the IdP-only Aggregate. Most
importantly, any deployment that requested a *compressed* Main Aggregate
between 5:30am and 11:10am ET today (April 19) received the content of the
Main Aggregate produced on April 6th. Since the Main Aggregate has the
largest deployment footprint in the federation, the issue was noticed not
long after the 5:30am cutover. A site administrator reported the problem at
10:20am ET. InCommon Operations resolved the issue at 11:10am ET.

We know that Shibboleth supports compression by default, so any Shibboleth
deployment that refreshed metadata between 5:30am and 11:10am ET today was
affected by this incident. Other deployments may have been affected as well.
Please note: ONLY REQUESTS FOR COMPRESSED METADATA WERE AFFECTED. Requests
for uncompressed metadata were NOT affected at any time.

I do apologize for any inconvenience this may have caused. If you have
questions or concerns, please contact us at


-----
Tom Scavo
For InCommon Operations

  • [InCommon NOTICE] InCommon metadata issue, Thomas Scavo, 04/19/2017

Archive powered by MHonArc 2.6.19.

Top of Page