inc-ops-notifications - [InCommon NOTICE] Shibboleth Security Advisory

Subject: InCommon Operations Notifications

  • From: Dean Woodbeck <>
  • To: "" <>
  • Subject: [InCommon NOTICE] Shibboleth Security Advisory
  • Date: Wed, 17 Jan 2018 16:01:10 +0000

Dear InCommon Site Administrators,

We don’t normally forward or comment on advisories sent to the Shibboleth notification list. However, Scott Cantor, on behalf of the Shibboleth Consortium, has reported a situation that we feel warrants a message to all InCommon site admins.

Briefly, Scott reported a critical security issue with the Shibboleth Project’s XML Tooling library. Subsequently he discovered that the company that found the vulnerability has published the issue publicly with full disclosure on exactly how to exploit a vulnerable Shibboleth Service Provider. [1]

This makes it a very serious issue for those affected. The URL to the original security alert, which includes information on how to determine if you are affected and, if so, how to fix your instance, is https://shibboleth.net/community/advisories/secadv_20180112.txt

In addition, those with TIER Docker containers in their existing environments should ensure they have the up-to-date version and patches.

Thank you,

InCommon Operations

[1] https://www.redteam-pentesting.de/de/advisories/rt-sa-2017-013/-truncation-of-saml-attributes-in-shibboleth-2