SRU: Shibboleth SPv3 for bionic
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
log4shib (Ubuntu) | Fix Released | Undecided | Unassigned |
Bionic | Fix Released | Undecided | Unassigned |
Cosmic | Fix Released | Undecided | Unassigned |
opensaml (Ubuntu) | Fix Released | Undecided | Unassigned |
Bionic | Won't Fix | Undecided | Unassigned |
Cosmic | Won't Fix | Undecided | Unassigned |
shibboleth-resolver (Ubuntu) | Fix Released | Undecided | Unassigned |
Bionic | Fix Released | Undecided | Unassigned |
Cosmic | Fix Released | Undecided | Unassigned |
shibboleth-sp (Ubuntu) | Fix Released | Undecided | Unassigned |
Bionic | Won't Fix | Undecided | Unassigned |
Cosmic | Won't Fix | Undecided | Unassigned |
xml-security-c (Ubuntu) | Fix Released | Undecided | Unassigned |
Bionic | Fix Released | Undecided | Unassigned |
Cosmic | Fix Released | Undecided | Unassigned |
xmltooling (Ubuntu) | Fix Released | Undecided | Unassigned |
Bionic | Fix Released | Undecided | Unassigned |
Cosmic | Fix Released | Undecided | Unassigned |
Bug Description
[Impact]
Bionic released with version 2 of the Shibboleth Service Provider (and its accompanying dependencies) and with OpenSSL 1.1. However, SPv2 is only compatible with OpenSSL 1.0 (and earlier), not 1.1, and was therefore shipped compiled against 1.0. This created a mix of OpenSSL and libcurl versions between the Apache module that the Shibboleth SP provides (mod_shib) and other Apache modules, so that mod_shib cannot be installed alongside any module that depends on libcurl4. Not being able to use mod_shib together with, for example, mod_php and php-curl greatly reduces the usefulness of the Shibboleth SPv2 in bionic (see LP#1776489). Version 3 of the Shibboleth SP is compatible with OpenSSL 1.1; having it available for bionic would allow users to install it together with other Apache modules.
Moreover, the SPv2 suffers from a few security issues (LP#1636590) which have since been fixed upstream, and v2 is no longer supported upstream (EOL, LP#1812401).
I propose to update the following source packages in bionic:
- shibboleth-sp [not in Bionic] to 3.0.4 (sync request for disco LP#1822055)
- opensaml [not in Bionic] to 3.0.1 (sync request for disco LP#1823325)
- xmltooling from 1.6.4-1ubuntu2.1 [Cosmic 3.0.2-1ubuntu1.1] to 3.0.4
- xml-security-c from 1.7.3-4ubuntu0.1 [Cosmic 2.0.1-1] to 2.0.2
- log4shib from 1.0.9-3 to 2.0.0
- shibboleth-resolver from 1.0.0-1build4 to 3.0.0
[Test Case]
# apt install apache2 libapache2-
[...]
# apt install libapache2-mod-php php-curl
Reading package lists... Done
Building dependency tree
Reading state information... Done
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:
The following packages have unmet dependencies:
php-curl : Depends: php7.2-curl but it is not going to be installed
E: Unable to correct problems, you have held broken packages.
# apt install php7.2-curl
Reading package lists... Done
Building dependency tree
Reading state information... Done
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:
The following packages have unmet dependencies:
php7.2-curl : Depends: libcurl4 (>= 7.44.0) but it is not going to be installed
E: Unable to correct problems, you have held broken packages.
# apt install libcurl4
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages were automatically installed and are no longer required:
libcurl3-gnutls libfcgi-bin libfcgi0ldbl liblog4shib1v5 libltdl7 libmemcached11 libodbc1 libssl1.0.0 libxerces-c3.2 libxml-
Use 'apt autoremove' to remove them.
The following packages will be REMOVED:
libapache2-
The following NEW packages will be installed:
libcurl4
0 upgraded, 1 newly installed, 7 to remove and 0 not upgraded.
Need to get 214 kB of archives.
After this operation, 18.7 MB disk space will be freed.
Do you want to continue? [Y/n] n
Abort.
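As an added diagnostic, not part of the bug report or of the Shibboleth packages: a POSIX shell check that reads ldd output for the Apache and PHP modules in question and flags whether they link two different OpenSSL generations, which is the mixed-library state the Impact section describes. Module paths and load addresses in the embedded samples are constructed.

```shell
#!/bin/sh
# Added example (not part of the bug report): given "ldd"-style output for a
# set of Apache/PHP modules, list the libssl/libcrypto SONAMEs they pull in
# and flag a mix of OpenSSL generations (libssl.so.1.0.0 next to
# libssl.so.1.1), which is the situation behind the mod_shib vs php-curl
# conflict on bionic. Paths and addresses in the samples are constructed.

# Reads ldd output on stdin, prints each distinct libssl/libcrypto SONAME once,
# and returns 1 if more than one libssl generation is present.
check_ssl_mix() {
    sonames=$(awk '/libssl\.so|libcrypto\.so/ { print $1 }' | sort -u)
    printf '%s\n' "$sonames"
    ssl_gens=$(printf '%s\n' "$sonames" | grep -c '^libssl\.so' || true)
    [ "$ssl_gens" -le 1 ]
}

# Constructed sample: SPv2 mod_shib linked against OpenSSL 1.0 (libssl1.0.0)
# while PHP's curl extension is linked against libcurl4 / OpenSSL 1.1.
MIXED='/usr/lib/apache2/modules/mod_shib.so:
	libcurl.so.4 => /usr/lib/x86_64-linux-gnu/libcurl.so.4 (0x00007f00)
	libssl.so.1.0.0 => /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007f01)
	libcrypto.so.1.0.0 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (0x00007f02)
/usr/lib/php/20170718/curl.so:
	libcurl.so.4 => /usr/lib/x86_64-linux-gnu/libcurl.so.4 (0x00007f03)
	libssl.so.1.1 => /usr/lib/x86_64-linux-gnu/libssl.so.1.1 (0x00007f04)
	libcrypto.so.1.1 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1 (0x00007f05)'

# Constructed sample: everything on OpenSSL 1.1, the state SPv3 allows.
CLEAN='/usr/lib/apache2/modules/mod_shib.so:
	libssl.so.1.1 => /usr/lib/x86_64-linux-gnu/libssl.so.1.1 (0x00007f04)
	libcrypto.so.1.1 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1 (0x00007f05)
/usr/lib/php/20170718/curl.so:
	libssl.so.1.1 => /usr/lib/x86_64-linux-gnu/libssl.so.1.1 (0x00007f04)
	libcrypto.so.1.1 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1 (0x00007f05)'

# On a real host the input would come from something like:
#   ldd /usr/lib/apache2/modules/mod_*.so /usr/lib/php/*/curl.so | check_ssl_mix
for sample in "$MIXED" "$CLEAN"; do
    if printf '%s\n' "$sample" | check_ssl_mix; then
        echo "OK: a single OpenSSL generation is linked"
    else
        echo "CONFLICT: modules link different OpenSSL generations"
    fi
done
```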
[Regression Potential]
A new version can, of course, bring new bugs and security vulnerabilities. Catching up to SPv3 would at least give us an upstream-supported version. Shibboleth SP 3.0.4 and its dependencies are, as of this writing, all in Debian testing without any major bug.
- tags: added bionic
- description: updated
- description: updated
- description: updated
- Changed in xml-security-c (Ubuntu Bionic): status New → Fix Released
- Changed in xml-security-c (Ubuntu Cosmic): status New → Fix Released
- Changed in xml-security-c (Ubuntu): status New → Fix Released
- Changed in shibboleth-resolver (Ubuntu): status New → Fix Released
- Changed in log4shib (Ubuntu): status New → Fix Released
- Changed in xmltooling (Ubuntu): status New → Fix Released
- Changed in xmltooling (Ubuntu Bionic): status New → Fix Released
- Changed in xmltooling (Ubuntu Cosmic): status New → Fix Released
- Changed in opensaml2 (Ubuntu): status New → Invalid
- no longer affects: shibboleth-sp (Ubuntu)
- no longer affects: shibboleth-sp (Ubuntu Bionic)
- no longer affects: shibboleth-sp (Ubuntu Cosmic)
- no longer affects: opensaml (Ubuntu Cosmic)
- no longer affects: opensaml (Ubuntu Bionic)
- no longer affects: opensaml (Ubuntu)
- Changed in shibboleth-sp (Ubuntu): status New → Invalid
- Changed in opensaml (Ubuntu): status New → Invalid
- affects: shibboleth-sp2 (Ubuntu) → ruby-omniauth-shibboleth (Ubuntu)
- no longer affects: shibboleth-sp (Ubuntu)
- affects: ruby-omniauth-shibboleth (Ubuntu) → shibboleth-sp (Ubuntu)
- Changed in shibboleth-sp (Ubuntu): status Confirmed → Fix Released
- no longer affects: opensaml (Ubuntu)
- affects: opensaml2 (Ubuntu) → opensaml (Ubuntu)
- Changed in opensaml (Ubuntu): status Invalid → Fix Released
- Changed in opensaml (Ubuntu Bionic): status Invalid → Won't Fix
- Changed in opensaml (Ubuntu Cosmic): status Invalid → Won't Fix
- Changed in shibboleth-sp (Ubuntu Bionic): status Invalid → Won't Fix
- Changed in shibboleth-sp (Ubuntu Cosmic): status Invalid → Won't Fix
Package log4shib 2.0.0-2 from disco builds without changes on bionic, tested with `backportpackage --destination=bionic --source=disco --build --builder=cowbuilder --key=0x6965D453D81531AD log4shib`.