CVE-2017-16852 Shibboleth Service Provider Security Advisory [15 November 2017]

The advisory is already public, so there's no benefit in keeping this bug report private.

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

The patch proposed by the Shibboleth developers is simple enough and would appear to apply to earlier versions. Indeed, the bug has already been patched in Debian stretch (2.6.0+dfsg1-4+deb9u1) and jessie (2.5.3+dfsg-2+deb8u1) which appear to be the original packages from which these derive. The Debian bug report is at https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=881857

Having spent most of my career working with FreeBSD (which has a completely different package model), I'm not confident in my understanding of the relationship between Debian and Ubuntu or of my ability to adequately deal with repackaging this.

This bug was fixed in the package shibboleth-sp2 - 2.6.0+dfsg1-4+deb9u1build0.17.04.1

---------------
shibboleth-sp2 (2.6.0+dfsg1-4+deb9u1build0.17.04.1) zesty-security; urgency=medium

  * fake sync from Debian (LP: #1732606)

shibboleth-sp2 (2.6.0+dfsg1-4+deb9u1) stretch-security; urgency=high

  * [bf25c5f] New patch: Security fix from V2.6.1 (SSPCPP-763)
    Thanks to Scott Cantor

 -- Steve Beattie <email address hidden> Wed, 22 Nov 2017 17:29:28 -0800

This bug was fixed in the package shibboleth-sp2 - 2.6.0+dfsg1-4+deb9u1build0.17.10.1

---------------
shibboleth-sp2 (2.6.0+dfsg1-4+deb9u1build0.17.10.1) artful-security; urgency=medium

  * fake sync from Debian (LP: #1732606)

shibboleth-sp2 (2.6.0+dfsg1-4+deb9u1) stretch-security; urgency=high

  * [bf25c5f] New patch: Security fix from V2.6.1 (SSPCPP-763)
    Thanks to Scott Cantor

 -- Steve Beattie <email address hidden> Wed, 22 Nov 2017 17:35:11 -0800

opensaml2 has been fixed in all releases (see https://launchpad.net/ubuntu/+source/opensaml2) except for the devel release (bionic), which will be addresses when the debian autosync pulls 2.6.1-1 from debian.

shibboleth-sp2 still needs to be fixed in trusty and xenial, if someone wants to step up to prepare the fixes for that, as well as for bionic, which will again be addressed when the autosync process pulls 2.6.1+dfsg1-1 from debian.

Was fixed in Bionic
---

opensaml2 (2.6.1-1) unstable; urgency=high

  * [0c08870] New upstream release (2.6.1)
    Security fix for CVE-2017-16853:
    Rod Widdowson of Steading System Software LLP discovered a coding error in
    the OpenSAML library, causing the DynamicMetadataProvider class to fail
    configuring itself with the filters provided and omitting whatever checks
    they are intended to perform.
  * [0795c42] Refresh our patches
  * [1f742ec] Update Standards-Version to 4.1.1 (no changes needed)
  * [5bed74f] Bump XMLTooling dependency version to 1.6.
    This isn't strictly required, but the stack is always updated in
    lockstep, so why not follow the upstream spec file in this respect.

 -- Ferenc Wágner <email address hidden> Mon, 20 Nov 2017 10:46:24 +0100