CVE-2017-16852 Shibboleth Service Provider Security Advisory [15 November 2017]
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| opensaml2 (Ubuntu) | Fix Released | Medium | Unassigned | |
| Trusty | Fix Released | Medium | Unassigned | |
| Xenial | Fix Released | Medium | Unassigned | |
| shibboleth-sp2 (Debian) | Fix Released | Unknown | | |
| shibboleth-sp2 (Ubuntu) | Fix Released | Medium | Unassigned | |
| Trusty | Triaged | Medium | Unassigned | |
| Xenial | Triaged | Medium | Unassigned | |
Bug Description
The developers of the Shibboleth SP have released a security advisory that affects all current versions of shibboleth-sp prior to V2.6.1. This includes the versions currently available for all releases of Ubuntu.
The full text of the advisory is available at https:/
The vulnerability allows a remote attacker to bypass security checks on dynamically loaded metadata, a scenario that's commonly used in federated environments, and thus a likely use-case for this package. It is likely that a significant proportion of users of this package will be affected.
From the advisory: "There are no known mitigations to prevent this attack apart from applying this update. Deployers should take immediate steps, and may wish to disable the use of this feature until the upgrade is done."
CVE References
| Changed in | Field | Change |
|---|---|---|
| opensaml2 (Ubuntu) | importance | Undecided → Medium |
| opensaml2 (Ubuntu Trusty) | importance | Undecided → Medium |
| opensaml2 (Ubuntu Xenial) | importance | Undecided → Medium |
| shibboleth-sp2 (Ubuntu) | importance | Undecided → Medium |
| shibboleth-sp2 (Ubuntu Trusty) | importance | Undecided → Medium |
| shibboleth-sp2 (Ubuntu Xenial) | importance | Undecided → Medium |
| shibboleth-sp2 (Debian) | status | Unknown → Fix Released |
The advisory is already public, so there's no benefit in keeping this bug report private.