CVE-2017-16852 Shibboleth Service Provider Security Advisory [15 November 2017]

Bug #1732606 reported by Guy Halse
274
This bug affects 6 people
Affects Status Importance Assigned to Milestone
opensaml2 (Ubuntu)
Medium
Unassigned
Trusty
Medium
Unassigned
Xenial
Medium
Unassigned
shibboleth-sp2 (Debian)
Fix Released
Unknown
shibboleth-sp2 (Ubuntu)
Medium
Unassigned
Trusty
Medium
Unassigned
Xenial
Medium
Unassigned

Bug Description

The developers of the Shibboleth SP have released a security advisory that affects all current versions of shibboleth-sp prior to V2.6.1. This includes the versions currently available for all releases of Ubuntu.

The full text of the advisory is available at https://shibboleth.net/community/advisories/secadv_20171115.txt

The vulnerability allows a remote attacker to bypass security checks on dynamically loaded metadata, a scenario that's commonly used in federated environments, and thus a likely use-case for this package. It is likely that a significant proportion of users of this package will be affected.

From the advisory: "There are no known mitigations to prevent this attack apart from applying this update. Deployers should take immediate steps, and may wish to disable the use of this feature until the upgrade is done."

CVE References

Revision history for this message
Guy Halse (ghalse) wrote :

The advisory is already public, so there's no benefit in keeping this bug report private.

information type: Private Security → Public Security
Revision history for this message
Steve Beattie (sbeattie) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

Changed in opensaml2 (Ubuntu):
status: New → Incomplete
Changed in shibboleth-sp2 (Ubuntu):
status: New → Incomplete
Revision history for this message
Guy Halse (ghalse) wrote : Re: Shibboleth Service Provider Security Advisory [15 November 2017]

The patch proposed by the Shibboleth developers is simple enough and would appear to apply to earlier versions. Indeed, the bug has already been patched in Debian stretch (2.6.0+dfsg1-4+deb9u1) and jessie (2.5.3+dfsg-2+deb8u1) which appear to be the original packages from which these derive. The Debian bug report is at https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=881857

Having spent most of my career working with FreeBSD (which has a completely different package model), I'm not confident in my understanding of the relationship between Debian and Ubuntu or of my ability to adequately deal with repackaging this.

summary: - Shibboleth Service Provider Security Advisory [15 November 2017]
+ CVE-2017-16852 Shibboleth Service Provider Security Advisory [15
+ November 2017]
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package shibboleth-sp2 - 2.6.0+dfsg1-4+deb9u1build0.17.04.1

---------------
shibboleth-sp2 (2.6.0+dfsg1-4+deb9u1build0.17.04.1) zesty-security; urgency=medium

  * fake sync from Debian (LP: #1732606)

shibboleth-sp2 (2.6.0+dfsg1-4+deb9u1) stretch-security; urgency=high

  * [bf25c5f] New patch: Security fix from V2.6.1 (SSPCPP-763)
    Thanks to Scott Cantor

 -- Steve Beattie <email address hidden> Wed, 22 Nov 2017 17:29:28 -0800

Changed in shibboleth-sp2 (Ubuntu):
status: Incomplete → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package shibboleth-sp2 - 2.6.0+dfsg1-4+deb9u1build0.17.10.1

---------------
shibboleth-sp2 (2.6.0+dfsg1-4+deb9u1build0.17.10.1) artful-security; urgency=medium

  * fake sync from Debian (LP: #1732606)

shibboleth-sp2 (2.6.0+dfsg1-4+deb9u1) stretch-security; urgency=high

  * [bf25c5f] New patch: Security fix from V2.6.1 (SSPCPP-763)
    Thanks to Scott Cantor

 -- Steve Beattie <email address hidden> Wed, 22 Nov 2017 17:35:11 -0800

Changed in shibboleth-sp2 (Ubuntu):
status: Incomplete → Fix Released
Revision history for this message
Steve Beattie (sbeattie) wrote :

opensaml2 has been fixed in all releases (see https://launchpad.net/ubuntu/+source/opensaml2) except for the devel release (bionic), which will be addresses when the debian autosync pulls 2.6.1-1 from debian.

shibboleth-sp2 still needs to be fixed in trusty and xenial, if someone wants to step up to prepare the fixes for that, as well as for bionic, which will again be addressed when the autosync process pulls 2.6.1+dfsg1-1 from debian.

Changed in shibboleth-sp2 (Ubuntu Trusty):
status: New → Triaged
Changed in shibboleth-sp2 (Ubuntu Xenial):
status: New → Triaged
Changed in opensaml2 (Ubuntu Trusty):
status: New → Fix Released
Changed in opensaml2 (Ubuntu Xenial):
status: New → Fix Released
Revision history for this message
Mathew Hodson (mhodson) wrote :

Was fixed in Bionic
---

opensaml2 (2.6.1-1) unstable; urgency=high

  * [0c08870] New upstream release (2.6.1)
    Security fix for CVE-2017-16853:
    Rod Widdowson of Steading System Software LLP discovered a coding error in
    the OpenSAML library, causing the DynamicMetadataProvider class to fail
    configuring itself with the filters provided and omitting whatever checks
    they are intended to perform.
  * [0795c42] Refresh our patches
  * [1f742ec] Update Standards-Version to 4.1.1 (no changes needed)
  * [5bed74f] Bump XMLTooling dependency version to 1.6.
    This isn't strictly required, but the stack is always updated in
    lockstep, so why not follow the upstream spec file in this respect.

 -- Ferenc Wágner <email address hidden> Mon, 20 Nov 2017 10:46:24 +0100

Changed in opensaml2 (Ubuntu):
status: Incomplete → Fix Released
Mathew Hodson (mhodson)
Changed in opensaml2 (Ubuntu):
importance: Undecided → Medium
Changed in opensaml2 (Ubuntu Trusty):
importance: Undecided → Medium
Changed in opensaml2 (Ubuntu Xenial):
importance: Undecided → Medium
Changed in shibboleth-sp2 (Ubuntu):
importance: Undecided → Medium
Changed in shibboleth-sp2 (Ubuntu Trusty):
importance: Undecided → Medium
Changed in shibboleth-sp2 (Ubuntu Xenial):
importance: Undecided → Medium
Changed in shibboleth-sp2 (Debian):
status: Unknown → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Duplicates of this bug

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.