Re: Upcoming Shibboleth IdP security patch


Re: Upcoming Shibboleth IdP security patch

Simon Lundström-2
According to the vulnerability report it only affects Windows?

Do deployers who use something other than Windows need to patch?

BR,
- Simon

On Thu, 2018-05-10 at 20:34:04 +0000, Cantor, Scott wrote:

>We will be releasing a security patch update for the IdP, V3.3.3, currently planned for next Wednesday, May 16th. The patch includes a Spring Framework bump to pick up a fix for [1] and a security fix for a CAS protocol support issue that we will disclose at that time.
>
>The CAS issue is of critical severity. Only deployers using the CAS protocol support are impacted.
>
>The Spring issue is potentially high in severity (and is public knowledge) but we don't have any reason to believe most, or possibly any, deployers are affected. But erring on the side of caution because we allow a fair amount of Spring MVC customization, we want to make the fixed version available.
>
>-- Scott
>
>[1] https://pivotal.io/security/cve-2018-1271
>--
>To unsubscribe from this list send an email to [hidden email]
--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]

Re: Upcoming Shibboleth IdP security patch

Peter Schober
* Simon Lundström <[hidden email]> [2018-05-11 08:49]:
> Do deployers who use something other than Windows need to patch?

Seems that's not the case:

"Note also that this attack does not apply to applications that:
  * Do not use Windows."

-peter

Re: Upcoming Shibboleth IdP security patch

Paul B. Henson-2
On Fri, May 11, 2018 at 08:48:37AM +0200, Simon Lundström wrote:
> According to the vulnerability report it only affects Windows?
>
> Do deployers who use something other than Windows need to patch?

There are two vulnerabilities:

* One in Spring, only pertinent to Windows
* One in the idp itself, only pertinent to people running CAS

So, if you neither run the idp under windows, nor use the idp CAS
support, I guess you don't need to worry about this one, at least not
critically.

> On Thu, 2018-05-10 at 20:34:04 +0000, Cantor, Scott wrote:
> >We will be releasing a security patch update for the IdP, V3.3.3,
> >currently planned for next Wednesday, May 16th. The patch includes a
> >Spring Framework bump to pick up a fix for [1] and a security fix for
> >a CAS protocol support issue that we will disclose at that time.
> >
> >The CAS issue is of critical severity. Only deployers using the CAS
> >protocol support are impacted.
> >
> >The Spring issue is potentially high in severity (and is public
> >knowledge) but we don't have any reason to believe most, or possibly
> >any, deployers are affected. But erring on the side of caution
> >because we allow a fair amount of Spring MVC customization, we want
> >to make the fixed version available.
> >
> >-- Scott

--
Paul B. Henson  |  (909) 979-6361  |  http://www.cpp.edu/~henson/
Operating Systems and Network Analyst  |  [hidden email]
California State Polytechnic University  |  Pomona CA 91768

Re: Upcoming Shibboleth IdP security patch

Bogar, Lisa

Does it affect the idp3-2.1 version using the CAS protocol support?


Thanks,

Lisa

Lisa L. Bogar
Server Systems Administrator
Montana State University – University Information Technology (UIT)
2327 University Way, Suite 224 | Montana State University
PO BOX 173245, Bozeman, MT 59715
Campus Address: CFT5, Suite 224
(406)994-7887


Re: Upcoming Shibboleth IdP security patch

Marvin Addison
On Mon, May 14, 2018 at 8:37 AM Bogar, Lisa <[hidden email]> wrote:

> Does it affect the idp3-2.1 version using the CAS protocol support?


Yes. It affects the CAS protocol support for all IdP 3.x versions.

M

