Suggestion for XmlTooling 1.4.1: Shibboleth Service Provider Security Advisory [2018-01-12]


Suggestion for XmlTooling 1.4.1: Shibboleth Service Provider Security Advisory [2018-01-12]

Santu Ghosh
Hi All

I have a Java code base where I used the xmltooling 1.4.1 jar to parse SAML responses.

<groupId>org.opensaml</groupId>
<artifactId>xmltooling</artifactId>
<version>1.4.1</version>
<packaging>jar</packaging>


Now I have seen the announcement from the Shibboleth forum regarding the security vulnerability of user data during XML processing.

Can anyone tell me whether this vulnerability also exists in the xmltooling-1.4.1 jar on the Java side? If yes, should I upgrade this jar?

Please help...

--
Snahasish


--
To unsubscribe from this list send an email to [hidden email]

RE: Suggestion for XmlTooling 1.4.1: Shibboleth Service Provider Security Advisory [2018-01-12]

Cantor, Scott E.
> Can anyone tell me whether this vulnerability also exists in the xmltooling-1.4.1 jar
> on the Java side? If yes, should I upgrade this jar?

The advisory is for C++, not Java, and you're already running on EOL Java code that we no longer maintain so you have bigger problems to deal with.

-- Scott



RE: Suggestion for XmlTooling 1.4.1: Shibboleth Service Provider Security Advisory [2018-01-12]

Rod Widdowson
In reply to this post by Santu Ghosh
> <groupId>org.opensaml</groupId>
> <artifactId>xmltooling</artifactId>
> <version>1.4.1</version>
> <packaging>jar</packaging>

Well, that jar is over 2 years old, on a development branch that has been unmaintained for more than 2 years, and is therefore subject to multiple SecAdvs. Several are probably significantly more serious than this one.

But one of them won't be the one you quote since it is for C++ and you are speaking Java.

> Please help...

Update to the latest OpenSAML. But bear in mind that XMLTooling (C++) and OpenSAML (C++, Java) are maintained solely in support of Shibboleth.

R

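As an added example (not code from this thread or from the Shibboleth project), the following Python check scans a pom.xml for the org.opensaml:xmltooling and org.opensaml:opensaml coordinates the thread discusses, resolving ${property} versions, so a dependency on that unmaintained branch is caught before a build rather than noticed after a security advisory. The EOL table reflects what the replies above say about the branch, and the sample POM is constructed for illustration.

```python
# Added example: flag Maven dependencies on the unmaintained OpenSAML 2 / XMLTooling 1 line.
import re
import xml.etree.ElementTree as ET

# Constructed table reflecting what the thread says about this development branch.
EOL_ARTIFACTS = {
    ("org.opensaml", "xmltooling"): "XMLTooling-Java 1.x: unmaintained branch, update to current OpenSAML",
    ("org.opensaml", "opensaml"): "OpenSAML-Java 2.x: unmaintained branch, update to current OpenSAML",
}

def _child_text(el, tag, ns):
    child = el.find(f"{{{ns}}}{tag}" if ns else tag)
    return child.text.strip() if child is not None and child.text else ""

def _resolve(value, props):
    """Expand ${property} references using the POM's <properties> block."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), value)

def find_eol_dependencies(pom_xml):
    """Return (groupId, artifactId, version, reason) for each dependency listed in EOL_ARTIFACTS."""
    root = ET.fromstring(pom_xml)
    # Real POMs declare the Maven namespace; a pasted fragment like the one in the thread does not.
    ns = root.tag[1:].split("}")[0] if root.tag.startswith("{") else ""
    props_el = root.find(f"{{{ns}}}properties" if ns else "properties")
    props = {p.tag.split("}")[-1]: (p.text or "").strip() for p in (props_el if props_el is not None else [])}
    findings = []
    for dep in root.iter(f"{{{ns}}}dependency" if ns else "dependency"):
        coords = (_child_text(dep, "groupId", ns), _child_text(dep, "artifactId", ns))
        reason = EOL_ARTIFACTS.get(coords)
        if reason:
            version = _resolve(_child_text(dep, "version", ns), props)
            findings.append(coords + (version, reason))
    return findings

# Constructed POM: the coordinates quoted in the thread, a property-versioned sibling, and a clean dependency.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><opensaml.version>2.6.4</opensaml.version></properties>
  <dependencies>
    <dependency><groupId>org.opensaml</groupId><artifactId>xmltooling</artifactId>
      <version>1.4.1</version><packaging>jar</packaging></dependency>
    <dependency><groupId>org.opensaml</groupId><artifactId>opensaml</artifactId>
      <version>${opensaml.version}</version></dependency>
    <dependency><groupId>org.slf4j</groupId><artifactId>slf4j-api</artifactId>
      <version>1.7.25</version></dependency>
  </dependencies>
</project>"""
```

Running find_eol_dependencies(SAMPLE_POM) reports both org.opensaml artifacts with their resolved versions and leaves slf4j-api alone; the same function also accepts a bare, namespace-less fragment like the one pasted in the original post.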

Re: Suggestion for XmlTooling 1.4.1: Shibboleth Service Provider Security Advisory [2018-01-12]

Santu Ghosh
Thank you all for your response.

Can you please guide me to the next step to overcome this and make this code up-to-date?

Is there any document or link on how to upgrade this?

Please help..



On Thu, Jan 18, 2018 at 8:11 PM, Rod Widdowson <[hidden email]> wrote:

--
Snahasish



RE: Suggestion for XmlTooling 1.4.1: Shibboleth Service Provider Security Advisory [2018-01-12]

Cantor, Scott E.
> Can you please guide me to the next step to overcome this and make this
> code up-to-date.

Stop implementing SAML yourself and use an existing implementation that does what you need. If you have a choice between accepting the need to stop doing it all yourself and using EOL code, that shouldn't be a hard decision to make.

> Is there any document or link on how to upgrade this ?

We do not have significant developer documentation for OpenSAML, it's user beware, and always has been. It's for our use, we simply happen to make it accessible as open source because the rest of Shibboleth is.

It was not my choice to describe it on a web site as a "product" we offer, and for that I can apologize, though again, not my decision.
 
-- Scott
