Version 2.2 and 1.3.2 of the Shibboleth Service Provider Released
In conjunction with the just-announceed security advisory, please be aware
that minor updates for both generations of Shibboleth SP software are now
available from the download site.
This release is 100% compatible with existing deployments, including
configuration files (for the respective versions), and can be installed on
top of the existing software, upgraded via RPM, etc.
As mentioned in the advisory, due to time constraints, and the fact that the
vulnerability affects only IIS (Windows) systems, the releases are currently
limited to source and Windows packaging. RPMs and other planned formats will
follow as time permits.
(Note that RPMs can be generated on supported platforms with the "rpmbuild
-ta tarball.tar.gz" command.)
Windows sites can (and if affected by the bug, must) upgrade using the
postinstall ZIP package (backup tree, stop services, unzip on top of
\opt\shibboleth-sp, start services), or by removing the previous package and
installing this one. Removing the old package will not destroy your
A new wiki topic has been created to describe this process in detail to
ensure the patch can be quickly applied: