Vulnerability Check

Vulnerability Check

Murugan H

We are using the opensaml 2.6.1 and xmltooling 1.4.1 Java libraries with Shibboleth as the service provider. As we can see in the article, only the xmltooling C++ library is impacted, and we are not finding any references to the Java libraries. Can you please confirm whether the two libraries we are using are susceptible to the vulnerability?

https://shibboleth.net/community/advisories/secadv_20180227.txt

Regards
Murugan

--
To unsubscribe from this list send an email to [hidden email]

RE: Vulnerability Check

Cantor, Scott E.
> We are using the opensaml 2.6.1 and xmltooling 1.4.1 Java libraries with
> Shibboleth as the service provider. As we can see in the article, only the
> xmltooling C++ library is impacted, and we are not finding any references to
> the Java libraries. Can you please confirm whether the two libraries we are
> using are susceptible to the vulnerability?

If you were using Shibboleth as the SP, you wouldn't be using those libraries, as we have no SP in Java. Regardless, those libraries have been end of life for years and are entirely unsupported.

If you want an answer for V3, see [1], and the note added to [2].

I have, finally, removed OpenSAML from the web site's list of "products" and we will take further steps in the future to formally document that anyone using it separately from Shibboleth is doing so against our advice and at their own risk. The code is insufficiently documented to be safe for anyone else's use.

-- Scott

[1] https://issues.shibboleth.net/jira/browse/OSJ-232
[2] https://wiki.shibboleth.net/confluence/display/OS30
