Shibboleth Identity Provider Security Advisory [26 March 2015]

Cantor, Scott E.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512


Shibboleth Identity Provider Security Advisory [26 March 2015]

Interrupted HTTP Connections Lead to Denial of Service
=======================================================================

An error handling flaw in V3.0.0 and V3.1.0 of the Shibboleth Identity
Provider software can lead to heap exhaustion and CPU consumption when
connections to the server are interrupted unexpectedly.

This flaw is present in the V3 software only, and does not affect the
older V2 Identity Provider software.

Affected Versions
=================

Versions of the Identity Provider >= 3.0.0 and < 3.1.1


Recommendations
===============

IdP users: Upgrade to IdP V3.1.1 or greater.


References
==========

URL for this Security Advisory
http://shibboleth.net/community/advisories/secadv_20150326.txt


Credits
=======
Walter Hoehn, University of Memphis and Shibboleth Project Emeritus

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

-----END PGP SIGNATURE-----

