Shibboleth Service Provider Security Advisory [19 December 2018]



Cantor, Scott E.

Shibboleth Service Provider Security Advisory [19 December 2018]

An updated version of the Shibboleth Service Provider software
is now available which corrects a denial of service vulnerability.

Shibboleth SP software crashes on malformed date/time content
===============================================================
SAML messages, assertions, and metadata all commonly contain
date/time information in a standard XML format.

Invalidly formatted data in such fields causes an exception of a type
that was not handled properly in the V3 software, crashing the process
(usually the shibd daemon, but in rare cases Apache itself). Note that
the crash occurs before a message's authenticity is evaluated, so it
can be triggered by an untrusted attacker.

The problem is believed to be specific to the V3 software and
would not cause a crash in the older, now unsupported, V2 software.

All SP versions between 3.0.0 and 3.0.2 are affected.
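The failure mode above, parsing untrusted date/time content before any
signature check, with a narrow exception handler letting the parser's
exception escape, is shown below as an added example. This is not
Shibboleth, OpenSAML or XMLTooling code; the xs:dateTime parser, the
assumed handler types and the constructed sample values are all
illustrative, and the parser is simplified (it does not validate days
per month or leap years).

```cpp
// Added example, not Shibboleth code: a strict xs:dateTime lexical parser,
// the unhandled-exception pattern that crashes a daemon, and the hardened
// form that turns every parse failure into a rejectable value.
#include <cctype>
#include <iostream>
#include <optional>
#include <stdexcept>
#include <string>

struct XsDateTime {
    int year = 0, month = 0, day = 0, hour = 0, minute = 0, second = 0;
    int tzOffsetMinutes = 0;  // 0 for 'Z' or when no timezone is present
};

namespace {
// Reads exactly n ASCII digits from s at offset i, or throws.
int readDigits(const std::string& s, size_t& i, size_t n) {
    int v = 0;
    for (size_t k = 0; k < n; ++k, ++i) {
        if (i >= s.size() || !std::isdigit(static_cast<unsigned char>(s[i])))
            throw std::invalid_argument("expected digit at offset " + std::to_string(i));
        v = v * 10 + (s[i] - '0');
    }
    return v;
}
void expectChar(const std::string& s, size_t& i, char c) {
    if (i >= s.size() || s[i] != c)
        throw std::invalid_argument(std::string("expected '") + c + "' at offset " + std::to_string(i));
    ++i;
}
}  // namespace

// Parses the XML Schema dateTime lexical form
//   (-)?CCYY-MM-DDThh:mm:ss(.s+)?(Z|(+|-)hh:mm)?
// and throws std::invalid_argument (a std::logic_error) on any deviation.
XsDateTime parseXsDateTimeOrThrow(const std::string& s) {
    XsDateTime dt;
    size_t i = 0;
    bool negative = (i < s.size() && s[i] == '-');
    if (negative) ++i;
    dt.year = readDigits(s, i, 4);
    if (negative) dt.year = -dt.year;
    expectChar(s, i, '-');  dt.month  = readDigits(s, i, 2);
    expectChar(s, i, '-');  dt.day    = readDigits(s, i, 2);
    expectChar(s, i, 'T');  dt.hour   = readDigits(s, i, 2);
    expectChar(s, i, ':');  dt.minute = readDigits(s, i, 2);
    expectChar(s, i, ':');  dt.second = readDigits(s, i, 2);
    if (i < s.size() && s[i] == '.') {  // optional fractional seconds
        size_t start = ++i;
        while (i < s.size() && std::isdigit(static_cast<unsigned char>(s[i]))) ++i;
        if (i == start) throw std::invalid_argument("empty fractional seconds");
    }
    if (i < s.size()) {  // optional timezone
        if (s[i] == 'Z') {
            ++i;
        } else if (s[i] == '+' || s[i] == '-') {
            int sign = (s[i] == '-') ? -1 : 1;
            ++i;
            int tzh = readDigits(s, i, 2);
            expectChar(s, i, ':');
            int tzm = readDigits(s, i, 2);
            if (tzh > 14 || tzm > 59 || (tzh == 14 && tzm != 0))
                throw std::invalid_argument("timezone out of range");
            dt.tzOffsetMinutes = sign * (tzh * 60 + tzm);
        } else {
            throw std::invalid_argument("unexpected character at offset " + std::to_string(i));
        }
    }
    if (i != s.size()) throw std::invalid_argument("trailing garbage");
    if (dt.month < 1 || dt.month > 12 || dt.day < 1 || dt.day > 31 ||
        dt.hour > 24 || dt.minute > 59 || dt.second > 59 ||
        (dt.hour == 24 && (dt.minute != 0 || dt.second != 0)))
        throw std::invalid_argument("field out of range");
    return dt;
}

// Unpatched pattern (hypothetical): the caller anticipates only
// std::runtime_error, so the parser's std::invalid_argument escapes.
// An exception leaving a daemon's worker thread ends the whole process.
bool checkIssueInstantNarrowCatch(const std::string& value) {
    try { parseXsDateTimeOrThrow(value); return true; }
    catch (const std::runtime_error&) { return false; }
}

// Returns true when the narrow handler let the exception propagate.
bool narrowCatchLetsExceptionEscape(const std::string& value) {
    try { checkIssueInstantNarrowCatch(value); return false; }
    catch (...) { return true; }
}

// Hardened pattern: every parse failure becomes an empty optional, so the
// untrusted value can be rejected long before authenticity is evaluated.
std::optional<XsDateTime> parseXsDateTime(const std::string& s) noexcept {
    try { return parseXsDateTimeOrThrow(s); }
    catch (const std::exception&) { return std::nullopt; }
}
bool checkIssueInstant(const std::string& value) noexcept {
    return parseXsDateTime(value).has_value();
}

int main() {
    // Constructed sample IssueInstant values, not captured traffic.
    const char* samples[] = {"2018-12-19T12:00:00Z", "2018-12-19 12:00:00Z", "2018-13-19T12:00:00Z"};
    for (const char* v : samples)
        std::cout << v << " -> " << (checkIssueInstant(v) ? "accepted" : "rejected")
                  << ", narrow catch escapes: " << narrowCatchLetsExceptionEscape(v) << "\n";
    return 0;
}
```

The practical check is the one the hardened form encodes: any parser
applied to message content before signature verification must either
be exception-free or be wrapped by a handler that catches the base type
it can actually throw, and the result must be a rejection of the
message rather than of the process.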

Recommendations
===============
Update to V3.0.3 or later of the Service Provider software, which is
now available.

Credits
=======
Paolo Smiraglia, Antonio Giovanni Schiavone, Michele D'Amico,
and Umberto Rosini, of Agenzia per l'Italia Digitale (AgID)

URL for this Security Advisory:
https://shibboleth.net/community/advisories/secadv_20181219a.txt

