Upcoming Shibboleth IdP security patch

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view

Upcoming Shibboleth IdP security patch

Cantor, Scott E.
We will be releasing a security patch update for the IdP, V3.3.3, currently planned for next Wednesday, May 16th. The patch includes a Spring Framework bump to pick up a fix for [1] and a security fix for a CAS protocol support issue that we will disclose at that time.

The CAS issue is of critical severity. Only deployers using the CAS protocol support are impacted.

The Spring issue is potentially high in severity (and is public knowledge) but we don't have any reason to believe most, or possibly any, deployers are affected. But erring on the side of caution because we allow a fair amount of Spring MVC customization, we want to make the fixed version available.

-- Scott

[1] https://pivotal.io/security/cve-2018-1271
To unsubscribe from this list send an email to [hidden email]