*** This bug is a security vulnerability ***

Public security bug reported:

The developers of the Shibboleth SP have released a security advisory that affects all current versions of shibboleth-sp prior to V2.6.1. This includes the versions currently available for all releases of Ubuntu. The full text of the advisory is available at https://shibboleth.net/community/advisories/secadv_20171115.txt

The vulnerability allows a remote attacker to bypass security checks on dynamically loaded metadata, a scenario that's commonly used in federated environments, and thus a likely use-case for this package. It is likely that a significant proportion of users of this package will be affected.

From the advisory: "There are no known mitigations to prevent this attack apart from applying this update. Deployers should take immediate steps, and may wish to disable the use of this feature until the upgrade is done."

** Affects: opensaml2 (Ubuntu)
     Importance: Undecided
         Status: New

** Affects: shibboleth-sp2 (Ubuntu)
     Importance: Undecided
         Status: New

** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1732606

Title:
  Shibboleth Service Provider Security Advisory [15 November 2017]

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/opensaml2/+bug/1732606/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs