*** This bug is a security vulnerability ***

Public security bug reported:

Upstream advisory:
https://shibboleth.net/community/advisories/secadv_20210426.txt

Shibboleth Service Provider Security Advisory [26 April 2021]

An updated version of the Service Provider software is now
available which corrects a denial of service vulnerability.

Session recovery feature contains a null pointer dereference
======================================================================
The cookie-based session recovery feature added in V3.0 contains a
flaw that is exploitable on systems *not* using the feature if a
specially crafted cookie is supplied.

This manifests as a crash in the shibd daemon/service process.

Because it is very simple to trigger this condition remotely, it
results in a potential denial of service condition exploitable by
a remote, unauthenticated attacker.

Versions without this feature (prior to V3.0) are not vulnerable
to this particular issue.

Recommendations
===============
Update to V3.2.2 or later of the Service Provider software, which
is now available.

In cases where this is not immediately possible, configuring a
DataSealer component in shibboleth2.xml (even if used for nothing)
will work around the vulnerability.

For example:

<DataSealer type="Static" key="4Sn0Wi6BXqQLCg+GQqY6bg==" />

This workaround is only possible after having updated the
core configuration to the V3 XML namespace.

Other Notes
===========
The cpp-sp git commit containing the fix for this issue is
5a47c3b9378f4c49392dd4d15189b70956f9f2ec

URL for this Security Advisory:
https://shibboleth.net/community/advisories/secadv_20210426.txt

** Affects: shibboleth-sp (Ubuntu)
     Importance: Undecided
         Status: New

** Affects: shibboleth-sp (Debian)
     Importance: Unknown
         Status: Unknown

** Bug watch added: Debian Bug tracker #987608
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=987608

** Also affects: shibboleth-sp (Debian) via
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=987608
   Importance: Unknown
       Status: Unknown

** Information type changed from Private Security to Public Security

https://bugs.launchpad.net/bugs/1926250

Title:
  CVE-2021-31826: Session recovery feature contains a null pointer
  dereference
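
A triage check built from the advisory's version bounds and workaround conditions, added here as an example (it is not part of the advisory or the Shibboleth project's code). The function names and sample configurations are constructed, and the V3 namespace URI is written out from the SP configuration schema since the advisory only refers to it by name.

```python
import re
import xml.etree.ElementTree as ET

V3_NS = "urn:mace:shibboleth:3.0:native:sp:config"  # V3 config namespace
INTRODUCED, FIXED = (3, 0, 0), (3, 2, 2)  # version bounds from the advisory

def parse_version(text):
    """'3.2.1+dfsg1-1' -> (3, 2, 1); missing components count as 0."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        raise ValueError("no version number in %r" % text)
    return tuple(int(g or 0) for g in m.groups())

def assess(sp_version, config_xml):
    """Return 'not-affected', 'fixed', 'workaround' or 'exposed'."""
    version = parse_version(sp_version)
    if version < INTRODUCED:
        return "not-affected"
    if version >= FIXED:
        return "fixed"
    root = ET.fromstring(config_xml)
    # The workaround requires the core configuration in the V3 namespace.
    if root.tag != "{%s}SPConfig" % V3_NS:
        return "exposed"
    sealer = root.find(".//{%s}DataSealer" % V3_NS)
    return "workaround" if sealer is not None else "exposed"

# Constructed sample configurations (not taken from a real deployment).
V3_WITH_SEALER = """<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config">
  <DataSealer type="Static" key="PLACEHOLDER_BASE64_KEY"/>
</SPConfig>"""
V3_NO_SEALER = """<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config">
  <ApplicationDefaults entityID="https://sp.example.org/shibboleth"/>
</SPConfig>"""
V2_NAMESPACE = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <DataSealer type="Static" key="PLACEHOLDER_BASE64_KEY"/>
</SPConfig>"""

if __name__ == "__main__":
    for ver, cfg in [("2.6.1", V3_NO_SEALER), ("3.0.4", V3_WITH_SEALER),
                     ("3.0.4", V3_NO_SEALER), ("3.1.0", V2_NAMESPACE),
                     ("3.2.2", V3_NO_SEALER)]:
        print(ver, assess(ver, cfg))
```

The comparison uses the upstream version number only, so a distribution package that backports the fix under an older upstream version will still be reported as affected and needs checking against the distribution's own changelog.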