Shibboleth Identity Provider 4.1.6 now available

Cantor, Scott cantor.2 at osu.edu
Thu Mar 31 18:42:32 UTC 2022


The Shibboleth Project has released V4.1.6 of the Identity Provider [1] to address this week's Spring vulnerability [2]. There are no other material changes since V4.1.5.

We do not have any specific knowledge that this vulnerability affects the IdP and a fair amount of insight that it may well not, but the Spring Project hasn't corroborated our research by clearly pointing to the feature we think triggers the bug, so we're erring on the cautious side and just assuming we're vulnerable and believe deployers should do so as well. I've updated the security page [3] to reflect that assumption.

V4.2.0 is imminent, but it is a minor upgrade without a definite release date, so waiting for it is not likely the best course for most.

-- Scott

[1] http://shibboleth.net/downloads/identity-provider/latest/
[2] https://tanzu.vmware.com/security/cve-2022-22965
[3] https://shibboleth.atlassian.net/wiki/spaces/IDP4/pages/1265631889/SecurityAdvisories
