OpenSSL heartbleed bug / Shibboleth implications
leifj at sunet.se
Tue Apr 8 05:34:32 EDT 2014
On 2014-04-08 11:06, Peter Schober wrote:
> * Cantor, Scott <cantor.2 at osu.edu> [2014-04-08 05:49]:
>> I am working to prepare a patch for this (I had no advance warning)
>> and it will be done as soon as I can produce it. It will *only*
>> apply to the supported SP version, which is 2.5.3. Anything older
>> than 2.5.0 didn't include an affected OpenSSL version, but any 2.5.x
>> version will need to be updated to 2.5.3 and then patched.
>> Any other SP version is still vulnerable if used with OpenSSL 1.0.1,
>> but I don't control the process of obtaining an update, so that will
>> depend on your OS or local build.
> Does that really affect the SP's private key? I would have expected
> the privilege separation via shibd to prevent such problems?
Yes, I think that is correct.
> And if anyone still needs reasons not to re-use TLS/SSL keys for SAML
> usage, it seems here's +1.