OpenSSL heartbleed bug / Shibboleth implications

Leif Johansson leifj at sunet.se
Tue Apr 8 05:34:32 EDT 2014


On 2014-04-08 11:06, Peter Schober wrote:
> * Cantor, Scott <cantor.2 at osu.edu> [2014-04-08 05:49]:
>> I am working to prepare a patch for this (I had no advance warning)
>> and it will be done as soon as I can produce it. It will *only*
>> apply to the supported SP version, which is 2.5.3. Anything older
>> than 2.5.0 didn't include an affected OpenSSL version, but any 2.5.x
>> version will need to be updated to 2.5.3 and then patched.
>>
>> Any other SP version is still vulnerable if used with OpenSSL 1.0.1,
>> but I don't control the process of obtaining an update, so that will
>> depend on your OS or local build.
> 
> Does that really affect the SP's private key? I would have expected
> the privilege separation via shibd to prevent such problems?
> https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPArchitecture

Yes, I think that is correct.

> 
> And if anyone still needs reasons not to re-use TLS/SSL keys for SAML
> usage, it seems here's +1.
> -peter