Shibboleth Identity Provider Security Advisory [4 October 2017]

Cantor, Scott cantor.2 at osu.edu
Wed Oct 4 11:51:59 EDT 2017


On 10/4/17, 11:44 AM, "users on behalf of Doan, Tommy" <users-bounces at shibboleth.net on behalf of tdoan at smu.edu> wrote:

> Does the vulnerability not apply to LDAP authN configuration but only to the attribute resolver? 

That is correct, though I would say without any equivocation that using the JVM's trust store is always the wrong decision and should never be done anywhere for any reason. And that will be the official position of the project to the extent that we will stop supporting it in 4.0 to whatever extent possible.

-- Scott



