Shibboleth Identity Provider Security Advisory [4 October 2017]
takeshi at nii.ac.jp
Thu Oct 5 06:24:39 EDT 2017
> And that will be the official position of the project to the extent that we will stop supporting it in 4.0 to whatever extent possible.
Same will apply to metadata download URL?
On 2017/10/05 0:51, Cantor, Scott wrote:
> On 10/4/17, 11:44 AM, "users on behalf of Doan, Tommy" <users-bounces at shibboleth.net on behalf of tdoan at smu.edu> wrote:
>> Does the vulnerability not apply to LDAP authN configuration but only to the attribute resolver?
> That is correct though I would say without any equivocation that using the JVM's trust store is always the wrong decision and should never be done anywhere for any reason. And that will be the official position of the project to the extent that we will stop supporting it in 4.0 to whatever extent possible.
> -- Scott
More information about the users