Shibboleth Service Provider Security Advisory [3 August 2018]

Cantor, Scott cantor.2 at
Fri Aug 3 08:18:51 EDT 2018

On 8/3/18, 8:13 AM, "users on behalf of Peter Schober" <users-bounces at on behalf of peter.schober at> wrote:

> So this is not just about metadata (as I initially thought) and could
> also be triggered by unsolicited responses, for example?

So far *only*, unless you mean the signature block in metadata. The code paths used are different depending on whether the library is verifying a signature or decrypting something, vs. processing "data" such as a KeyDescriptor, and so far only the former path is known to have an issue that got fixed. But that's "worse" of course since signature checks are by definition happening over untrusted data anbyody could feed in.

There's going to be much more testing and investigating since this is a concrete area of concern rather than a giant net of "check the code for bad stuff", more likely to be productive to spend the time finding more bugs. But my early testing hasn't found anything so far.

-- Scott

More information about the users mailing list