Shibboleth Service Provider Security Advisory [3 August 2018]

Peter Schober peter.schober at
Fri Aug 3 08:50:33 EDT 2018

* Cantor, Scott <cantor.2 at> [2018-08-03 14:19]:
> On 8/3/18, 8:13 AM, "users on behalf of Peter Schober" <users-bounces at on behalf of peter.schober at> wrote:
> > So this is not just about metadata (as I initially thought) and could
> > also be triggered by unsolicited responses, for example?
> So far *only*, unless you mean the signature block in metadata.

OK, and no, I was initially thinking of ordinary embedded keys.

> The code paths used are different depending on whether the library
> is verifying a signature or decrypting something, vs. processing
> "data" such as a KeyDescriptor, and so far only the former path is
> known to have an issue that got fixed. But that's "worse" of course
> since signature checks are by definition happening over untrusted
> data anybody could feed in.

Right, thanks for clarifying.

Thanks for your efforts,
