Shibboleth Service Provider Security Advisory [3 August 2018]
Peter Schober
peter.schober at univie.ac.at
Fri Aug 3 08:50:33 EDT 2018
* Cantor, Scott <cantor.2 at osu.edu> [2018-08-03 14:19]:
> On 8/3/18, 8:13 AM, "users on behalf of Peter Schober" <users-bounces at shibboleth.net on behalf of peter.schober at univie.ac.at> wrote:
>
> > So this is not just about metadata (as I initially thought) and could
> > also be triggered by unsolicited responses, for example?
>
> So far *only*, unless you mean the signature block in metadata.

OK, and no, I was initially thinking of ordinary embedded keys.

> The code paths used are different depending on whether the library
> is verifying a signature or decrypting something, vs. processing
> "data" such as a KeyDescriptor, and so far only the former path is
> known to have an issue that got fixed. But that's "worse" of course
> since signature checks are by definition happening over untrusted
> data anybody could feed in.

Right, thanks for clarifying.

Thanks for your efforts,
-peter