Vulnerability report: authentication bypass?

Andrew Morgan morgan at
Fri Mar 2 11:43:05 EST 2018

On Fri, 2 Mar 2018, Zico wrote:

> Hi,
> Please pardon me if I missed any email thread on this issue... but .. it
> just got our attention.
> Do we need to patch our IdP for this?


See the thread on this mailing list with Subject "Shibboleth Service 
Provider Security Advisory [27 February 2018]".

The short answer is no.  There is nothing to patch in the IDP.  However, 
you should probably look into using encryption with all SPs to mitigate 
this vulnerability.

