shibboleth repository for SLES 12 SP5

UM-IT UM-IT at lrz.uni-muenchen.de
Wed Feb 26 06:03:12 EST 2020


I’ve got an answer from SuSE - and it’s a good one for SLES users! 

Short version: They are backporting security patches for the shibboleth-sp package. Scott's advice "to rely on what comes with the OS" seems to be the best option. I tried the 2.5.5 package on my dev server and it seems to work flawlessly.

Long version: Here are the answers to my questions from the SLES maintainer:

Q: Are you following all advisories of the shibboleth consortium (including xmltooling in particular, possibly xml-security and xerces, etc.) so that all dependencies stay on a secure patch level? -> is there a guarantee that we don’t have to worry if we use the shibboleth-sp package from SLES?
A: Yes, our security team is tracking all incoming advisories and we backport security patches for all affected versions in our products. We currently support the following packages that are connected to the shibboleth stack: log4shib, opensaml, shibboleth-sp, xml-security-c and xmltooling.

Q: Will the shibboleth-sp be maintained in future releases (like SLES 15 and ongoing)?
A: Yes, the current version of shibboleth-sp in SLES-15 is 2.6.1 and currently, we plan to support it in the upcoming SLES-15 service packs as well.

Q: What is the schedule for adapting the current 3.x branch of shibboleth?
A: Usually, we don't update packages to new versions in service packs until the update is really necessary. But as Shibboleth 2.x has reached its EOL and upstream is also no longer willing to support SLE, we may update the shibboleth stack in the next SLES-15 service pack (SLES-15-SP3). But this possibility needs to be properly investigated and evaluated.

I think this concludes that discussion topic. Thanks to everybody for contributing to it.

Robert

