Is OpenSaml 4.2.0 invulnerable to XSW attack?
Ian Young
ian at iay.org.uk
Tue Jun 7 10:32:50 UTC 2022
> On 2022-06-07, at 11:29, Ian Young <ian at iay.org.uk> wrote:
>
>
>
>> On 2022-06-07, at 10:32, Dimino, Gerlando via users <users at shibboleth.net> wrote:
>>
>> In the provided article they claim that OpenSaml is vulnerable to it and I know that OpenSaml 3.3.0 is vulnerable to it.
>>
>> Looking on the resolved and open issues I was not able to find any information regarding this.
>
> You say that you know OpenSAML 3.3.0 is vulnerable to this, but I'd be interested to know why you think that is the case.
>
> The paper dates to work done in 2011, and the Shibboleth advisory was later that year referencing Shibboleth IdP *2*.3.2. You're not finding that in the V3 documentation because it was well before that, unless I'm confused.
>
> -- Ian
Here's the (archived) advisories page for the V2 products:
https://shibboleth.atlassian.net/wiki/spaces/SHIB2/pages/2582773796/SecurityAdvisories
-- Ian