Shibboleth Service Provider Security Advisory [17 August 2009]

An updated version of the Shibboleth 2.x Service Provider software is now available which corrects a security issue.

Shibboleth SP software improperly evaluates KeyDescriptors
============================================================

The Shibboleth software supports the use of SAML metadata to identify authentication and encryption keys by means of the KeyDescriptor element. In previous versions, the software was improperly ignoring the "use" attribute and treating all KeyDescriptor elements as valid for both signing/TLS and encryption. In many cases this is a valid assumption, but if specific keypairs were meant to be used for only one of those purposes, weaknesses in the intended security of the deployment could arise.

Deployments are affected only when interacting with SAML 2.0-capable Identity Providers and when their metadata identifies keys for signing or encryption only, by means of the "use" attribute.

This vulnerability does NOT extend to accepting keys that are not present in the metadata.

Recommendations
---------------

Sites using 1.3.x are NOT affected by this issue.

Affected sites using 2.x should upgrade to the latest patched release, 2.2.1.

The vulnerability is actually found in the supporting libraries, and if necessary can be corrected by upgrading only the xmltooling and opensaml libraries to versions 1.2.1 and 2.2.1 respectively.

URL for this Security Advisory:
http://shibboleth.internet2.edu/secadv/secadv_20090817a.txt
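The following is an added illustration, not code from the Shibboleth project, of the metadata check the advisory describes: a KeyDescriptor with a "use" attribute is accepted only for that purpose, while one without "use" is accepted for both. The entityID, key names and metadata document are constructed sample values, and the pre-fix behaviour is modelled as a separate function for comparison.

```python
"""Select keys from SAML 2.0 metadata while honouring KeyDescriptor "use"."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample IdP metadata (hypothetical entityID and key names):
# a signing-only key, an encryption-only key, and one KeyDescriptor with
# no "use" attribute, which SAML metadata treats as valid for both.
SAMPLE_METADATA = """<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.org/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:KeyName>idp-signing-key</ds:KeyName></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:KeyName>idp-encryption-key</ds:KeyName></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor>
      <ds:KeyInfo><ds:KeyName>idp-dual-use-key</ds:KeyName></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def keys_for_use(metadata_xml, purpose):
    """Return KeyNames acceptable for `purpose` ("signing" or "encryption").

    Keys whose "use" names the other purpose are skipped; this is the
    check the advisory says earlier SP versions did not perform.
    """
    if purpose not in ("signing", "encryption"):
        raise ValueError("purpose must be 'signing' or 'encryption'")
    root = ET.fromstring(metadata_xml)
    names = []
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        use = kd.get("use")
        if use is not None and use != purpose:
            continue  # reserved for the other purpose: do not accept it
        name = kd.find("ds:KeyInfo/ds:KeyName", NS)
        if name is not None and name.text:
            names.append(name.text.strip())
    return names


def keys_ignoring_use(metadata_xml):
    """Pre-2.2.1 behaviour per the advisory: every key accepted for every purpose."""
    root = ET.fromstring(metadata_xml)
    path = ".//md:KeyDescriptor/ds:KeyInfo/ds:KeyName"
    return [n.text.strip() for n in root.iterfind(path, NS)]
```

Running `keys_for_use(SAMPLE_METADATA, "encryption")` yields only the encryption and dual-use keys, whereas `keys_ignoring_use` returns all three, which is the over-acceptance the patched libraries correct.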