-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Shibboleth Service Provider Security Advisory [6 July 2011]

An updated version of the Shibboleth Service Provider software is now
available which includes an updated version of a dependency that corrects
a security issue. Platforms on which xml-security-c is an OS-supplied
component, such as Debian Linux, will need to ensure their vendor has
supplied an updated package to correct the issue.

Shibboleth SP software crashes on large signing/encryption keys
===============================================================
The Apache Santuario XML Security for C++ library contained a number of
buffer overflows when signing or verifying XML with larger than typical
asymmetric keys (RSA generally). The usual effect of the overflow is a
crash, and in the case of the SP software, a crash in the shibd daemon.

The SP itself is not the source of the vulnerability, and the fix required
is solely to the xml-security-c library. However, packaging and binary
compatibility considerations typically mean that older versions cannot
always be fixed without upgrading (unless built by hand).

The version of xml-security-c containing the fix is V1.6.1.

That vulnerability has been published as CVE-2011-2516.

Recommendations
- - ---------------
Ensure that V1.6.1 or later of the xml-security-c library is used.

In the interim, a possible workaround for some sites is to disable the
"PKIX" TrustEngine plugin. By default, the SP enables both the
"ExplicitKey" and "PKIX" TrustEngine plugins. Most, but not all, sites are
relying on keys found in metadata and do not need the "PKIX" option
enabled. Because metadata is trusted, it can be presumed not to contain
keys that would trigger the bug.

For Windows installations, V2.4.3 of the Shibboleth SP is now available
and contains updates to several libraries, including this fix.

For those with older versions of V2.4.x installed, the postinstall[1][2]
packages can be used to update the SP as a whole, or if desired just the
xsec_1_6.dll library in the "lib" folder of your installation. Older
Windows installations (prior to V2.4) will NOT be binary compatible with
the xsec_1_6.dll library and should be upgraded to V2.4.3.

Linux installations relying on official RPM packages can upgrade to the
latest package versions to obtain the fix. If your system already includes
V1.6.0 of the xml-security-c library, then you MAY address the issue by
updating only that package. Shibboleth and OpenSAML packages built against
older versions, such as V1.5.x, will not be compatible with the newer
version.

Sites that have deployed by building their own copy of xml-security-c
should ensure that they upgrade to V1.6.1 of that package, or patch older
versions as desired.

Sites that rely on an OS-supplied version of xml-security-c will need to
contact their OS vendor for a fixed version, or manually build a new or
patched version.

Credits
- - --------
Thanks to Paulo Zanoni for reporting the issue to the Apache Santuario
project.

[1] http://shibboleth.net/downloads/service-provider/latest/win32/
[2] http://shibboleth.net/downloads/service-provider/latest/win64/

URL for this Security Advisory:
http://shibboleth.internet2.edu/secadv/secadv_20110706.txt

URL for the vulnerability:
http://santuario.apache.org/secadv/CVE-2011-2516.txt

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (Darwin)

iEYEAREKAAYFAk4VDRkACgkQpXtW80eQXRVdBgCgpc5+s+fcC/hhWCNiv3WLgvGg
sv4AnidwZf4wzaFDxjfzQjOC8W81i9Vr
=Ha5R
-----END PGP SIGNATURE-----
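The following script is an added example written for this page; it is not part of the advisory and not code from the Shibboleth or Apache Santuario projects. It turns the two recommendations above into a check a deployer can run: it compares the installed xml-security-c version against the fixed release V1.6.1, and it inspects a shibboleth2.xml to report whether the "PKIX" TrustEngine is still active (either named explicitly, or implied because no TrustEngine element is configured at all, which per the advisory means the SP default of ExplicitKey plus PKIX). The package names `xml-security-c` (RPM) and `libxml-security-c*` (dpkg), the default path `/etc/shibboleth/shibboleth2.xml`, and the three sample configurations are assumptions and constructed samples; the configuration check is a comment-stripping grep heuristic, not an XML parser.

```shell
#!/bin/sh
# Added example for the xml-security-c / Shibboleth SP advisory (CVE-2011-2516).
# Not project code. Package names, config path and sample configs are assumptions.

FIXED_VERSION="1.6.1"   # first xml-security-c release containing the fix

# version_ge A B: succeed (0) if dotted version A >= B. Missing components
# count as 0, so "1.6" < "1.6.1" and "1.7" > "1.6.1".
version_ge() {
    v1="$1."; v2="$2."
    while [ -n "$v1" ] || [ -n "$v2" ]; do
        a=${v1%%.*}; v1=${v1#*.}
        b=${v2%%.*}; v2=${v2#*.}
        a=${a:-0}; b=${b:-0}
        [ "$a" -gt "$b" ] && return 0
        [ "$a" -lt "$b" ] && return 1
    done
    return 0
}

# xsec_is_fixed VERSION: 0 if the library version is at or above V1.6.1.
xsec_is_fixed() { version_ge "$1" "$FIXED_VERSION"; }

# Best-effort lookup of the installed upstream version ("1.6.1"); prints
# nothing if no package is found (e.g. a hand-built library).
installed_xsec_version() {
    if command -v rpm >/dev/null 2>&1; then
        v=$(rpm -q --qf '%{VERSION}' xml-security-c 2>/dev/null) && { printf '%s\n' "$v"; return 0; }
    fi
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='${Version}\n' 'libxml-security-c*' 2>/dev/null | head -n 1 | sed 's/[-+~].*//'
    fi
    return 0
}

# pkix_status FILE: print "active" or "disabled" for the PKIX TrustEngine.
# Lines are joined so multi-line XML comments can be removed before grepping;
# a commented-out <TrustEngine type="PKIX"/> therefore does not count.
pkix_status() {
    stripped=$(tr '\n' ' ' < "$1" | sed -E 's/<!--([^-]|-[^-])*-->//g')
    if ! printf '%s' "$stripped" | grep -q '<TrustEngine'; then
        echo active      # nothing configured: SP default is ExplicitKey + PKIX
    elif printf '%s' "$stripped" | grep -q 'TrustEngine[^>]*type="PKIX"'; then
        echo active      # PKIX named explicitly, alone or inside a Chaining set
    else
        echo disabled
    fi
}

# Constructed sample configurations (simplified shibboleth2.xml fragments).
SAMPLE_DEFAULT=$(cat <<'EOF'
<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <ApplicationDefaults entityID="https://sp.example.org/shibboleth">
    <!-- No TrustEngine element: the SP default (ExplicitKey and PKIX) applies. -->
    <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
  </ApplicationDefaults>
</SPConfig>
EOF
)
SAMPLE_CHAIN=$(cat <<'EOF'
<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <ApplicationDefaults entityID="https://sp.example.org/shibboleth">
    <TrustEngine type="Chaining">
      <TrustEngine type="ExplicitKey"/>
      <TrustEngine type="PKIX"/>
    </TrustEngine>
  </ApplicationDefaults>
</SPConfig>
EOF
)
SAMPLE_EXPLICIT_ONLY=$(cat <<'EOF'
<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <ApplicationDefaults entityID="https://sp.example.org/shibboleth">
    <!-- Interim workaround from the advisory: metadata keys only.
         <TrustEngine type="PKIX"/> stays out until xml-security-c 1.6.1 is installed. -->
    <TrustEngine type="ExplicitKey"/>
  </ApplicationDefaults>
</SPConfig>
EOF
)

main() {
    v=$(installed_xsec_version)
    if [ -z "$v" ]; then
        echo "xml-security-c: no package found; check a hand-built library's version yourself"
    elif xsec_is_fixed "$v"; then
        echo "xml-security-c $v: at or above $FIXED_VERSION, CVE-2011-2516 is fixed"
    else
        echo "xml-security-c $v: below $FIXED_VERSION, upgrade; interim: disable the PKIX TrustEngine"
    fi
    cfg="${1:-/etc/shibboleth/shibboleth2.xml}"   # assumed default location
    [ -r "$cfg" ] && echo "$cfg: PKIX TrustEngine $(pkix_status "$cfg")"
    return 0
}
main "$@"
```

Run it as `sh check-xsec.sh [path/to/shibboleth2.xml]`. A "disabled" verdict only means PKIX is not configured; it does not by itself make an older library safe, since the advisory notes that only some sites can rely on metadata-sourced keys alone, and the real fix remains upgrading to V1.6.1.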