Shibboleth Service Provider Security Advisory [10 January 2013]

An updated version of the Shibboleth Project's OpenSAML software in C++ is available which corrects a security issue.

Shibboleth SP software crashes on malformed IdP History Cookie
====================================================================

The Service Provider software supports an option, disabled by default, for tracking the history of Identity Providers used by a client. A particular malformation of this cookie can cause the shibd process to crash while appending the latest value to it, resulting in a denial of service.

An updated version of OpenSAML-C, V2.5.2, is available that corrects this bug. The bug is not present in versions of the library prior to V2.5.0, so older versions of the Service Provider, such as V2.4.3, are unlikely to be affected unless rebuilt against newer libraries.

Note that while the Embedded Discovery Service product we offer also uses a cookie compatible with this feature, the use of a cookie by it is not dependent on this feature within the SP, and does not cause this problem to manifest, nor is its cookie functionality limited by disabling (or more likely leaving disabled) this feature within the SP software.

Recommendations
===============

Where possible, upgrade to V2.5.2 or later of the OpenSAML-C library.

In the interim, you can verify that the "idpHistory" option (found in the shibboleth2.xml element) is unset or false, which disables the use of this cookie. This is the default setting, so unless you enabled it, or applied configuration examples that do so, your system should not be affected.

Linux installations relying on official RPM packages can upgrade to the latest opensaml package version to obtain the fix. An updated Macport is also available. Windows systems can apply a patch package [1] containing the fixed library.
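As an added illustration of the interim check above (this script is not part of the advisory or the Shibboleth project), the following Python scans a shibboleth2.xml for any element whose idpHistory attribute is set to an enabling value, so an operator can confirm the default-off state the advisory relies on. The embedded sample configuration is constructed; the placement of idpHistory on the <Sessions> element, the config namespace and the accepted boolean spellings are assumptions.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample shibboleth2.xml fragment (assumption: idpHistory lives on the
# <Sessions> element and the file uses the SP's native config namespace). This
# sample turns the IdP history cookie ON, i.e. the non-default state the advisory
# warns about.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <ApplicationDefaults entityID="https://sp.example.org/shibboleth">
    <Sessions lifetime="28800" timeout="3600" idpHistory="true" idpHistoryDays="7"/>
  </ApplicationDefaults>
</SPConfig>
"""

# Values treated as "enabled" (assumption: XML-schema style booleans).
ENABLING_VALUES = {"true", "1"}


def idp_history_enabled(xml_text):
    """Return [(element_tag, value), ...] for every element that sets idpHistory
    to an enabling value. An empty list means the cookie feature is off (the
    default), so the malformed-cookie crash path in shibd is not reachable."""
    root = ET.fromstring(xml_text)
    hits = []
    for elem in root.iter():  # walk the whole tree rather than assume one location
        value = elem.attrib.get("idpHistory")
        if value is not None and value.strip().lower() in ENABLING_VALUES:
            tag = elem.tag.rsplit("}", 1)[-1]  # drop the namespace prefix
            hits.append((tag, value))
    return hits


def check_config_file(path):
    """Read a shibboleth2.xml from disk and return the same hit list."""
    with open(path, "rb") as fh:
        return idp_history_enabled(fh.read())


if __name__ == "__main__":
    # Usage: python check_idphistory.py [/path/to/shibboleth2.xml]
    hits = check_config_file(sys.argv[1]) if len(sys.argv) > 1 else idp_history_enabled(SAMPLE_CONFIG)
    if hits:
        for tag, value in hits:
            print(f"idpHistory={value!r} on <{tag}>: history cookie ENABLED; "
                  "upgrade OpenSAML-C to V2.5.2+ or set it to false")
        sys.exit(1)
    print("idpHistory unset or false: history cookie disabled (default)")
```

Run it without arguments to see the constructed sample flagged, or pass the path of a real shibboleth2.xml; a non-zero exit means the cookie feature is enabled and the upgrade is urgent.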
New installs of the SP software (V2.5.1 or newer) will contain the fix (you can verify after installation that your logs indicate the expected OpenSAML version is used).

Credits
=======

Thanks to Dan McLaughlin for reporting this issue and assisting with diagnosis and verifying the fix.

[1] http://shibboleth.net/downloads/service-provider/2.5.1/patches/

URL for this Security Advisory: http://shibboleth.net/community/advisories/secadv_20130110.txt