-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Shibboleth Service Provider Security Advisory [18 June 2013]

An updated version of the Shibboleth Service Provider software is now
available which includes an updated version of a dependency that
corrects a security issue.

Platforms on which xml-security-c is an OS-supplied component, such as
Debian Linux, will need to ensure their vendor has supplied an updated
package to correct the issue.

Shibboleth SP heap overflow processing InclusiveNamespace PrefixList
====================================================================
The Apache Santuario XML Security for C++ library contained a heap
overflow in the processing of XML content related to the verification
of signed XML such as SAML assertions. In the worst case this could
allow a remote, unauthenticated attacker to execute arbitrary code
within the shibd process.

The SP software is not the source of the vulnerability, and the fix
required is contained solely in the xml-security-c library. However,
packaging and binary compatibility considerations typically mean that
older versions cannot always be fixed without upgrading (unless built
by hand).

The version of xml-security-c containing the fix is V1.7.1.

This vulnerability has been published as CVE-2013-2156.

Recommendations
===============
Ensure that V1.7.1 or later of the xml-security-c library is used.

For Windows installations, V2.5.2 of the Shibboleth SP is now available
and contains updates to several libraries, including this fix. All
V2.5.x installations should be upgradeable to this release. Older
Windows versions have been unsupported since late 2012 and are not
upgradeable without removing them and installing V2.5.2.

Linux installations relying on official RPM packages can upgrade to the
latest package versions to obtain the fix. If your system already
includes V1.7.0 of the xml-security-c library, then you MAY address the
issue by updating only that package.
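The following script is an added example for this section, not part of the advisory or of the Shibboleth project. It checks whether an installed xml-security-c is at least V1.7.1, the first release carrying the fix, handling vendor packaging suffixes such as "1.7.1-1.el6". The pkg-config module name "xml-security-c", the RPM name "xml-security-c" and the Debian package pattern "libxml-security-c*" are assumptions about common installs; adjust them for your platform.

```shell
#!/bin/sh
# Added example (not from the advisory): report whether the installed
# xml-security-c contains the CVE-2013-2156 fix (V1.7.1 or later).

XMLSEC_MIN_FIXED="1.7.1"   # first fixed release, per the advisory

# version_ge A B: succeed if dotted version A is >= version B.
# A leading "V" (as the advisory writes versions) is ignored, as is any
# packaging suffix after the numeric components ("1.7.1-1.el6").
version_ge() {
    a_rest=${1#[Vv]}; b_rest=${2#[Vv]}
    while [ -n "$a_rest" ] || [ -n "$b_rest" ]; do
        a_part=${a_rest%%.*}; b_part=${b_rest%%.*}
        case $a_rest in *.*) a_rest=${a_rest#*.} ;; *) a_rest= ;; esac
        case $b_rest in *.*) b_rest=${b_rest#*.} ;; *) b_rest= ;; esac
        # keep only the leading digits of each component; missing -> 0
        a_num=${a_part%%[!0-9]*}; b_num=${b_part%%[!0-9]*}
        a_num=${a_num:-0}; b_num=${b_num:-0}
        if [ "$a_num" -gt "$b_num" ]; then return 0; fi
        if [ "$a_num" -lt "$b_num" ]; then return 1; fi
    done
    return 0
}

# xmlsec_fixed VERSION: succeed if VERSION carries the CVE-2013-2156 fix.
xmlsec_fixed() {
    version_ge "$1" "$XMLSEC_MIN_FIXED"
}

# installed_xmlsec_version: print the installed library version, if any.
# Module and package names below are assumptions for common installs.
installed_xmlsec_version() {
    v=$(pkg-config --modversion xml-security-c 2>/dev/null) \
        && [ -n "$v" ] && { echo "$v"; return 0; }
    v=$(rpm -q --qf '%{VERSION}' xml-security-c 2>/dev/null) \
        && [ -n "$v" ] && { echo "$v"; return 0; }
    v=$(dpkg-query -W -f '${Version}\n' 'libxml-security-c*' 2>/dev/null | head -n 1) \
        && [ -n "$v" ] && { echo "$v"; return 0; }
    return 1
}

main() {
    if v=$(installed_xmlsec_version); then
        if xmlsec_fixed "$v"; then
            echo "xml-security-c $v: contains the CVE-2013-2156 fix (>= $XMLSEC_MIN_FIXED)"
        else
            echo "xml-security-c $v: VULNERABLE, upgrade to V$XMLSEC_MIN_FIXED or later"
            return 1
        fi
    else
        echo "xml-security-c: not found via pkg-config, rpm or dpkg"
    fi
}

main "$@"
```

Run it on each host running shibd; a non-zero exit marks a library still below V1.7.1. Note that a Debian-style backport may carry the fix under an older version number, so for OS-supplied packages the vendor's changelog, not the version string alone, is the authority.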
Shibboleth and OpenSAML packages built against older versions, such as
V1.6.x, will not be binary-compatible with the newer version.

Sites that have deployed by building their own copy of xml-security-c
should ensure that they upgrade to V1.7.1 of that package, or patch
older versions as desired.

Sites that rely on an OS-supplied version of xml-security-c will need
to contact their OS vendor for a fixed version, or manually build a new
or patched version.

Credits
=======
Thanks to James Forshaw of Context Information Security for reporting
the issue to the Apache Santuario project.

URL for this Security Advisory:
http://shibboleth.net/community/advisories/secadv_20130618.txt

URL for the vulnerability:
http://santuario.apache.org/secadv.data/CVE-2013-2156.txt

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (Darwin)

iQIcBAEBCgAGBQJRv9B5AAoJEDeLhFQCJ3linf8QAKmeLXkyNmtDImj4syoVLAuW
HKKxBVvULWA9qwnDDihhLckKLcH9hVNGJRzdi9Ou3ZscSIpLcwPtCzADqk8K4bqL
BiDmgjeaod7yQnJjQPfFgiECdPkUjhCM45l14z9gDkUXiu/JoKh+znOa2uliBwEu
DAG3t23CJ4xRMS8Z6ojDBM3giKY1tx2KpctNAxayS6QBZmR1sXvRzygi2yrQTKJZ
zLgtxRihDSpmhbaqDBzOgeU6cTB/1/3RwcKB7/yONwhzrAsOuHPs+j1G4bjhAgmu
+6kk+L3I9Tdr1HF0/68XhLwGnBSSfB9KOearsUwDNm1OG9E5FTOv9axDR86CjZjS
1mpZzjafyhnuPgf0YA8dOpYvHHahUZQsDJDU/BB6/34mAuVPy5M9Gcq4wSm+yqKY
/XTt5WiPTEs6CPon4oOsB/Hxc4Kjj6HEaQPHMTL6Pj9zhhmtl3MrlmvvfKu8/FZ0
dvM3yLA3JBWkcNitwX1OyYVQL4lbGUFToX35tZcAtuMtNCz3MaF2mIW5Wf7r+cJ0
eD7twyMqaoVimp2kUJ6EsHiBLTwjfRXiCNAQLAfbY0/1vZvGnszrUgGaQF/ASISy
MzteVOyd+GZD72n67v8ilB1/gKa/EGyl0HJUu8P6uxI4v7MvLrtywC2h3ZrDO8yj
Zw2ZgJaebfqZbXI57vBg
=TVRM
-----END PGP SIGNATURE-----