-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Shibboleth Service Provider Security Advisory [2 December 2013]

An updated version of the Curl HTTP client library is available
which corrects a TLS processing mistake introduced in older versions
of the library. Versions of Curl between 7.18.0 and 7.32.0 are affected
by this issue, corrected in 7.33.0.

Refer to the Recommendations section below for specific guidance on
how particular platforms are affected.

Curl library skips TLS server certificate name checking
=======================================================
A bug was introduced several years ago into Curl that caused the
library to, under specialized conditions, ignore the setting that
instructs it to enforce checking of the content of a server's TLS
certificate against the name of the server being contacted.
The Shibboleth SP operates in conditions that trigger this bug.

In most commonly deployed scenarios, this vulnerability does not
have major security implications for deployers. Shibboleth is usually
deployed by embedding specific public key certificates into SAML
metadata for the endpoints with which the SP will communicate with
an IdP. In this case, the name check is superfluous because the key
itself can't be faked.

In a small minority of scenarios, deployers may be relying on indirect
trust evaluation of a server's certificate by embedding the name of a
key into the metadata and specifying Certificate Authority roots of
trust in a Shibboleth-defined extension[1]. In rarer cases, a server
certificate may be part of a chain of trust used to verify remote
sources of metadata; this is not advisable, but is sometimes done in
the absence of a signature over the metadata.

In these rare cases, this issue becomes a critical vulnerablity. If
you are in doubt of your own deployment characteristics, you should
ask for help from the community.

The vulnerability in Curl has been published as CVE-2013-4545.

One additional note: another change made to Curl during the intervening
versions was to implement a more strict form of name checking in which
the presence of a subjectAltName extension in a certificate precludes
the use of the "CN" portion of the subject DN from the check. This can
cause issues with some certificates if the subjectAltName extension is
used to supplement rather than fully replace the use of the CN. The
certificates generated by the Shibboleth software do not have this
problem, but others may. This behavior change is intrinsic to Curl
and is not possible to undo.

Recommendations
===============
Ensure that V7.33.0 or later of the Curl library is used and make sure
server certificates used for TLS do not carry incomplete subjectAltName
extensions.

Where possible, avoid any use of the PKIX trust model at any level and
for any use. It's likely that this trust plugin will be turned off by
default in a future major upgrade because of issues like this one.

Platforms on which Curl is an OS-supplied component, such as most
versions of Linux, will need to ensure their vendor has supplied
an updated package to correct the issue, or (as in the case of Red
Hat 5) provide a version so old that it predates the bug's introduction.

On the Red Hat / CentOS 6 platforms, the Shibboleth Project provides our
own custom build of the libcurl shared library, and the RPM package for
this library has already been updated and published. The version supplied
with the OS is not usable with Shibboleth anyway.

For Windows installations, an updated installer[2] for V2.5.3 of the SP
software has been released that includes the fix.

Updating the SP to V2.5.3 in and of itself is not a fix for this issue.
The updated version has been expedited primarily to facilitate updates
of the libcurl version for Windows installations. Of course, this update
includes additional bug fixes that may be relevant to deployers and
you can review the list of fixes[3].

Credits
=======
Thanks to Scott Koranda of LIGO for reporting the issue to the project,
and thank you to Daniel Stenberg of the Curl project for providing
prompt feedback on the scope of the issue.


URL for this Security Advisory:
http://shibboleth.net/community/advisories/secadv_20131202.txt

URL for the vulnerability:
http://curl.haxx.se/docs/adv_20131115.html

[1] https://wiki.shibboleth.net/confluence/display/SHIB2/PKIXTrustEngine
[2] http://shibboleth.net/downloads/service-provider/latest/
[3] https://wiki.shibboleth.net/confluence/display/DEV/SPRoadmap

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (Darwin)

iQIcBAEBCgAGBQJSnLS4AAoJEDeLhFQCJ3li9fMP/j4No1DC4C7dxISUjzevMplD
HUbNVQ7N2Fvdnob4CnjrmeRTgMxC9qsfWujw1DWdY2jvxrtgCjH3VMxN3xF8XOkH
leTkY1DxPwV4yz1J/ADjG4LitS5amWLXQAlelFjf7/yooP4+Qpu6ncWqAlILC4Vf
qDGRryBv/nfrupIA6PXE7lxelCZa+9MeNEytyEn0AmoA1pD81NNOp8tjtrI7sZR0
AcGexKp7Bcb4Sqp69aWALl4zepY7ZR3WV6NN3FSezV5KNL1VRbaL2NEbx/Gdjd/M
VT9HkRokheTlsRzTmYL+N+WDclPjhdI7X1Cfu7u1Oy1omBXPjg87sKRgzjmmPlqY
BArTJ+Ei/hElnboFANqPGxzlHgIKkd8AVD2pwAau8CNsFKu0jAA8VHXGJ/aAGW20
Ok7C7g2aiKH9Fgt/Xlflc5R89utSgE+Gk/9b6h9q7R/ep9GMsSc1Pa4T4N9XP1mx
ZtzldUKtH0jE3QHcjrj+JahHH/h/bVjsO25SUDeyMOywllPaPIQoWqrwE6l+K/Fb
3PuX61nln9W0ejADAH69c1uAQlzbYKMhkLlsWJLvT5I4Z0+aokMIMirO/jUGhg4B
NCwrWobQjwfFMq2MrUPZFmZ8XeHJk6cr5jlinjDKO/0G9TFT1DOu7M+U9xvJVSKu
AdGSrPn2JVMH7ptmhVSd
=hqvM
-----END PGP SIGNATURE-----