-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Shibboleth Service Provider Security Advisory [21 July 2015]

An updated version of the Shibboleth Project's OpenSAML software in C++
is available which corrects a security issue. This issue affects the
operation of the Service Provider software.

Shibboleth SP software crashes on well-formed but invalid XML
====================================================================
The Service Provider software contains a code path with an uncaught
exception that can be triggered by an unauthenticated attacker by
supplying well-formed but schema-invalid XML in the form of SAML
metadata or SAML protocol messages. The result is a crash, and so a
denial of service.

Updated versions of OpenSAML-C (V2.5.5) and XMLTooling-C (V1.5.5) are
available that correct this bug.

This vulnerability has been assigned CVE-2015-0851.

Recommendations
===============
Where possible, upgrade to V2.5.5 or later of the OpenSAML-C library and
to V1.5.5 of the XMLTooling-C library. Correcting this bug requires that
the OpenSAML library be rebuilt against the corrected version of the
XMLTooling-C library, which is normally assured by obtaining updates to
both.

Linux installations relying on official RPM packages can upgrade to the
latest package versions to obtain the fix. The MacPorts have also been
updated.

Windows systems should upgrade to the latest Service Provider release
(V2.5.5), which contains the appropriately updated libraries. [1]

In the interim, a partial mitigation for this issue can be accomplished
by enforcing schema validation of SAML metadata and/or SAML protocol
messages in the SP configuration. This will prevent a crash, but may
result in problems interoperating with metadata or partners that are
currently functioning only because of the more lax validation done by
default. While these are bugs in those metadata sources or peer systems,
they may nonetheless need to be accommodated.
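The distinction the advisory turns on is between XML that is well-formed (the parser accepts it) and XML that is schema-valid (it has the structure the consuming code assumes). The following Python example is added here for illustration; it is not code from the advisory or from the Shibboleth project. It shows how a metadata consumer can separate the two checks so that a well-formed but structurally invalid document is rejected with a result code instead of an uncaught exception. The SAML 2.0 metadata namespace is real; the structural rules applied are a deliberately small, hand-written subset and not the actual SAML metadata schema, and all three sample documents are constructed for this example.

```python
import xml.etree.ElementTree as ET
from xml.etree.ElementTree import ParseError

# Real SAML 2.0 metadata namespace. The rules enforced below are a
# constructed subset for illustration, not the full SAML metadata schema.
MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
ENTITY_DESCRIPTOR = f"{{{MD_NS}}}EntityDescriptor"
SP_ROLE = f"{{{MD_NS}}}SPSSODescriptor"


def check_metadata(xml_bytes):
    """Classify a metadata document as 'malformed', 'invalid' or 'valid'.

    Returns (status, detail). Every failure mode becomes a return value,
    so attacker-supplied input cannot take the caller down with an
    unhandled exception.
    """
    # Step 1: well-formedness. ParseError is the exception the XML parser
    # raises for syntactically broken input; catch it here rather than
    # letting it propagate up to a code path that does not expect it.
    try:
        root = ET.fromstring(xml_bytes)
    except ParseError as err:
        return ("malformed", str(err))

    # Step 2: validity. Well-formed XML can still violate the schema; that
    # is exactly the input class the advisory describes. Check each rule
    # explicitly and report, instead of assuming the structure is present
    # and dereferencing something that is not there.
    if root.tag != ENTITY_DESCRIPTOR:
        return ("invalid", f"unexpected root element {root.tag}")

    entity_id = root.get("entityID")
    if not entity_id:
        return ("invalid", "EntityDescriptor lacks required entityID attribute")

    roles = [child for child in root if child.tag == SP_ROLE]
    if not roles:
        return ("invalid", "no SPSSODescriptor role found")

    for role in roles:
        # protocolSupportEnumeration is required on every SAML role descriptor.
        if not role.get("protocolSupportEnumeration"):
            return ("invalid", "SPSSODescriptor lacks protocolSupportEnumeration")

    return ("valid", entity_id)


# Constructed sample inputs (not real metadata).
VALID = b"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</md:EntityDescriptor>"""

# Well-formed, but missing the required entityID and protocolSupportEnumeration.
INVALID = b"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <md:SPSSODescriptor/>
</md:EntityDescriptor>"""

# Not well-formed: the root element is never closed.
MALFORMED = b'<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">'

SAMPLES = {"valid": VALID, "invalid": INVALID, "malformed": MALFORMED}


def classify_samples():
    """Run every constructed sample through the checker; returns name -> status."""
    return {name: check_metadata(doc)[0] for name, doc in SAMPLES.items()}


if __name__ == "__main__":
    for name, doc in SAMPLES.items():
        status, detail = check_metadata(doc)
        print(f"{name:>9}: {status} ({detail})")
```

The point of the two-step structure is that the second step is where the advisory's bug class lives: a parser accepts the document, and the code that walks it then hits an unexpected shape. Enforcing schema validation up front, as the advisory's interim mitigation does, moves that failure into a controlled rejection, at the cost of also rejecting peers whose metadata was only ever working because it was never validated.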
To enforce schema validation of metadata, you may add an XML attribute,
validate="true", to any element used:

To enforce schema validation of protocol messages, you may add the same
XML attribute to the element in the security-policy.xml file:

...

Credits
=======
Thanks to the InCommon Shibboleth Training team for reporting this issue
and assisting with diagnosis and verifying the fix.

[1] http://shibboleth.net/downloads/service-provider/2.5.5/

URL for this Security Advisory:
http://shibboleth.net/community/advisories/secadv_20150721.txt

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJVtjrdAAoJEDeLhFQCJ3lizZ4QAJ6uiHbtBz2HIoj8osuxNDkE
GgTRtsPIWyjdiqUWnpwdt4la7AzHVUmT1/SKjkvA61PzC3LtUV3cvnISCylF9sGr
d1BNIzQYvSYRppTJfO5O7jDYWXUgOsIGOnb/pCugHA8Dy9svaz0w5nQ5S+F20Y++
ZfRSC2c5iJ+SBzqjpwbYmv0E0Wl9qD26z/54HUatWVAYyY3dAsTahhTZh3krwDyq
lT9Csi62BFdl303DDoYF53yT++PZvhhwZL7vST6fPG+vhBx+YzcW++epjAktnWFR
D/hDeAs5TbyNTKFb2M8AUK8gkyfFbfg7lCBsjNrr8f523W9rRnjVCvfmE2kYUNyD
6HaUEpsNKEpj7FFkPH0UsiDiCypwkOglyJ3BEVZ8a3swDljwRhZHkYc41uXo+5gY
kysniAIfWCopd6nhZKCNh47Ph6aktXkL9et4bg1oOFdafGa8Rr9E0WCRaK36LoU5
XYs8cDeOUD0TNjRFefYwfpPorabVoHMy52/LYylgpD2lgz9uoUkdHHG3wmWzfzhs
z3Ks1PB2SeewwziJ42HgaEz323fAVpQJ8ka5Zt0DpkTOtreX4eVQuE/iqRen9wHm
G9IOaDT0ympZX4oIlzzG4Gu8rCrGaq41fTiBaw3+AkVVbgWMi1P6MX4bt+dxJ4dz
mdlmNV5GGH//lwVo8aq8
=2sno
-----END PGP SIGNATURE-----