-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Shibboleth Service Provider Security Advisory [11 March 2019]

An updated version of the XMLTooling library that is part of the OpenSAML and Shibboleth Service Provider software is now available which corrects a denial of service vulnerability.

This issue has been assigned CVE-2019-9628.

XML parser class fails to trap exceptions on malformed XML declaration
======================================================================
Invalid data in the XML declaration causes an exception of a type that was not handled properly in the parser class and propagates an unexpected exception type. This generally manifests as a crash in the calling code, which in the Service Provider software's case is usually the shibd daemon process, but can be Apache in some cases.

Note that the crash occurs prior to evaluation of a message's authenticity, so it can be exploited by an untrusted attacker.

This issue is *not* specific to the V3 XMLTooling software and is believed to impact all versions prior to V3.0.4.

Recommendations
===============
Update to V3.0.4 or later of the XMLTooling library, which is now available.

The updated version of the library has been included in a V3.0.4 patch release of the Service Provider software on Windows.

Other Notes
===========
The xmltooling git commit containing the fix for this issue is af27c422f551e16989ff6f1722d83614c8550eb5 and is in general terms applicable to V2 of the library.
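The failure mode described above, as an added illustration that is not XMLTooling's, OpenSAML's or Xerces-C's code: a toy parser signals a malformed XML declaration with a library-native exception type that does not derive from std::exception (xercesc::XMLException is a standalone class in the same way), a calling wrapper traps only std::exception, so the native type escapes to the caller, and a hardened wrapper traps the native type and everything else and converts them to one application-level error. The names NativeParseError, ParseFailure, parseDeclaration, vulnerableParse and hardenedParse, and the sample documents, are constructed for the example.

```cpp
// Added illustration, not XMLTooling or Xerces-C code. Models a parser whose
// error on a malformed XML declaration is an exception type the calling code
// never traps, and the wrapper that fixes that.
#include <iostream>
#include <stdexcept>
#include <string>

// Hypothetical library-native exception: deliberately NOT derived from
// std::exception, so a catch (std::exception&) does not see it.
struct NativeParseError {
    std::string message;
};

// Application-level exception the caller actually handles.
struct ParseFailure : std::runtime_error {
    using std::runtime_error::runtime_error;
};

// Toy "parser" (hypothetical): inspects only the XML declaration.
// Throws NativeParseError on a malformed declaration and returns the
// declared version (empty string when there is no declaration).
std::string parseDeclaration(const std::string& doc) {
    if (doc.compare(0, 5, "<?xml") != 0)
        return "";
    std::size_t end = doc.find("?>");
    if (end == std::string::npos)
        throw NativeParseError{"unterminated XML declaration"};
    std::string decl = doc.substr(5, end - 5);
    std::size_t v = decl.find("version=\"");
    if (v == std::string::npos)
        throw NativeParseError{"XML declaration lacks version"};
    std::size_t q = decl.find('"', v + 9);
    if (q == std::string::npos)
        throw NativeParseError{"unterminated version value"};
    std::string version = decl.substr(v + 9, q - v - 9);
    if (version != "1.0" && version != "1.1")
        throw NativeParseError{"unsupported XML version " + version};
    return version;
}

// Vulnerable wrapper: traps only std::exception. A NativeParseError thrown
// by the parser passes straight through to whatever called us; in a daemon
// with no handler further up that is std::terminate, i.e. a crash.
std::string vulnerableParse(const std::string& doc) {
    try {
        return parseDeclaration(doc);
    } catch (const std::exception& e) {
        throw ParseFailure(e.what());
    }
}

// Hardened wrapper: traps the library-native type and anything else, so the
// only exception that can leave this function is ParseFailure.
std::string hardenedParse(const std::string& doc) {
    try {
        return parseDeclaration(doc);
    } catch (const NativeParseError& e) {
        throw ParseFailure("XML parser error: " + e.message);
    } catch (const std::exception& e) {
        throw ParseFailure(e.what());
    } catch (...) {
        throw ParseFailure("unknown error in XML parser");
    }
}

// Classifies what escapes a wrapper for a given document.
enum class Outcome { Parsed, Failed, NativeEscaped, OtherEscaped };

template <typename Fn>
Outcome run(Fn fn, const std::string& doc) {
    try { fn(doc); return Outcome::Parsed; }
    catch (const ParseFailure&) { return Outcome::Failed; }
    catch (const NativeParseError&) { return Outcome::NativeEscaped; }
    catch (...) { return Outcome::OtherEscaped; }
}

const char* label(Outcome o) {
    switch (o) {
        case Outcome::Parsed:        return "parsed";
        case Outcome::Failed:        return "ParseFailure (handled)";
        case Outcome::NativeEscaped: return "native exception escaped";
        default:                     return "other exception escaped";
    }
}

// Constructed sample inputs: a well-formed declaration, one with no "?>"
// terminator, and one with no version, the latter two being the kind of
// input an unauthenticated sender can supply before any signature check.
const std::string kGood      = "<?xml version=\"1.0\" encoding=\"UTF-8\"?><a/>";
const std::string kBad       = "<?xml version=\"1.0\" encoding=\"UTF-8\"<a/>";
const std::string kNoVersion = "<?xml encoding=\"UTF-8\"?><a/>";

int main() {
    for (const std::string* doc : {&kGood, &kBad, &kNoVersion}) {
        std::cout << "vulnerable: " << label(run(vulnerableParse, *doc))
                  << " | hardened: " << label(run(hardenedParse, *doc)) << '\n';
    }
    return 0;
}
```

The point of the hardened wrapper is the boundary: whatever the underlying parser throws, the caller sees exactly one documented type, and a request carrying a malformed declaration turns into an error response rather than a daemon restart.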
Credits
=======
Ross Geerlings, University of Michigan

URL for this Security Advisory:
https://shibboleth.net/community/advisories/secadv_20190311.txt

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE3KoVAHvtneaQzZUjN4uEVAIneWIFAlyGW9wACgkQN4uEVAIn
eWLkNg/9EdO+8G7P9dlkZ2MuU+xuVcOqdA3/6A558zfROGtNLqRr4hbHIFBojYY1
1kYFlRmKg1PYD4Ovk1/w7SrAR0STKkxfx/JX2O44pkwb5TnrhFFl6v8x7UZf9BoM
ZMPpryaxpBxVL3dDVu2WIElq7LaaFXk+yP/ynVwQCN3mt6tcHNZ/zB1638+QGr1+
oO7LpyW+/s2UoqcQC6koox/KZ/UTlkgbi9tK8P+p1U1yVDS+72SxTFSmkVWlWlWm
5BO5OXpb+vkP82UMIgZP1vGUqtXiX8XbEUqY29ZkfA1926GOBDwGx7MZ6v7U360I
ODio0F8Y9BBd+q8VoBvDenJqlNWedQotWPu3kD1eaXc1m6723ukKNEAu++Oxcon8
YonIRP1rbSytDS1RgPsklK4Lblr0ZhGZNvTpKgPxthccxAdewbk+8NeL8p6fGluj
wpRoB0L9Ia92f4RNbQKVFH9JZKAbAvK43RQdNM7COf64n/yXB543WL2FIuJGcevE
6wUg760mr/OxjXb3EeBTYxeb2sRlxRahfItT+n2MKLGu63GpJdheHvYewRDrPMB7
tCaelK6+lVg6+cg91nkuLL4zHqANJLm8VD49rjjIoXHmaK5H3QZ8/7cAFjBCnFV4
ur3nN8DMJlW/N9YKtINpF15YWk/TSq8NPtCRpPhp9G7kN5Op7Gw=
=GHcJ
-----END PGP SIGNATURE-----