
group.of.nepali.translators team mailing list archive

[Bug 1732606] Re: CVE-2017-16852 Shibboleth Service Provider Security Advisory [15 November 2017]
Was fixed in Bionic
---

opensaml2 (2.6.1-1) unstable; urgency=high

  * [0c08870] New upstream release (2.6.1)
    Security fix for CVE-2017-16853:
    Rod Widdowson of Steading System Software LLP discovered a coding error in
    the OpenSAML library, causing the DynamicMetadataProvider class to fail
    configuring itself with the filters provided and omitting whatever checks
    they are intended to perform.
  * [0795c42] Refresh our patches
  * [1f742ec] Update Standards-Version to 4.1.1 (no changes needed)
  * [5bed74f] Bump XMLTooling dependency version to 1.6.
    This isn't strictly required, but the stack is always updated in
    lockstep, so why not follow the upstream spec file in this respect.

 -- Ferenc Wágner <wferi@xxxxxxxxxx>  Mon, 20 Nov 2017 10:46:24 +0100

** Changed in: opensaml2 (Ubuntu)
       Status: Incomplete => Fix Released

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1732606

Title:
  CVE-2017-16852 Shibboleth Service Provider Security Advisory [15 November 2017]

Status in opensaml2 package in Ubuntu:
  Fix Released
Status in shibboleth-sp2 package in Ubuntu:
  Fix Released
Status in opensaml2 source package in Trusty:
  Fix Released
Status in shibboleth-sp2 source package in Trusty:
  Triaged
Status in opensaml2 source package in Xenial:
  Fix Released
Status in shibboleth-sp2 source package in Xenial:
  Triaged

Bug description:
  The developers of the Shibboleth SP have released a security advisory
  that affects all current versions of shibboleth-sp prior to V2.6.1.
  This includes the versions currently available for all releases of
  Ubuntu.

  The full text of the advisory is available at
  https://shibboleth.net/community/advisories/secadv_20171115.txt

  The vulnerability allows a remote attacker to bypass security checks
  on dynamically loaded metadata, a scenario that's commonly used in
  federated environments, and thus a likely use-case for this package.
  It is likely that a significant proportion of users of this package
  will be affected.

  From the advisory: "There are no known mitigations to prevent this
  attack apart from applying this update. Deployers should take
  immediate steps, and may wish to disable the use of this feature until
  the upgrade is done."
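As an added illustration (not part of the bug report or the Shibboleth project's own documentation), the kind of Shibboleth SP 2.x shibboleth2.xml fragment this advisory concerns: a Dynamic metadata provider whose MetadataFilter elements are the checks that an unpatched OpenSAML DynamicMetadataProvider silently failed to apply. The MDQ hostname and certificate file name are placeholders.

```xml
<!-- Dynamic (per-entity, on-demand) metadata resolution; the scenario the
     advisory describes as "dynamically loaded metadata". -->
<MetadataProvider type="Dynamic" ignoreTransport="true">
    <!-- Placeholder MDQ endpoint; $entityID is substituted at lookup time. -->
    <Subst>https://mdq.example.org/entities/$entityID</Subst>

    <!-- Signature check over the fetched metadata against a trusted
         federation signing key (placeholder file name). Before the fix
         (opensaml2 < 2.6.1 / shibboleth-sp < 2.6.1) this filter was
         configured but not applied, so unsigned or attacker-supplied
         metadata passed through unchecked. -->
    <MetadataFilter type="Signature" certificate="mdq-signer.pem" verifyBackup="false"/>

    <!-- Rejects metadata without validUntil, or valid for longer than 28 days,
         limiting how long a fetched document stays trusted. Also silently
         dropped on unpatched versions. -->
    <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
</MetadataProvider>
```

Because the filters were never wired in, no configuration change restores the checks; the only remediation is upgrading to the fixed packages (or, per the advisory, temporarily removing the Dynamic provider until the upgrade is done).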
