
Please review these release notes before upgrading your system. You should review all the versions subsequent to the one you're running prior to upgrade.

...

Also be aware of the following issues regarding container or Java compatibility:


4.0.0 and Later

See ReleaseNotes for information on the new major branch of releases.

3.4.7.1 (July 22, 2020)

This is a service release of the Windows installation package in order to address a security issue in Jetty, which has been updated to version 9.4.30. It is unneeded by anyone maintaining their own Java container, which continues to be strongly recommended.

3.4.7 (July 1, 2020)


This is a patch update containing a few bug fixes and an updated version of the Jackson JSON parser to address some security issues. While the IdP is not believed to be vulnerable to the issues, the update was done out of an abundance of caution.

3.4.6 (Oct 2, 2019)


...

  • Anybody copying one of the impacted login flows for private use, either directly or via adaptation into a substantially similar flow.
    • This is something we expect somebody might have done, but it is explicitly not supported: doing so would also involve references to non-API classes that are subject to change at any time, so it is already known to be unsafe across upgrades.
  • Anybody inheriting from the ExternalAuthentication class to provide an alternate concrete implementation of that class for use in a custom login flow.
    • This would be necessary if one were to build an alternate version of an external login flow without using non-public classes. We consider it unlikely because of the first bullet: people are taking the easy way out and copying the flows without regard for the correctness of that approach.
  • Anybody directly instantiating/adding an instance of the ExternalAuthenticationContext class to the profile request context tree.
    • This is also not something we would expect anybody to have done unless they had also duplicated other implementation classes or were, again, using implementation classes directly in an unsupported manner, so it is more likely to be a consequence of one of the first two.

...