This page provides access to the complete history of Security Advisories released for the Shibboleth V3 Service Provider and an "at a glance" table showing you which releases are vulnerable to what kinds of issues. If you're running a particular version, you can use this table to identify the issues that could affect your system and determine how urgent an upgrade is. In addition to the announce mailing list, you can "watch" this page for changes to keep abreast.
You can determine the exact version you're running based on the shibd.log during startup.
If you would like to report an issue you believe is security related,
please drop an e-mail to security@shibboleth
As always, sites are advised to use the latest stable release of any Shibboleth product. Refer to the ProductVersioning page for information about our support and versioning policies. The Home page identifies the specific versions recommended at a given point in time
The oldest SP 3 version unaffected by fixable vulnerabilities is 3.0.3 used with xml-security-c >= 22.214.171.124.
|Version||EOL||User Data Exposure||Resource Exposure||Session Hijacking||Denial of Service||Remote Exploit||Advisories|
2018-08-03, 2018-01-23, 2014-04-09, 2011-10-24
|2021-04-26||SP < 3.2.2||moderate|
|2020-03-17||SP < 3.2.1||moderate|
|2020-08-31||IIS module fails to trap exceptions raised by network socket failures||SP for Windows IIS7+ module < 126.96.36.199||moderate|
|2019-03-11||SP w/ libxmltooling < 3.0.4||moderate||CVE-2019-9628|
|2018-12-19||SP < 3.0.3||moderate|
|2018-08-03||SP w/ libxml-security-c < 2.0.2||high|
|2018-01-23||Implications of ROBOT TLS vulnerability||All||high|
|2014-04-09||OpenSSL "Heartbleed" vulnerability|
SP or IDP w/ OpenSSL 1.0.1 - 1.0.1f
|2011-10-24||Use of XML Encryption Vulnerable to Chosen Ciphertext Attacks||SP and IdP, all versions||moderate|