Page tree

Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

This page provides access to the complete history of Security Advisories released for the Shibboleth V3 Service Provider and an "at a glance" table showing you which releases are vulnerable to what kinds of issues. If you're running a particular version, you can use this table to identify the issues that could affect your system and determine how urgent an upgrade is. In addition to the announce mailing list, you can "watch" this page for changes to keep abreast.

You can determine the exact version you're running based on the shibd.log during startup.

Note

If you would like to report an issue you believe is security related,

...

please drop an e-mail to security@shibboleth

...

.net

...

As always, sites are advised to use the latest stable release of any Shibboleth product. Refer to the ProductVersioning page for information about our support and versioning policies. The Home page identifies the specific versions recommended at a given point in time

...

The oldest SP 3 version unaffected by fixable vulnerabilities is 3.0.3 used with xml-security-c >= 2.0.22.2.

VersionEOLUser Data ExposureResource ExposureSession HijackingDenial of ServiceRemote ExploitAdvisories
All
XX
XX

2018-08-03, 2018-01-23, 2014-04-09, 2011-10-24

3.2.2






3.2.1Apr 2021


X
2021-04-26
3.2.0Mar 2020


X
2020-03-17
3.1.0Dec 2020


X
2020-08-31
3.0.4Apr 2020


X

3.0.3Mar 2019


X
2019-03-11
3.0.2Dec 2018


X
2018-12-19a
3.0.1Aug 2018XX
XX
3.0.0Jul 2018


X

Advisory List

DateTitleAffectsSeverityCVE
2021-04-26

Session recovery feature contains a null pointer deference

SP < 3.2.2moderate
2020-03-17

Template generation allows external parameters to override placeholders

SP < 3.2.1moderate
2020-08-31IIS module fails to trap exceptions raised by network socket failuresSP for Windows IIS7+ module < 3.1.0.2moderate
2019-03-11

XML parser class fails to trap exceptions on malformed XML declaration

SP w/ libxmltooling < 3.0.4moderateCVE-2019-9628
2018-12-19

Shibboleth SP software crashes on malformed date/time content

SP < 3.0.3moderate
2018-08-03

Shibboleth SP software crashes on malformed KeyInfo content

SP w/ libxml-security-c < 2.0.2high
2018-01-23Implications of ROBOT TLS vulnerabilityAllhigh
2014-04-09OpenSSL "Heartbleed" vulnerability

SP or IDP w/ OpenSSL 1.0.1 - 1.0.1f

very high

CVE-2014-0160

2011-10-24Use of XML Encryption Vulnerable to Chosen Ciphertext AttacksSP and IdP, all versionsmoderate