This page provides easier access to the complete history of Security Advisories released for the Shibboleth V2 software products and an "at a glance" table showing you which releases are vulnerable to what kinds of issues. If you're running a particular version, you can use this table to identify the issues that could affect your system and determine how urgent an upgrade is. In addition to the announce mailing list, you can "watch" this page for changes to keep abreast. Pages exist describing briefly how to check the IdP or SP version you have.
As always, sites are advised to use the latest stable release of any Shibboleth product. Refer to the ProductVersioning page for information about our support and versioning policies. The Home page identifies the specific versions recommended at a given point in time
This page only covers advisories affecting the V2 products. Older advisories affecting only V1 software are not listed here, but you can find the complete set of advisories going back to the original software in this directory. All V1 software has been end-of-life for several years now and any such deployments should be treated as highly suspect.
Obviously not all vulnerabilities are created equal, and the classifications in the matrices are general in nature, and are meant to point you to the relevant advisories to look into.
The matrices below are oriented by minor version rather than by particular release versions. All the advisories impacting a particular minor version (often corrected by patch releases with the same minor version) are collected together. A particular minor version will typically be implicated by any advisories noted for it and for any newer minor versions above it in the tables. Advisories noted for "All" versions should be reviewed by all deployers for relevancy to their deployment.
Identity Provider Vulnerability Matrix
The oldest IdP version unaffected by fixable vulnerabilities is V2.3.6.
|Minor Version||EOL||User Data Exposure||User Data Accuracy||Session Hijacking||Denial of Service||Remote Exploit||Advisories|
2011-10-24, 2011-07-18, 2009-06-19
|2.2||May 2011||X||X||X||X||2011-05-16, 2011-01-13|
|2.1||Sep 2010||X||X||X||X||2009-11-04, 2009-02-24|
Service Provider Vulnerability Matrix
The oldest SP version unaffected by fixable vulnerabilities is V2.4.3 (or more precisely any version using OpenSAML V2.4.3).
|Minor Version||EOL||User Data Exposure||Resource Exposure||Session Hijacking||Denial of Service||Remote Exploit||Advisories|
|2.4||X||X||X||X||2012-04-19, 2011-07-25, 2011-07-06|
|2.2||Nov 2009||X||X||X||X||X||2009-11-04, 2009-08-26, 2009-08-17|