Page tree
Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 18 Next »

This page provides easier access to the complete history of Security Advisories released for the Shibboleth V2 software products and an "at a glance" table showing you which releases are vulnerable to what kinds of issues. If you're running a particular version, you can use this table to identify the issues that could affect your system and determine how urgent an upgrade is. In addition to the announce mailing list, you can "watch" this page for changes to keep abreast. Pages exist describing briefly how to check the IdP or SP version you have.

As always, sites are advised to use the latest stable release of any Shibboleth product. Refer to the ProductVersioning page for information about our support and versioning policies. The Home page identifies the specific versions recommended at a given point in time

This page only covers advisories affecting the V2 products. Older advisories affecting only V1 software are not listed here, but you can find the complete set of advisories going back to the original software in this directory. All V1 software has been end-of-life for several years now and any such deployments should be treated as highly suspect.

Obviously not all vulnerabilities are created equal, and the classifications in the matrices are general in nature, and are meant to point you to the relevant advisories to look into.

A particular version will typically be implicated by any advisories noted for it and for any newer versions above it in the tables. Advisories noted for "All" versions should be reviewed by all deployers for relevancy to their deployment.

Identity Provider Vulnerability Matrix

The oldest IdP version unaffected by fixable vulnerabilities is V2.3.6.

VersionEOLUser Data ExposureUser Data AccuracySession HijackingDenial of ServiceRemote ExploitAdvisories
All XX   

2011-10-24, 2011-07-18, 2009-06-19

2.3.8 XX    
2.3.6 - 2.3.7Jul 2012XX    
2.3.2 - 2.3.5Feb 2012XX   2012-02-27
2.3.0 - 2.3.1Jul 2011XX  X2011-07-25
2.2.1May 2011XXX X2011-05-16
2.2.0Jan 2011XXX X2011-01-13
2.1.5Sep 2010XXX X2009-02-24
2.1.1 - 2.1.4Nov 2009XXX X2009-11-04
2.0.0Dec 2008XXX X2008-11-03

Service Provider Vulnerability Matrix

The oldest SP version unaffected by fixable vulnerabilities is V2.4.3 (or more precisely any version using OpenSAML V2.4.3). Newer SP versions require OpenSAML V2.5.2 or later.

VersionEOLUser Data ExposureResource ExposureSession HijackingDenial of ServiceRemote ExploitAdvisories
All X    

2011-10-24

2.5.1    X 2013-01-10
2.5.0Dec 2012X  X 2013-01-10
2.4.3Nov 2012X  XX2012-04-19
2.4.0 - 2.4.2Jul 2011XX XX2011-07-25, 2011-07-06
2.3.0 - 2.3.1Dec 2010XX XX 
2.2.1Nov 2009XXXXX2009-11-04, 2009-08-26
2.2.0Aug 2009XXXXX2009-08-17
2.0.0 - 2.1.0Jun 2009XXXXX2009-06-15

Advisory List

DateTitleAffectsSeverityCVE
2013-01-10

Shibboleth SP software crashes on malformed IdP History Cookie

SP w/ libsaml 2.5.0 or 2.5.1low 
2012-04-19

OpenSSL ASN1 BIO vulnerability

SP w/ openssl < 1.0.0ihigh

CVE-2012-2110

2012-02-27Identity Provider LDAPS Connections Do Not Perform Hostname VerificationIDP < 2.3.6high 
2011-10-24Use of XML Encryption Vulnerable to Chosen Ciphertext AttacksSP and IdP, all versionsmedium 
2011-07-25OpenSAML software is vulnerable to XML Signature wrapping attacksIDP < 2.3.2
SP w/ libsaml < 2.4.3
high

CVE-2011-1411

2011-07-18Multi-Session Information Leakage IDP >= 2.1medium 
2011-07-06Shibboleth SP software crashes on large signing/encryption keys SP w/ libxml-security-c < 1.6.1high

CVE-2011-2516

2011-05-16Velocity templates vulnerable to XSS (cross-site scripting) injectionIDP < 2.3.0high 
2011-01-13Shibboleth IdP 2.X Single TransientID Mapped to Multiple PrincipalsIDP < 2.2.1high 
2009-11-04Shibboleth software improperly handles malformed URLsIDP < 2.1.5
SP < 2.3
high

CVE-2009-3300

2009-08-26Shibboleth SP software improperly handles malformed URLsSP w/ libxmltooling < 1.2.2high 
2009-08-17Shibboleth SP software improperly evaluates KeyDescriptorsSP < 2.2.1low 
2009-08-17Shibboleth SP software improperly handles certificate namesSP < 2.2.1 or w/ libcurl < 7.19.6high 
2009-06-19Potential Access to Sensitive Information when Clustering Shibboleth 2.X IdPsIDP, all versions w/ Terracottamedium 
2009-06-15Shibboleth SP software on IIS vulnerable to header spoofingSP < 2.2 w/ IIS, but see thishigh 
2009-02-24Shibboleth IdP 2.X cross-site request attackIDP < 2.2.0high 
2008-11-03Shibboleth IdP 2.0 UsernamePassword Login Handler Vulnerable to Cross-site Request AttackIDP < 2.1.0high 
  • No labels