The Shibboleth Project has released a security advisory that highlights a bug corrected in a third-party library that addresses a denial of service vulnerability in the SP. Updated packages are available that correct the issue. Note that this is the first issue that impacts SP V2 that cannot efficiently be addressed by the project, so deployers should plan to upgrade to V3 to correct the issue unless they have a software supplier providing a backported fix.
A second SP patch release has been made available to fix more bugs identified by early adopters and make other library updates available to Windows deployers. Additional patch releases may be warranted as more adoption and testing occurs so please stay tuned to the announce list.
An SP patch release has been quickly made available to fix some major problems identified by early adopters. Additional patch releases may be warranted as more adoption and testing occurs so please stay tuned to the announce list.
The Shibboleth Project has released the first major upgrade to the Service Provider software in a number of years. It is a backward-compatible release designed to be a direct upgrade for existing deployments. This release provides long-awaited support for OpenSSL 1.1 to facilitate availability in newer Linux distributions.
The Shibboleth Project has released a security advisory that involves the XML processing performed by the Service Provider. An xmltooling patch update, V1.6.4, is available that corrects the issue on all platforms.
The Shibboleth Project has released a security advisory that involves the XML processing performed by the Service Provider on a subset of platforms limited to an older version of the Xerces library. An xmltooling patch update, V1.6.3, is available that corrects the issue on platforms not already protected by an updated XML parser.
The Consortium announced a change coming in the near future to the subsidization of technical support via our development team. The change, in brief, is that the Consortium will be funding the development team to provide technical support only to actual members of the Consortium and not to the community at large. An open support list for the community will continue to exist, as will open access to submit bugs and enhancement requests. The development team itself will be free to spend time on behalf of themselves or their other employers to offer support to non-members as they choose. A FAQ explaining both the change and the way this is expected to work is now available. Questions can be sent to any of our mailing lists or via our contact form.
The Shibboleth Consortium board held a pair of webinars on March 29th to outline the state of the consortium's finances and begin to gather input from members and non-members on next steps to address sustainability. The slides from this introductory session are available from http://shibboleth.net/documents/ShibCommunityWebinar-2017-03-29.pdf