===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2013.0862
        Shibboleth Service Provider Security Advisory [18 June 2013]
                               19 June 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Shibboleth Service Provider
Publisher:         Shibboleth
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2013-2156
Reference:         ESB-2013.0857

Original Bulletin:
   http://shibboleth.net/community/advisories/secadv_20130618.txt

- --------------------------BEGIN INCLUDED TEXT--------------------

Shibboleth Service Provider Security Advisory [18 June 2013]

An updated version of the Shibboleth Service Provider software is now
available which includes an updated version of a dependency that corrects
a security issue. Platforms on which xml-security-c is an OS-supplied
component, such as Debian Linux, will need to ensure their vendor has
supplied an updated package to correct the issue.

Shibboleth SP heap overflow processing InclusiveNamespace PrefixList
====================================================================
The Apache Santuario XML Security for C++ library contained a heap overflow
in the processing of XML content related to the verification of signed XML
such as SAML assertions. This could in the worst case lead to the possibility
for a remote, unauthenticated attacker to cause arbitrary code execution
within the shibd process.

The SP software is not the source of the vulnerability, and the fix required
is contained solely in the xml-security-c library. However, packaging and
binary compatibility considerations typically mean that older versions cannot
always be fixed without upgrading (unless built by hand). The version of
xml-security-c containing the fix is V1.7.1.

That vulnerability has been published as CVE-2013-2156.

Recommendations
===============
Ensure that V1.7.1 or later of the xml-security-c library is used.

For Windows installations, V2.5.2 of the Shibboleth SP is now available and
contains updates to several libraries, including this fix. All V2.5.x
installations should be upgradeable to this release. Older Windows versions
have been unsupported since late 2012 and are not upgradeable without
removing them and installing V2.5.2.

Linux installations relying on official RPM packages can upgrade to the latest
package versions to obtain the fix. If your system already includes V1.7.0 of
the xml-security-c library, then you MAY address the issue by updating only
that package. Shibboleth and OpenSAML packages built against older versions,
such as V1.6.x, will not be binary-compatible with the newer version.

Sites that have deployed by building their own copy of xml-security-c should
ensure that they upgrade to V1.7.1 of that package, or patch older versions
as desired.

Sites that rely on an OS-supplied version of xml-security-c will need to
contact their OS vendor for a fixed version, or manually build a new or
patched version.

Credits
=======
Thanks to James Forshaw of Context Information Security for reporting the
issue to the Apache Santuario project.
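A check for the recommendation above, added here as an example (it is not part of the advisory or of the Shibboleth project): it reads the installed xml-security-c version from the package manager, strips the distribution release suffix and compares the result with V1.7.1. The rpm, dpkg and pkg-config package names it queries are assumptions.

```shell
#!/bin/sh
# Added example, not part of the Shibboleth/AusCERT advisory: report whether the
# installed xml-security-c is at or above V1.7.1, the release that fixes
# CVE-2013-2156. The package and pkg-config names used below are assumptions.
FIXED_VERSION="1.7.1"

# version_ge A B: succeed when dotted version A >= B, compared numerically over
# four fields; missing fields count as 0, so "1.7" equals "1.7.0".
version_ge() {
    a="$1.0.0.0"; b="$2.0.0.0"; i=1
    while [ "$i" -le 4 ]; do
        fa=$(printf '%s' "$a" | cut -d. -f"$i"); fa=${fa:-0}
        fb=$(printf '%s' "$b" | cut -d. -f"$i"); fb=${fb:-0}
        if [ "$fa" -gt "$fb" ]; then return 0; fi
        if [ "$fa" -lt "$fb" ]; then return 1; fi
        i=$((i + 1))
    done
    return 0
}

# normalize_version RAW: reduce a distro version such as "1.7.1-1.el6" or
# "1.7.1-2+deb7u1" to the upstream form "1.7.1" (cut at the first non [0-9.]).
normalize_version() { printf '%s\n' "$1" | sed 's/[^0-9.].*$//'; }

# xmlsec_fixed RAW: succeed when this xml-security-c version contains the fix.
xmlsec_fixed() { version_ge "$(normalize_version "$1")" "$FIXED_VERSION"; }

# installed_xmlsec_version: print the installed version from the first of rpm,
# dpkg or pkg-config that knows the library; fail if none does.
installed_xmlsec_version() {
    v=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' xml-security-c 2>/dev/null) \
        && [ -n "$v" ] && { printf '%s\n' "$v"; return 0; }
    v=$(dpkg-query -W -f='${Version}\n' 'libxml-security-c*' 2>/dev/null | grep . | head -n1)
    [ -n "$v" ] && { printf '%s\n' "$v"; return 0; }
    v=$(pkg-config --modversion xml-security-c 2>/dev/null) \
        && [ -n "$v" ] && { printf '%s\n' "$v"; return 0; }
    return 1
}

main() {
    v=$(installed_xmlsec_version) \
        || { echo "xml-security-c: not found via rpm, dpkg or pkg-config" >&2; return 2; }
    if xmlsec_fixed "$v"; then echo "xml-security-c $v: fixed (>= $FIXED_VERSION)"; return 0; fi
    echo "xml-security-c $v: vulnerable to CVE-2013-2156, upgrade to $FIXED_VERSION or later"
    return 1
}

# Live check only when invoked with --check; sourcing the file just defines the functions.
[ "${1:-}" = "--check" ] && main
```

Run it as `sh check_xmlsec.sh --check`; exit status 0 means fixed, 1 means an upgrade is required, 2 means the library was not found by any of the three tools.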
URL for this Security Advisory:
http://shibboleth.net/community/advisories/secadv_20130618.txt

URL for the vulnerability:
http://santuario.apache.org/secadv.data/CVE-2013-2156.txt

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the appropriate
person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures.
AusCERT takes no responsibility for consequences which may arise from
following or acting on information or advice contained in this security
bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.