-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.0765
        Shibboleth Service Provider Security Advisory [11 March 2019]
                               12 March 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Shibboleth
Publisher:         Shibboleth
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-9628

Original Bulletin:
   https://shibboleth.net/community/advisories/secadv_20190311.txt

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Shibboleth Service Provider Security Advisory [11 March 2019]

An updated version of the XMLTooling library that is part of the OpenSAML
and Shibboleth Service Provider software is now available which corrects
a denial of service vulnerability.

This issue has been assigned CVE-2019-9628.

XML parser class fails to trap exceptions on malformed XML declaration
======================================================================
Invalid data in the XML declaration causes an exception of a type that
was not handled properly in the parser class and propagates an unexpected
exception type. This generally manifests as a crash in the calling code,
which in the Service Provider software's case is usually the shibd daemon
process, but can be Apache in some cases.

Note that the crash occurs prior to evaluation of a message's authenticity,
so it can be exploited by an untrusted attacker.

This issue is *not* specific to the V3 XMLTooling software and is believed
to impact all versions prior to V3.0.4.

Recommendations
===============
Update to V3.0.4 or later of the XMLTooling library, which is now available.
The updated version of the library has been included in a V3.0.4 patch
release of the Service Provider software on Windows.

Other Notes
===========
The xmltooling git commit containing the fix for this issue is
af27c422f551e16989ff6f1722d83614c8550eb5 and is in general terms
applicable to V2 of the library.

Credits
=======
Ross Geerlings, University of Michigan

URL for this Security Advisory:
https://shibboleth.net/community/advisories/secadv_20190311.txt

- -----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE3KoVAHvtneaQzZUjN4uEVAIneWIFAlyGW9wACgkQN4uEVAIn
eWLkNg/9EdO+8G7P9dlkZ2MuU+xuVcOqdA3/6A558zfROGtNLqRr4hbHIFBojYY1
1kYFlRmKg1PYD4Ovk1/w7SrAR0STKkxfx/JX2O44pkwb5TnrhFFl6v8x7UZf9BoM
ZMPpryaxpBxVL3dDVu2WIElq7LaaFXk+yP/ynVwQCN3mt6tcHNZ/zB1638+QGr1+
oO7LpyW+/s2UoqcQC6koox/KZ/UTlkgbi9tK8P+p1U1yVDS+72SxTFSmkVWlWlWm
5BO5OXpb+vkP82UMIgZP1vGUqtXiX8XbEUqY29ZkfA1926GOBDwGx7MZ6v7U360I
ODio0F8Y9BBd+q8VoBvDenJqlNWedQotWPu3kD1eaXc1m6723ukKNEAu++Oxcon8
YonIRP1rbSytDS1RgPsklK4Lblr0ZhGZNvTpKgPxthccxAdewbk+8NeL8p6fGluj
wpRoB0L9Ia92f4RNbQKVFH9JZKAbAvK43RQdNM7COf64n/yXB543WL2FIuJGcevE
6wUg760mr/OxjXb3EeBTYxeb2sRlxRahfItT+n2MKLGu63GpJdheHvYewRDrPMB7
tCaelK6+lVg6+cg91nkuLL4zHqANJLm8VD49rjjIoXHmaK5H3QZ8/7cAFjBCnFV4
ur3nN8DMJlW/N9YKtINpF15YWk/TSq8NPtCRpPhp9G7kN5Op7Gw=
=GHcJ
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.
The decision to follow or act on information or advice contained in this
security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies
and procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXIca4WaOgq3Tt24GAQheGRAA3fcBoWUMLbjWCJowkBHACnleMwJWo2nB
q7hQ6XPAsEmBMgrhzHQoFjBsMAFnY8ODGEt/t/t82DL3ehmy3TkMnURKgIt0JLlA
Y3QsjlzMCHfJARhmZi3104kqFvc3KgqLa8FXSoShgwSZveTYyojLEAGE37utYKLX
VqNewCrDWJaburvGOSiiAMmHJkNtmnQWs5wJ6kmTVv60br0pcM1SFNhp8RoyL+TB
jX/k5H/dKJqWdjsSRoyT8fYNVnnvkHwILf49xFwlbaW9qDZbzIK5eQObZzAMR5Nu
qnc3eGaxxUl605h4QVTHS0OFFy1EO8pacCH8H+TnnXcogNXh1Keh4N1tWaaRcXro
OWQaAXOt9JWW5OY+CcL/D19nFc+GAzGMwDfkU4f2yQ31gJrIae08Lst0x3syPFaR
IDqNm7TEx3X63SRgheDx8fapmHoC1km0lwn7s1/BsGniVXpuhLephtNanMamifNk
zX5EJljZQTFYceNT0sSba0oj6HA3/qY0/EvgnFy/LlbCH1dON9ssQV/FpNDQywle
NXbq9glXQIrMdaUSw7ZS8gkDJoqo/GakBhB/qW7BnCTb2jKqeBjligl9deVZD2rD
SlKwS1O6Ff4Xuv0hdCDoeFpf3ihgZzuspDs7UllBAlBlcSJHdadpuX28pM8afVNL
l8qTMoY0gzo=
=yrqf
-----END PGP SIGNATURE-----
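Editor's added example, placed after the signed bulletin so the signed text above stays intact. It is not code from the advisory, from XMLTooling or from the Shibboleth project, and it does not reproduce the fix in commit af27c422f551e16989ff6f1722d83614c8550eb5. It models the bug class the advisory describes: a parser wrapper that traps only the exception type it expects, so a malformed <?xml ...?> declaration in a message that has not yet been authenticated raises a type outside that hierarchy and escapes the handler. The toy declaration parser, the ParseError and DeclarationError types, the Outcome codes and the sample messages are all assumptions constructed for this illustration.

```cpp
// Added example (not XMLTooling or Shibboleth code) modelling the bug class in
// CVE-2019-9628: a parser wrapper that traps only the exception type it expects,
// so a malformed XML declaration in an untrusted message raises a type that
// escapes the handler. The toy declaration parser, the exception names and the
// Outcome codes are assumptions made for this example.
#include <cctype>
#include <iostream>
#include <stdexcept>
#include <string>

struct ParseError : std::runtime_error {            // the type the caller expects
    using std::runtime_error::runtime_error;
};
struct DeclarationError : std::invalid_argument {   // different hierarchy, hypothetical
    using std::invalid_argument::invalid_argument;
};

// Parse the <?xml ...?> pseudo-attributes and return the declared version.
// Throws DeclarationError on a malformed declaration; returns "" if there is none.
std::string parseXmlDeclaration(const std::string& doc) {
    const std::string open = "<?xml";
    if (doc.compare(0, open.size(), open) != 0) return "";
    const std::size_t end = doc.find("?>");
    if (end == std::string::npos) throw DeclarationError("unterminated XML declaration");
    std::string version;
    bool sawVersion = false;
    for (std::size_t pos = open.size(); pos < end;) {
        if (std::isspace(static_cast<unsigned char>(doc[pos]))) { ++pos; continue; }
        const std::size_t eq = doc.find('=', pos);
        if (eq == std::string::npos || eq >= end) throw DeclarationError("pseudo-attribute without '='");
        const std::string name = doc.substr(pos, eq - pos);
        if (name != "version" && name != "encoding" && name != "standalone")
            throw DeclarationError("unknown pseudo-attribute: " + name);
        const char q = doc[eq + 1];                  // eq < end, so eq + 1 is in range
        if (q != '"' && q != '\'') throw DeclarationError("unquoted value for " + name);
        const std::size_t close = doc.find(q, eq + 2);
        if (close == std::string::npos || close >= end) throw DeclarationError("unterminated value for " + name);
        if (name == "version") { version = doc.substr(eq + 2, close - eq - 2); sawVersion = true; }
        pos = close + 1;
    }
    if (!sawVersion) throw DeclarationError("declaration lacks version");
    return version;
}

// Stand-in for the rest of document parsing; it only ever raises ParseError.
void parseBody(const std::string& doc) {
    if (doc.find('<') == std::string::npos) throw ParseError("no element content");
}

enum Outcome { OK = 0, REJECTED_PARSE = 1, REJECTED_OTHER = 2 };

// Vulnerable shape: only ParseError is trapped, so a DeclarationError leaves this
// function. In a daemon with no outer handler that means std::terminate(), and it
// happens before any signature over the message could have been checked.
Outcome handleMessageUnsafe(const std::string& msg) {
    try { parseXmlDeclaration(msg); parseBody(msg); return OK; }
    catch (const ParseError&) { return REJECTED_PARSE; }
}

// Hardened shape: every exception type the parser can raise is converted into a
// rejection at the trust boundary, so untrusted input can only yield an error code.
Outcome handleMessageSafe(const std::string& msg) {
    try { parseXmlDeclaration(msg); parseBody(msg); return OK; }
    catch (const ParseError&) { return REJECTED_PARSE; }
    catch (const std::exception& e) { std::cerr << "rejected: " << e.what() << '\n'; return REJECTED_OTHER; }
}

// Shows the escape without killing the process: true if a type outside the
// ParseError hierarchy propagated out of handleMessageUnsafe for this input.
bool unexpectedTypeEscapes(const std::string& msg) {
    try { handleMessageUnsafe(msg); return false; }
    catch (const std::invalid_argument&) { return true; }
}

int main() {
    const std::string good = "<?xml version=\"1.0\" encoding=\"UTF-8\"?><Response/>"; // constructed sample
    const std::string bad  = "<?xml version=1.0?><Response/>";                          // constructed: unquoted value
    std::cout << "good message, safe handler: " << handleMessageSafe(good) << '\n';
    std::cout << "bad declaration, safe handler: " << handleMessageSafe(bad) << '\n';
    std::cout << "bad declaration, unsafe handler lets the exception escape: "
              << unexpectedTypeEscapes(bad) << '\n';
    return 0;
}
```

The point to check in any wrapper that receives unauthenticated input is the second catch clause: the parse of an attacker-supplied message must not be able to raise anything the boundary does not convert into a rejection, because the crash lands before the signature check that would otherwise have discarded the message.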