===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.2991
      Shibboleth Service Provider Security Advisory [31 August 2020]
                             1 September 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Shibboleth
Publisher:         Shibboleth
Operating System:  Windows
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade

Original Bulletin: 
   https://shibboleth.net/community/advisories/secadv_20200831.txt

--------------------------BEGIN INCLUDED TEXT--------------------

Shibboleth Service Provider Security Advisory [31 August 2020]

An updated version of the "modern" module for Microsoft IIS V7+ is
available which corrects a denial of service vulnerability.

IIS module fails to trap exceptions raised by network socket failures
======================================================================
The modern IIS module contains a flaw: on one particular code path, the
exceptions raised when an attempt to read data from the HTTP client
socket fails are neither caught nor handled.

This manifests as a crash of the IIS worker process along with a
fatal log message in the Windows event log.

Because this condition has been shown experimentally to be triggerable
remotely, it constitutes a potential denial of service exploitable by a
remote, unauthenticated attacker.

This issue is specific to the newer IIS module and does not impact
the older ISAPI filter/extension or the Apache modules or any other
SP integration variants.
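The failure mode above, as an added illustration that is not the Shibboleth SP's code: a native IIS module is hosted in-process, so a C++ exception that escapes the module's request handler is unhandled by the host and takes the worker process down, whereas an exception caught at the module boundary costs only the one request. All types and names below (HandlerResult, readRequestBody, runInHost) are constructed stand-ins for the IIS interfaces.

```cpp
#include <cstdio>
#include <functional>
#include <stdexcept>
#include <string>

// Constructed stand-in for the request-handling boundary of a native IIS module.
// A C++ exception that escapes the handler unwinds into the IIS host, which has
// no handler for it, so the whole worker process (w3wp.exe) terminates.
// All names here are hypothetical; this is not the Shibboleth SP's code.
enum class HandlerResult { Completed = 200, ServerError = 500, WorkerCrashed = -1 };

struct SocketFailure : std::runtime_error {
    using std::runtime_error::runtime_error;
};

// Simulated read from the client socket; a failed read (e.g. the client went
// away mid-request) surfaces as an exception, as a C++ I/O wrapper would raise.
std::string readRequestBody(bool clientAborted) {
    if (clientAborted)
        throw SocketFailure("read from client socket failed");
    return "sample body";
}

// Vulnerable pattern: no exception boundary around the socket read.
HandlerResult handleRequestVulnerable(bool clientAborted) {
    readRequestBody(clientAborted);  // may throw straight into the host
    return HandlerResult::Completed;
}

// Hardened pattern: catch at the module boundary, log, and fail only this request.
HandlerResult handleRequestHardened(bool clientAborted) {
    try {
        readRequestBody(clientAborted);
        return HandlerResult::Completed;
    } catch (const std::exception& e) {
        std::fprintf(stderr, "request failed: %s\n", e.what());
        return HandlerResult::ServerError;
    } catch (...) {  // nothing may escape into the host
        return HandlerResult::ServerError;
    }
}

// Models the host: an exception reaching this level is a process crash, not a 500.
HandlerResult runInHost(const std::function<HandlerResult()>& handler) {
    try {
        return handler();
    } catch (...) {
        return HandlerResult::WorkerCrashed;
    }
}
```

The same aborted read yields WorkerCrashed through the vulnerable handler and a plain ServerError through the hardened one, which is the difference between a process-wide outage and a single failed request.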

Recommendations
===============
Update to V3.1.0.2 or later of the Windows installation package,
which is now available.

The fix is being distributed as a Windows service update (the fourth
digit) rather than a full patch since it is isolated to a DLL specific
to the Windows package.

Other Notes
===========
The cpp-sp git commit containing the fix for this issue is
a2cfc1526b86d36d2afd921a1bf1029e79af4267

Credits
=======
Jos Groot Lipman from Aareon Nederland B.V.


URL for this Security Advisory:
https://shibboleth.net/community/advisories/secadv_20200831.txt


--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================