===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2012.0392
       Shibboleth Service Provider Security Advisory [19 April 2012]
                               20 April 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Shibboleth
Publisher:         Shibboleth
Operating System:  Windows
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2012-2110

Reference:         ESB-2012.0388

Original Bulletin:
   http://shibboleth.internet2.edu/secadv/secadv_20120419.txt

--------------------------BEGIN INCLUDED TEXT--------------------

Shibboleth Service Provider Security Advisory [19 April 2012]

The OpenSSL team disclosed and patched a security issue in functions
that the Shibboleth Service Provider, and some related libraries,
depend on for key and certificate processing.

We do not have specific knowledge of a vulnerability, but since we
believe this issue could in theory create a problem, we are
highlighting this issue in an advisory of our own, and have updated
the OpenSSL version we provide for Microsoft Windows.

The OpenSSL advisory was assigned CVE-2012-2110 and can be found at
http://www.openssl.org/news/secadv_20120419.txt

Remediation
===========

Updated Windows installer and postinstall ZIP files for V2.4.3 have
been posted that replace the included OpenSSL libraries with
OpenSSL V1.0.0i.

The following files (and their debug siblings) are affected:

\opt\shibboleth\bin\openssl.exe
\opt\shibboleth\lib\libeay32_1_0_0.dll
\opt\shibboleth\lib\ssleay32_1_0_0.dll

Deployers using other platforms should refer to their OpenSSL
technology provider for an update.

URL for this Security Advisory:
http://shibboleth.internet2.edu/secadv/secadv_20120419.txt

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
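
Added example (not part of the Shibboleth advisory or the AusCERT bulletin): a PowerShell check for a Windows Service Provider host that looks for the three files listed under Remediation and classifies the bundled openssl.exe against V1.0.0i. The $Drive parameter, the function name and the sample banners are assumptions made for this example; the advisory gives the paths without a drive letter.

```powershell
# Added example. $Drive is an assumption: the advisory lists the paths
# without a drive letter.
param([string]$Drive = 'C:')

$FixedVersion = '1.0.0i'   # release named in the advisory's Remediation section
$Files = '\opt\shibboleth\bin\openssl.exe',
         '\opt\shibboleth\lib\libeay32_1_0_0.dll',
         '\opt\shibboleth\lib\ssleay32_1_0_0.dll'

function Get-OpenSslStatus {
    # Input: first line of "openssl version", e.g. "OpenSSL 1.0.0h 12 Mar 2012".
    param([string]$Banner)
    if ($Banner -cmatch '^OpenSSL\s+(\d+\.\d+\.\d+)([a-z]*)') {
        $branch = $Matches[1]
        $letters = $Matches[2]
    } else {
        return 'Unparseable banner'
    }
    # The advisory names a fixed release only for the bundled 1.0.0 branch,
    # so other branches are reported as unknown rather than guessed.
    if ($branch -ne '1.0.0') { return "Unknown (branch $branch, see the OpenSSL advisory)" }
    # Within a branch the letter suffix orders releases: none < a < ... < z < za.
    $fixed = $FixedVersion.Substring($branch.Length)
    $older = ($letters.Length -lt $fixed.Length) -or
             ($letters.Length -eq $fixed.Length -and
              [string]::CompareOrdinal($letters, $fixed) -lt 0)
    if ($older) { "Older than $FixedVersion ($branch$letters)" }
    else        { "At or above $FixedVersion ($branch$letters)" }
}

foreach ($rel in $Files) {
    $path = "$Drive$rel"
    if (-not (Test-Path -LiteralPath $path)) { Write-Output "MISSING  $path"; continue }
    $item = Get-Item -LiteralPath $path
    Write-Output ('PRESENT  {0}  modified {1:yyyy-MM-dd}' -f $path, $item.LastWriteTime)
    if ($item.Name -eq 'openssl.exe') {
        $banner = & $path version | Select-Object -First 1
        Write-Output ('         {0} -> {1}' -f $banner, (Get-OpenSslStatus $banner))
    }
}

# Constructed sample banners, so the classification can be seen without an install.
'OpenSSL 1.0.0h 12 Mar 2012', 'OpenSSL 1.0.0i 19 Apr 2012', 'OpenSSL 1.0.1 14 Mar 2012' |
    ForEach-Object { '{0,-28} {1}' -f $_, (Get-OpenSslStatus $_) }
```

Comparing the modification dates of the two DLLs with that of openssl.exe shows whether all three files were replaced by the same update.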