Operating System:

[Win]

Published:

20 April 2012

Protect yourself against future threats.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2012.0392
       Shibboleth Service Provider Security Advisory [19 April 2012]
                               20 April 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Shibboleth
Publisher:         Shibboleth
Operating System:  Windows
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2012-2110  

Reference:         ESB-2012.0388

Original Bulletin: 
   http://shibboleth.internet2.edu/secadv/secadv_20120419.txt

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Shibboleth Service Provider Security Advisory [19 April 2012]

The OpenSSL team disclosed and patched a security issue in
functions that the Shibboleth Service Provider, and some
related libraries, depend on for key and certificate processing.

We do not have specific knowledge of a vulnerability, but since
we believe this issue could in theory create a problem, we are
highlighting this issue in an advisory of our own, and have
updated the OpenSSL version we provide for Microsoft Windows.

The OpenSSL advisory was assigned CVE-2012-2110 can be found at
http://www.openssl.org/news/secadv_20120419.txt

Remediation
===========
Updated Windows installer and postinstall ZIP files for V2.4.3
have been posted that replace the OpenSSL libraries included
with OpenSSL V1.0.0i.

The following files (and their debug siblings) are affected:

\opt\shibboleth\bin\openssl.exe
\opt\shibboleth\lib\libeay32_1_0_0.dll
\opt\shibboleth\lib\ssleay32_1_0_0.dll

Deployers using other platforms should refer to their OpenSSL
technology provider for an update.

URL for this Security Advisory:
http://shibboleth.internet2.edu/secadv/secadv_20120419.txt

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (Darwin)

iQIcBAEBCgAGBQJPkHFVAAoJEDeLhFQCJ3liq1gP/1jZPOPitFQ06Vy2AAYINhVs
YpwtWRJWD8qYKyeMuMjRROzh0KJepxzfW9kTYUCUgkfhsY97xrvhRkFr30Z8WcNw
pOr+GQHFqsm4lPXvGXvnpIEi43CCBl1p33ikHxaCspgxlvEnxfeYmXz8nNIvsk6s
uEmzHOoxhfbWQXrUGTVGnhNVlsxhaVbPQmFoIwixx8Nxi2OhA93XeBHmVvA8rBwL
7rFkPdmnDmHF54M0Tt02Ox3Mp/ZYKAtQpXGnFKUIzwm/Bu7/gHdnabHQZxVj4aHc
T7Gya5DmvV4GAvG6cbIecDMSBVgI1lJJzXK4EIxYkhQ4C12TnkoJRLp63Tm+APku
teZUQX49AfhEYiZSEEgbY+Y9odsG8Yqs+kC9RXP6Avmv4Lru0RfqASeBJJY/zLSw
P/n8YnMnit5YY5M0G+hOazBx7DDwYqJlztexkHEdrvuU/OHWOp0Tm/GRkeY7bAPR
e9NN9I12G52U1bXLOtpUiBjAysBJQO4avnlA0TH5e73NNaX6kd04WQLGc17ecSZ6
9Cj73/yDLjgBkGtRB3aDfYRAknkoQ23xQE1X8oj/+kQtdAi+UZ+iLlGJYEHU0sTu
7hkLKo9GIzOw4K45a2PUpe7FnAGu/58AU4I+AMC61Hz143UNuSOuN6uvzO2bsTpd
dfQuFSC6E/2RR+SRMD8y
=vhUC
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBT5DzZO4yVqjM2NGpAQIKpA/+NiJf7Mx8OOuKN/nfj9LKa+XCilQ447Z2
+BHVXroMb5LBA17I9pw+Xb0iVtk4UU1L7k1KEq/heSBumTmXw9oom3KJmFnq9Qpy
NLd+aqv4Crd5S69tZJFmQU/1y28efwQKNUvY1SBO9d53+NaaF34L9CpzrFQejXQ5
3N/oFaxckgqNHycMg5kG2iYwM4n6sMrYUUno7yJWTgcXGSCXQsuI7+KxCqC88quk
SRpsI8PKWkPtGdFl5VkXeyK21g+VF+zyziiSM0S9Mne6Q9rKHReLo19RN3TGU9z+
L6ywEvWb8y1Q8h2Y0lQIikq9fuSrLuqaC+aqe0dVDdx2XYSttgIcDozzu7+7gv6E
5pRW/IjTT6gxAY1EHCNnB88bzgNDi3rNPaEheERCW5KD/iYu5rblLRYYXQ7z+9eN
WAQB6m8ZbzUzXw6XzMlHqi97piDB4waqiDNGxRQ9wp0pm94iIakMfSxpvkD1wC/3
jBvKOCuPcpTBdgfA8yT4peL8EwI3X82GYxo3CAVO0ghV5aFMB5/OgGY+W3Yx++xM
M1dyUwZ/DssZogi4VVb8ujEbASCJLNEMr9tE880TxKFY6mI3jAPVzTXrkEkValTM
sNOEzQHSyAYufY4DOvk8nA079MKrAglGvlxGM0h5NRvEU023k7Wbz5vYiwd/pKmF
cDCqq7sfLDU=
=a+BB
-----END PGP SIGNATURE-----