===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2013.0862
       Shibboleth Service Provider Security Advisory [18 June 2013]
                               19 June 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Shibboleth Service Provider
Publisher:         Shibboleth
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2013-2156  

Reference:         ESB-2013.0857

Original Bulletin: 
   http://shibboleth.net/community/advisories/secadv_20130618.txt

--------------------------BEGIN INCLUDED TEXT--------------------

Shibboleth Service Provider Security Advisory [18 June 2013]

An updated version of the Shibboleth Service Provider software
is now available which includes an updated version of a dependency
that corrects a security issue.

Sites running platforms on which xml-security-c is an OS-supplied
component, such as Debian Linux, will need to ensure their vendor has
supplied an updated package that corrects the issue.


Shibboleth SP heap overflow processing InclusiveNamespace PrefixList
====================================================================
The Apache Santuario XML Security for C++ library contained a heap
overflow in the processing of XML content related to the
verification of signed XML such as SAML assertions. This could in
the worst case lead to the possibility for a remote, unauthenticated
attacker to cause arbitrary code execution within the shibd process.

The SP software is not the source of the vulnerability, and the
fix required is contained solely in the xml-security-c library.
However, packaging and binary compatibility considerations typically
mean that older versions cannot always be fixed without upgrading
(unless built by hand).

The version of xml-security-c containing the fix is V1.7.1.

That vulnerability has been published as CVE-2013-2156.

Recommendations
===============

Ensure that V1.7.1 or later of the xml-security-c library is used.

For Windows installations, V2.5.2 of the Shibboleth SP is now
available and contains updates to several libraries, including this
fix. All V2.5.x installations should be upgradeable to this release.

Older Windows versions have been unsupported since late 2012 and are
not upgradeable without removing them and installing V2.5.2.

Linux installations relying on official RPM packages can upgrade to
the latest package versions to obtain the fix. If your system already
includes V1.7.0 of the xml-security-c library, then you MAY address
the issue by updating only that package. Shibboleth and OpenSAML
packages built against older versions, such as V1.6.x, will not
be binary-compatible with the newer version.

Sites that have deployed by building their own copy of xml-security-c
should ensure that they upgrade to V1.7.1 of that package, or patch
older versions as desired.

Sites that rely on an OS-supplied version of xml-security-c will need
to contact their OS vendor for a fixed version, or manually build a
new or patched version.
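The three upgrade paths above (V1.7.1 or later already fixed, V1.7.0
updatable by replacing only the library package, anything older needing
rebuilt SP/OpenSAML packages) can be checked from an installed version
string. The following script is an added example, not part of the
Shibboleth advisory; it assumes a version string of the form produced by
`rpm -q xml-security-c` or `pkg-config --modversion xml-security-c`.

```shell
#!/bin/sh
# Added example: classify an installed xml-security-c version against the
# CVE-2013-2156 fix level (V1.7.1) following the advisory's upgrade guidance.

# Extract "major.minor.patch" from an rpm-style string such as
# "xml-security-c-1.7.0-1.el6.x86_64" or a bare "1.7.1"; prints nothing
# if no dotted three-part version is present.
xsec_version() {
    printf '%s\n' "$1" \
      | sed -n 's/.*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Print one of: fixed, update-library-only, rebuild-required, unknown.
xsec_status() {
    v=$(xsec_version "$1")
    [ -n "$v" ] || { echo "unknown"; return 0; }
    maj=${v%%.*}
    rest=${v#*.}
    min=${rest%%.*}
    pat=${rest#*.}
    if [ "$maj" -gt 1 ] \
       || { [ "$maj" -eq 1 ] && [ "$min" -gt 7 ]; } \
       || { [ "$maj" -eq 1 ] && [ "$min" -eq 7 ] && [ "$pat" -ge 1 ]; }; then
        echo "fixed"                 # V1.7.1 or later contains the fix
    elif [ "$maj" -eq 1 ] && [ "$min" -eq 7 ]; then
        echo "update-library-only"   # V1.7.0: updating xml-security-c alone may suffice
    else
        echo "rebuild-required"      # e.g. V1.6.x: SP/OpenSAML not binary-compatible with 1.7.x
    fi
}

# Usage on an RPM-based host (skipped where rpm is not available):
if command -v rpm >/dev/null 2>&1; then
    xsec_status "$(rpm -q xml-security-c 2>/dev/null)"
fi
```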

Credits
=======

Thanks to James Forshaw of Context Information Security for reporting
the issue to the Apache Santuario project.


URL for this Security Advisory:
http://shibboleth.net/community/advisories/secadv_20130618.txt

URL for the vulnerability:
http://santuario.apache.org/secadv.data/CVE-2013-2156.txt


--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================