27 March 2015
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2015.0753
        Shibboleth Identity Provider Security Advisory [26 March 2015]
                               27 March 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Shibboleth Identity Provider
Publisher:         Shibboleth
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade

Original Bulletin:
   http://shibboleth.net/community/advisories/secadv_20150326.txt

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Shibboleth Identity Provider Security Advisory [26 March 2015]

Interrupted HTTP Connections Lead to Denial of Service
=======================================================================
An error handling flaw in V3.0.0 and V3.1.0 of the Shibboleth Identity
Provider software can lead to heap exhaustion and CPU consumption when
connections to the server are interrupted unexpectedly.

This flaw is present in the V3 software only, and does not affect the
older V2 Identity Provider software.

Affected Versions
=================
Versions of the Identity Provider >= 3.0.0 and < 3.1.1

Recommendations
===============
IdP users: Upgrade to IdP V3.1.1 or greater.
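As an added example (not part of the AusCERT bulletin or the Shibboleth advisory), the following Python script turns the affected range stated above (>= 3.0.0 and < 3.1.1) into a check an operator can run against their own IdP fleet. It reads the version from the text of an IdP V3 status page; the status-page content embedded here is constructed sample data, and the assumption that the page reports the version on an "idp_version:" line is mine, not something the advisory states.

```python
import re
from typing import Optional, Tuple

# Affected range taken from the advisory: >= 3.0.0 and < 3.1.1
AFFECTED_MIN = (3, 0, 0)
FIXED_VERSION = (3, 1, 1)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a version string such as '3.1.0' or '3.1.1-SNAPSHOT' into a
    comparable (major, minor, patch) tuple; missing components count as 0.
    Raises ValueError on anything that is not dotted integers."""
    core = text.strip().split("-")[0]  # drop qualifiers such as -SNAPSHOT
    nums = []
    for part in core.split("."):
        if not part.isdigit():
            raise ValueError(f"unparseable version component {part!r} in {text!r}")
        nums.append(int(part))
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums[:3])


def is_affected(version: str) -> bool:
    """True when the version falls inside the advisory's affected range."""
    return AFFECTED_MIN <= parse_version(version) < FIXED_VERSION


# Constructed sample of an IdP V3 status page. Hypothetical content; the only
# line this code relies on is the 'idp_version:' key, which is an assumption
# about the status page format rather than something the advisory documents.
SAMPLE_STATUS_PAGE = """\
### Operating Environment Information
operating_system: Linux
operating_system_version: 3.10.0
java_version: 1.8.0_40

### Identity Provider Information
idp_version: 3.1.0
start_time: 2015-03-27T09:12:44.000Z
current_time: 2015-03-27T10:00:01.000Z
uptime: 2837000 ms
"""


def extract_idp_version(status_text: str) -> Optional[str]:
    """Pull the reported IdP version out of status-page text, or None."""
    match = re.search(r"^idp_version:\s*(\S+)", status_text, re.MULTILINE)
    return match.group(1) if match else None


def assess(status_text: str) -> dict:
    """Combine version extraction and the range check into one verdict,
    with the advisory's recommendation as the action to take."""
    version = extract_idp_version(status_text)
    if version is None:
        return {"version": None, "affected": None,
                "action": "could not determine version; check manually"}
    affected = is_affected(version)
    return {
        "version": version,
        "affected": affected,
        "action": ("upgrade to IdP V3.1.1 or greater" if affected
                   else "not affected by this advisory"),
    }


if __name__ == "__main__":
    # Running stand-alone assesses the constructed sample page.
    print(assess(SAMPLE_STATUS_PAGE))
```

The range check deliberately treats anything below 3.0.0 as unaffected, matching the advisory's statement that V2 is not affected, and anything at or above 3.1.1 as fixed; a version with an unexpected format raises rather than silently passing, so a fleet scan cannot report "not affected" for a host whose version it could not actually read.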
References
==========
URL for this Security Advisory
http://shibboleth.net/community/advisories/secadv_20150326.txt

Credits
=======
Walter Hoehn, University of Memphis and Shibboleth Project Emeritus

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJVFA5RAAoJEDeLhFQCJ3liMakQALOxLqqoREihwktbYT2rUKkt
6HdpmfhdhVaTpMv4JzvewhSvqdWp1zV5s26lmb6myGvNExovc5dRtohdf/E0ZI8N
b46e8oHJtx9bGBqsdh/yeJuBhpuzUxQSyQRTJcfAaZojHQtMVUDHLlWpTpdIsd2w
LyN3naF0l3P0qrRtSbO02RYyg3W/fOzDKz27YDIGD7rz7Jo95KyVoBQJDdBruqso
laxvUx1c1fQVbEtMF6owGFXyDY1LkGVMM3NKo6MR4k+0tPB/mI5+gVxzVdsGVAhs
oJlrL5HbzQ+lIwf48RPIIl7PnZqzhHqc6sLRrUFHmhR3ygRq8BzEo/taM6hn2V0m
p95RLdaxnlO4LH/Moj9g0H/uQK88fsit9L60usboHjmeupJCAOcqa3jttKFX2Ezo
ee8fo6hDP743hi0z0ik4Mr7dFoo1ShRO+vBLAszV5ngz3s9hQurdM2qdQ2ZEAHhZ
fCYJD5IluPxfDDvttqIKrlrxG2JDFvNHytwNPy8RLwUg0O/Ir3fmzkeyWwKdT6Nl
SyNgnuXDUiH1qRCHSPMYkR/E6vEsIKXH3D5mdniornYGAXXhAhhG38AfsaOBocDk
q0I59fYCVXiQnmRMudImYAod1khsZP1T5x4tGjwCZp6fNwRjU2X5G8MeIXoNDiba
mk/l+0PyD9rMLhPJj8Ob
=bXTf
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to email@example.com
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures.
AusCERT takes no responsibility for consequences which may arise from
following or acting on information or advice contained in this security
bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: firstname.lastname@example.org
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBVRSTKhLndAQH1ShLAQI7gxAAptqcpU6ptpKBmPeUKuC7HBXiVgC5ni2k
D2/OdlPJOwWScwtelZGbrv09z6UlJZzKqR10j6eMuv4HcuqQUyw/5fqrZDFViorV
wpURg4IzmFooadpOHe5+kJZs7knBUC7HEQlZsFz9IgbuDxZGSa9C535Xaoq+MHha
per70IxOLnWMhBY5/sBM7Omp9NuQOJoG0wU1mhndjKbNcTZOplts7V+uOdjEiCAk
F7KVtFG1Ox36Vqtn/WpSvgGVRCeotjFjGe06absj4o0AhlE+ZKXsvlTtuJCMT594
FsVozlIp/sso9awRwy4jorwNNFWskYdaBNJCDe8qVDPb5rBLB+egX/gO/nJ4nPPt
5uTpKcnTvcBgnWn3DhA/C0/P4qB/RMCtbpT1KqQu+aP9zS+r0z6fWeY3g7/CoMYM
KNTrPj/dzvxLG6ZoyB06KlzUr1fYiVAiFqye/isdYE+urKbdsImLByQkXhuPeeer
MXMDmnrLT1NGZR52fMDe+vOlEEn71edF//keY71adjWuOmH292inS9gKjxP/OTCm
Ds5VaXfMJRMfwiHd6TH9UFaZdzrv5akN5OT8l66lARO7vUqRKT3T3rgZtW8sGc9H
Sv9iGZWwhw/BETSyQPwvT20GNYP4h0QNGr+KhXm/1EmY4VV+BQ598OquweH/bQqw
GasDtJYA+LY=
=s8/x
-----END PGP SIGNATURE-----