-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2015.0753
      Shibboleth Identity Provider Security Advisory [26 March 2015]
                               27 March 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Shibboleth Identity Provider
Publisher:         Shibboleth
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade

Original Bulletin: 
   http://shibboleth.net/community/advisories/secadv_20150326.txt

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512


Shibboleth Identity Provider Security Advisory [26 March 2015]

Interrupted HTTP Connections Lead to Denial of Service
=======================================================================

An error handling flaw in V3.0.0 and V3.1.0 of the Shibboleth Identity
Provider software can lead to heap exhaustion and CPU consumption when
connections to the server are interrupted unexpectedly.

This flaw is present in the V3 software only, and does not affect the
older V2 Identity Provider software.

Affected Versions
=================

Versions of the Identity Provider >= 3.0.0 and < 3.1.1


Recommendations
===============

IdP users: Upgrade to IdP V3.1.1 or greater.


References
==========

URL for this Security Advisory
http://shibboleth.net/community/advisories/secadv_20150326.txt


Credits
=======
Walter Hoehn, University of Memphis and Shibboleth Project Emeritus


- --------------------------END INCLUDED TEXT--------------------

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================