UbuntuUpdates.org

Package "shibboleth-sp2-utils"

Name: shibboleth-sp2-utils

Description:

transitional package

Latest version: 3.0.4+dfsg1-1ubuntu0.2
Release: focal (20.04)
Level: security
Repository: universe
Head package: shibboleth-sp
Homepage: http://shibboleth.net/

Links


Download "shibboleth-sp2-utils"


Other versions of "shibboleth-sp2-utils" in Focal

Repository Area Version
base universe 3.0.4+dfsg1-1build1
updates universe 3.0.4+dfsg1-1ubuntu0.2

Changelog

Version: 3.0.4+dfsg1-1ubuntu0.2 2021-07-20 03:06:19 UTC

  shibboleth-sp (3.0.4+dfsg1-1ubuntu0.2) focal-security; urgency=high

  * SECURITY UPDATE: Session recovery feature contains a null pointer
    deference (LP: #1926250)
    - debian/patches/SSPCPP-927-Check-for-missing-DataSealer-during-cookie-
      rec.patch: Check for missing DataSealer during cookie recovery
    - https://shibboleth.net/community/advisories/secadv_20210426.txt
    - https://issues.shibboleth.net/jira/browse/SSPCPP-927
    - CVE-2021-31826

 -- Etienne Dysli Metref <email address hidden> Thu, 10 Jun 2021 11:30:02 +0200

Source diff to previous version
1926250 CVE-2021-31826: Session recovery feature contains a null pointer deference
CVE-2021-31826 Shibboleth Service Provider 3.x before 3.2.2 is prone to a NULL pointer dereference flaw involving the session recovery feature. The flaw is exploita

Version: 3.0.4+dfsg1-1ubuntu0.1 2021-04-22 23:06:18 UTC

  shibboleth-sp (3.0.4+dfsg1-1ubuntu0.1) focal-security; urgency=high

  * SECURITY UPDATE: Fix a phishing vulnerability: Template generation
    allows external parameters to override placeholders (LP: #1919419)
    - debian/patches/SSPCPP-922-Add-externalParameters-option-to-Errors-
      element.patch: Add externalParameters option to Errors element
    - https://shibboleth.net/community/advisories/secadv_20210317.txt
    - https://issues.shibboleth.net/jira/browse/SSPCPP-922
    - CVE-2021-28963

 -- Etienne Dysli Metref <email address hidden> Thu, 18 Mar 2021 12:22:53 +0100

1919419 Phishing vulnerability: Template generation allows external parameters to override placeholders
CVE-2021-28963 Shibboleth Service Provider before 3.2.1 allows content injection because template generation uses attacker-controlled parameters.



About   -   Send Feedback to @ubuntu_updates