[SECURITY] [DLA 2599-1] shibboleth-sp2 security update

To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 2599-1] shibboleth-sp2 security update
From: Utkarsh Gupta <utkarsh@debian.org>
Date: Fri, 19 Mar 2021 04:42:10 +0530
Message-id: <[🔎] CAPP0f95fPjxpfpOF_0xZoErGmhXp0nUrpMoZsqsijLnAWXGr2w@mail.gmail.com>
Mail-followup-to: debian-lts@lists.debian.org
Reply-to: debian-lts@lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- -----------------------------------------------------------------------
Debian LTS Advisory DLA-2599-1              debian-lts@lists.debian.org
https://www.debian.org/lts/security/                      Utkarsh Gupta
March 19, 2021                              https://wiki.debian.org/LTS
- -----------------------------------------------------------------------

Package        : shibboleth-sp2
Version        : 2.6.0+dfsg1-4+deb9u2
CVE ID         : not yet available
Debian Bug     : 985405

Toni Huttunen discovered that the Shibboleth service provider's template
engine used to render error pages could be abused for phishing attacks.

For additional information please refer to the upstream advisory at
https://shibboleth.net/community/advisories/secadv_20210317.txt

For Debian 9 stretch, this problem has been fixed in version
2.6.0+dfsg1-4+deb9u2.

We recommend that you upgrade your shibboleth-sp2 packages.

For the detailed security status of shibboleth-sp2 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/shibboleth-sp2

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEbJ0QSEqa5Mw4X3xxgj6WdgbDS5YFAmBT3hwACgkQgj6WdgbD
S5Z1tw/9GKE6ptM+ZVOzgspwoYw+ga4DdMepDqCRvFc02SOcrz+qyFM53FuzngZ9
v44iPDVfh6qEIVinhNXk2Kc67EQEFsWXGW0382rSSiX52kehSd5W+yfSQVEvrnXN
/1wv3Iv3v1ae7liFPpI+74mwZTK6m5QulDXPJek1FBxeY8xaAfkjzLqgNdtgYibv
eWGZ4P4Rte//xdkolnPzvqyOCFYBOKto9hQYJgz7zmVWTy5dW3V83c9OT1N7DgTW
Vei+bAtTU1SIpCdm7B032tzOMC3Vl0pmgE09Hzkf+mEIEglNW45dxhIyF8BXY+QS
wPCuQZ/GKWYyMgHLpEdXi1CXTFB9hIXWHYgavroKdDiVXypv9SNZjdYTgyLfQUZz
iW8nCMgmWiJp9V1Xd4ZsK8THjIdbwckLhPaUW6CPVj7c9i/xiO7DX1bhb0Ncp+EC
17bq+2P00RQndXBPLu7KY/JqRxaZ5xWFbvIhZNyvBE20XYm4mVLXPwUcrDRxsf2v
zZR8ilqYu9EQEZtsU87VzCfr3a+BrQ69/NOjvCayfKF2ezHp20jatb/IQlcelG/B
6l9JSLrSsurOciudWsOZzKGxOHzmtgLveqXiUh/hgl8eIm4UeWkI/tAr7BwMTbYP
2lrKxmYTCJ9YP1NiU1cH/4KlwZbLZ2QBYAlohiNVD3jCxka2uCY=
=s8XL
-----END PGP SIGNATURE-----

Reply to:

Prev by Date: [SECURITY] [DLA 2598-1] squid3 security update
Next by Date: [SECURITY] [DLA 2600-1] pygments security update
Previous by thread: [SECURITY] [DLA 2598-1] squid3 security update
Next by thread: [SECURITY] [DLA 2600-1] pygments security update
Index(es):
- Date
- Thread