Debian Security Advisory
DSA-4038-1 shibboleth-sp2 -- security update
- Date Reported:
- 16 Nov 2017
- Affected Packages:
- Security database references:
- In the Debian bugtracking system: Bug 881857.
In Mitre's CVE dictionary: CVE-2017-16852.
- More information:
Rod Widdowson of Steading System Software LLP discovered a coding error in the
Dynamicmetadata plugin of the Shibboleth Service Provider, causing the plugin to fail configuring itself with the filters provided and omitting whatever checks they are intended to perform.
See https://shibboleth.net/community/advisories/secadv_20171115.txt for details.
For the oldstable distribution (jessie), this problem has been fixed in version 2.5.3+dfsg-2+deb8u1.
For the stable distribution (stretch), this problem has been fixed in version 2.6.0+dfsg1-4+deb9u1.
We recommend that you upgrade your shibboleth-sp2 packages.