Scheduled maintenance reminder from Sunet Status
Title: Maintenance on metadata servers
Details: Maintenance will be carried out on mds.swamid.se to prepare for future MDQ.
No planned downtime, but disruptions may occur.
Affected Infrastructure:
Components: SWAMID
Locations: Metadata Freshness - IdP transitive, Metadata Freshness - SP transitive, Metadata Freshness - SWAMID 2.0, Metadata Freshness - eduGAIN export
Planned Start: April 3, 2023 10:30 CEST
Expected End: April 3, 2023 15:00 CEST
Status Page: https://status.sunet.se
--
Manage subscription: https://status.sunet.se/pages/subscriber/manage/5f4784a4bc7fae04c8359fc5/63…
> -----Original Message-----
> From: announce <announce-bounces(a)shibboleth.net> On Behalf Of Cantor,
> Scott via announce
> Sent: Thursday, March 30, 2023 5:28 PM
> To: announce(a)shibboleth.net
> Subject: Shibboleth Identity Provider V4.3.1 now available
>
> The Shibboleth Project has released V4.3.1 of the Identity Provider software,
> primarily to address a regression in the RemoteUser login flow [1][2].
>
> A security advisory will be forthcoming about the issue, though the risk in
> practice is not viewed as significant.
>
> The issue does not affect releases prior to V4.3.0.
>
> -- Scott
>
> [1] http://shibboleth.net/downloads/identity-provider/latest/
> [2] https://shibboleth.atlassian.net/wiki/spaces/IDP4/pages/1265631499
FYI...
Pål
> -----Original Message-----
> From: announce <announce-bounces(a)shibboleth.net> On Behalf Of Cantor,
> Scott via announce
> Sent: Thursday, March 30, 2023 5:29 PM
> To: announce(a)shibboleth.net
> Subject: Shibboleth Identity Provider Security Advisory [30 March 2023]
>
> Shibboleth Identity Provider Security Advisory [30 March 2023]
>
> Regression in RemoteUser login flow could lead to impersonation
> ===============================================================
> A regression was introduced into the RemoteUser login flow in
> the Shibboleth Identity Provider software allowing the use of
> a fixed header name to supply the REMOTE_USER value to use.
> In the absence of an actual REMOTE_USER variable or any
> configured servlet request attributes, the code would fall back
> to using a "fixed" header variable name instead of honoring the
> configured set of headers to look at.
>
> Given that this would be immediately obvious while using the
> software (since it would be unable to obtain a value to use and fail),
> it is unlikely this would escape notice, but there is the theoretical
> chance of an unguarded header being accepted as the identity.
>
> Deployments that do not make use of this login flow are unaffected
> (despite the fact that the servlet containing the regression is
> generally active by default).
>
> Affected Versions
> =================
> Version 4.3.0 only of the Identity Provider, when using the
> RemoteUser login flow, either directly, or indirectly via the MFA
> login flow feature.
>
> Recommendations
> ===============
> Upgrade to Identity Provider V4.3.1 or later.
>
> References
> ==========
> URL for this Security Advisory
> http://shibboleth.net/community/advisories/secadv_20230330.txt
>
> Credits
> =======
> Tero Marttila, Funidata Oy
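A minimal model of the lookup order the advisory describes, added here as an illustration; it is not Shibboleth code. The header name `x-example-fixed-user`, the class and field names, and the sample requests are constructed assumptions, since the advisory does not name the fixed header.

```python
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical placeholder: the advisory does not name the fixed header.
FIXED_HEADER = "x-example-fixed-user"

@dataclass
class Request:
    """Constructed model of what the container passes to the login flow."""
    remote_user: Optional[str] = None
    attributes: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)

@dataclass
class FlowConfig:
    """Deployer settings; field names are this model's own."""
    attributes: tuple = ()
    headers: tuple = ()

def _first(source: dict, names) -> Optional[str]:
    return next((source[n] for n in names if source.get(n)), None)

def _header(req: Request, names) -> Optional[str]:
    # HTTP header names are case-insensitive, so compare in lower case.
    lowered = {k.lower(): v for k, v in req.headers.items()}
    return _first(lowered, [n.lower() for n in names])

def resolve_regressed(req: Request, cfg: FlowConfig) -> Optional[str]:
    """Behaviour described for V4.3.0: fixed header, configured set ignored."""
    return (req.remote_user or _first(req.attributes, cfg.attributes)
            or _header(req, (FIXED_HEADER,)))

def resolve_expected(req: Request, cfg: FlowConfig) -> Optional[str]:
    """Expected behaviour: only the deployer's configured headers count."""
    return (req.remote_user or _first(req.attributes, cfg.attributes)
            or _header(req, cfg.headers))

def probe(resolver, cfg: FlowConfig) -> dict:
    """Run constructed requests a deployer could use as a regression check."""
    spoof = Request(headers={"X-Example-Fixed-User": "mallory"})
    proxy = Request(headers={"X-Proxy-User": "alice"})
    container = Request(remote_user="bob", headers=spoof.headers)
    return {"unconfigured_header": resolver(spoof, cfg),
            "configured_header": resolver(proxy, cfg),
            "container_auth": resolver(container, cfg)}
```

With `FlowConfig(headers=("X-Proxy-User",))`, the regressed resolver returns no identity for the configured header, which is the visible failure the advisory mentions, and accepts the unconfigured one.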
Hello SAML friends!
On Monday, April 3, starting at 10:30, maintenance will be carried out on mds.swamid.se to prepare for future MDQ.
No planned downtime, but disruptions may occur.
--
jocar
SWAMID Operations
Hi,
Have you registered <https://www.sunetdagarna.se> for Sunetdagarna? On
April 18–20 we will meet at Mälardalens universitet, Campus Eskilstuna, for
a few packed days on IT infrastructure and digital services for higher
education and research. The programme is available at www.sunetdagarna.se.
Some of the topics covered are:
- Digital campus
- Human reactions in extreme situations
- AI for effective learning
- The EU digital identity wallet
- The “Studentens digitala resa” project
- Sunet data centre for the future
- Open digital resources for student learning
- Network automation and IT security
- Polar Connect – robust network connectivity via the Arctic
- Badges and Microcredentials
- What is Sunet?
- Digital pedagogical competence
Register at www.sunetdagarna.se. Places are limited, so don't wait too
long!
Pål
---------- Forwarded message ---------
From: Cantor, Scott via announce <announce(a)shibboleth.net>
Date: Mon, 13 March 2023 19:51
Subject: Shibboleth Service Provider for Windows V3.4.1.2 available
To: announce(a)shibboleth.net <announce(a)shibboleth.net>
Another patch/service update to the Windows installer for the Service
Provider is available, addressing a security issue in zlib, which is
packaged as part of the software. The issue was disclosed last year but was
overlooked at the time.
I am not aware of any exploits for the issue but am providing the update
out of caution.
-- Scott