Hej,

Här kommer en säkerhetsbulletin från Shibboleth. Björn skickade ut förra veckan.

Pål


Från: announce <announce-bounces@shibboleth.net> för Cantor, Scott via announce <announce@shibboleth.net>
Skickat: den 20 mars 2024 13:47
Till: announce@shibboleth.net <announce@shibboleth.net>
Ämne: Shibboleth Identity Provider Security Advisory [2024-03-20]
 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Shibboleth Identity Provider Security Advisory [20 March 2024]

CAS service URL handling vulnerable to Server-Side Request Forgery
==================================================================
The Identity Provider's CAS support relies on a function in the
Spring Framework to parse CAS service URLs and append the ticket
parameter. Spring published an advisory regarding this function
and re-opened the advisory again after their latest release. [1]

Updates for both supported branches of the IdP are being provided
to update the Spring Framework version to address the issue.

Those not using the IdP's CAS protocol support are not impacted
by this issue, though all are encouraged to upgrade at their next
opportunity.

Affected Versions
=================
The Spring Framework bug is found in the versions outlined by
their advisory [1].

This implicates Identity Provider versions < 5.1.1 and < 4.3.2
when CAS is in use.

Recommendations
===============
Upgrade to Identity Provider V5.1.1 or later.
Upgrade to Identity Provider V4.3.2 or later (once available).

References
==========
URL for this Security Advisory
http://shibboleth.net/community/advisories/secadv_20240320.txt

[1] https://spring.io/security/cve-2024-22259

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE3KoVAHvtneaQzZUjN4uEVAIneWIFAmX61gAACgkQN4uEVAIn
eWLhCw/+JnhlEOBaiY+kah3LvDRa19lcAP07KEieQSvAJF5MQ9UsQlbNKdU6UgP8
EvxoSdUb0XEKe3/NSgqtkCdyPDAY3HU+9cmNYOQaw2EemFynKFACeRQctkLTUdTl
C1gdOH9dORH4HCqMMYyXoXfeX+AK4vTh2SUb53K0N/cOg4SWvNB52G7HPzhu0RIU
bOgxTX19DAwbQlcKmO9SguBjw8Ud8r/zmaS3YG4yWRs0cxwd3n4H3vKBPe2dJJk7
eJyeuiY0t3Ogaj4aII1ireaJTTubFRXGbVTejwgKGFpL4YvOaUswjxHqtnNJTuBC
l3d3gaev/kEbg0WJvUD9N2uNQ7WffCY6pJXKQeCR0mHDHG8YiZVj06Jgo+FDJRye
wJnmGP71GoC72BfQawL5tHqZf0r7DmrEY1Xs6Tq5cNlKsyIqb0Md1fcYgQJejsbX
HUbAWUHvetGoDoQk47j1OfkX7LhEU364j/7cnYjjqmmptuoXXQaPAHBDirNFjHM+
DNQ2WDGVUfiUd1aLY1U7UF/9RbB0v/VaOjPg9ExzWN6EooQsaTJfRWyMWMx+dpsF
A/wE6G/up/taaDvVuMvVlKNs/Ue0U2Ew6NfZqHWk00MrUeNSnukvMGqY0/YAWFu+
aB+elhr4prT24Q4c8m0WzVldFhavkSNrt3UVRnRk1KRQy7WfbAE=
=gO7B
-----END PGP SIGNATURE-----


--
To unsubscribe from this list send an email to announce-unsubscribe@shibboleth.net