For your information.

-- 
jocar
SWAMID Operations

Begin forwarded message:

From: "Cantor, Scott via announce" <announce@shibboleth.net>
Subject: Shibboleth Service Provider Windows Service Release
Date: 8 February 2023 at 15:03:47 CET
To: "announce@shibboleth.net" <announce@shibboleth.net>
Cc: "Cantor, Scott" <cantor.2@osu.edu>
Reply-To: users@shibboleth.net

A service patch to the SP Windows installer (V3.4.1.1) is now available. This patch includes an updated version of OpenSSL to address a set of security vulnerabilities disclosed yesterday. While the SP is likely not greatly (if at all) at risk, at least one of them was quite nasty so I updated it as a precaution.

The patch release is available from the usual location. [1]

The Release Notes [2] also highlight the fact that it's a strong suggestion at this point for any SP deployments to make sure the PKIX TrustEngine support is disabled, as it is essentially unused at this point but was left enabled implicitly for compatibility. Including it adds a lot of unnecessary attack surface and turning it off is a simple matter.

-- Scott

[1] http://shibboleth.net/downloads/service-provider/latest/
[2] https://shibboleth.atlassian.net/wiki/spaces/SP3/pages/2065335693/

