FYI
// Björn M.
Begin forwarded message:
From: Philip Smart via announce <announce(a)shibboleth.net>
Subject: WebAuthn plugin V1.4.2 now available
Date: 20 May 2026 at 11:55:46 GMT+2
To: "announce(a)shibboleth.net" <announce(a)shibboleth.net>
Cc: Philip Smart <Philip.Smart(a)jisc.ac.uk>
Reply-To: users(a)shibboleth.net
The Shibboleth Project has released version 1.4.2 of the WebAuthn authentication plugin.
This patch release primarily updates the Yubico WebAuthn libraries to version 2.9.0,
including a fix for a FIDO metadata parsing issue.
Version 2.9.0 also resolves a regression we identified and reported in later releases of
the Yubico library, which led to a high-severity impersonation vulnerability [1]. We were
not affected by this issue and intentionally deferred upgrading until a fix was available.
For full details, please refer to the release notes [2].
— Phil Smart, on behalf of the team
[1] https://www.yubico.com/support/security-advisories/ysa-2026-02/
[2] https://shibboleth.atlassian.net/wiki/spaces/IDPPLUGINS/pages/3394928781/We…