The Shibboleth update released last week contained a couple of important security fixes,
and it is recommended to update as soon as possible.
Pål
From: announce <announce-bounces@shibboleth.net> On Behalf Of Scott Cantor via announce
Sent: Wednesday, May 13, 2026 10:09 PM
To: announce@shibboleth.net
Cc: Scott Cantor <scott@restingparrotsoftware.com>
Subject: Shibboleth Identity Provider Security Advisory [13 May 2026]
Shibboleth Identity Provider Security Advisory [13 May 2026]
The Shibboleth Identity Provider has, for some time, included a
library known as "JavaMail", more recently "JakartaMail", used
by the Logback logging library to support sending log output
via SMTP mail.
A vulnerability in this library, while not deemed critical in
its own right, has led us to make the unusual decision to remove
this library from the IdP distribution due to the risk of a more
serious vulnerability in the future.
The Jakarta Mail vulnerability was recorded as CVE-2025-7962.
Injection vulnerability in SMTP Library included with IdP
=========================================================
The Shibboleth Identity Provider dating back to at least V3.0
includes a library not used by the IdP itself but present to
support an optional Logback feature, an SMTP Appender [1]
that supports log output via SMTP.
It is typically used in conjunction with a filter to limit
the use of the feature to specific log messages of particular
import.
The version of the library shipped with recent versions of the
IdP includes a vulnerability, CVE-2025-7962, that allowed
for SMTP injection based on specially crafted log messages.
The most likely vector for exploit would involve logging
that can be influenced by user input.
Because we believe this feature is very little used and because
we are more concerned about the possibility of future exploits
that could be more serious, we have taken the step of removing
this library from a patch release of the IdP and will not be
replacing it with a fixed version.
Recommendations
===============
Update to V5.2.2 (or later) of the Identity Provider software.
If making use of the Logback SMTP Appender feature, inject a fixed
version of the Jakarta Mail library via the IdP's "edit-webapp"
customization mechanism and rebuild the IdP.
See [2] for the project's home page. The self-contained version
of the library that corrects the specific CVE reported is V2.0.2;
note that this is true despite the official CVE claiming otherwise.
Newer versions (V2.1.x) have a separate implementation jar along
with the original API jar. Refer to their documentation for
specifics.
Notably, use this feature at your own risk. We as a project do
not consider it wise to include an SMTP implementation on the
class path given the risk of a more serious issue causing
exfiltration vulnerabilities.
Credits
=======
Philip Brusten
[1] https://logback.qos.ch/manual/appenders.html#SMTPAppender
[2] https://jakartaee.github.io/mail-api/
URL for this Security Advisory:
https://shibboleth.net/community/advisories/secadv_20260513b.txt
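The advisory leaves the deployer with two practical questions: is the Logback SMTP Appender (with its usual filter) actually configured on this IdP, and, if so, which Jakarta Mail jar will be on the class path after the V5.2.2 update and an edit-webapp override? The script below is an added example, not part of the advisory or of the Shibboleth project. It assumes the IdP layout of $IDP_HOME/conf/logback.xml, $IDP_HOME/webapp/WEB-INF/lib and the edit-webapp overlay at $IDP_HOME/edit-webapp/WEB-INF/lib, uses the logback class name ch.qos.logback.classic.net.SMTPAppender, treats 2.0.2 as the first fixed self-contained version as the advisory states, and builds a constructed sample tree (including a logback.xml whose subject line carries the log message via %m, the kind of user-influenced content the advisory warns about) so that it runs offline.

```shell
#!/bin/sh
# Added example (not the advisory's or the project's code): audit an IdP home
# for Logback's SMTPAppender and the Jakarta Mail jar version on its class path.
# Assumed layout: conf/logback.xml, webapp/WEB-INF/lib, edit-webapp/WEB-INF/lib.
set -u

# 0 if the given logback.xml configures an SMTPAppender, 1 otherwise.
idp_uses_smtp_appender() {
    grep -q 'ch\.qos\.logback\.classic\.net\.SMTPAppender' "$1"
}

# Print the version of every jakarta.mail-<version>.jar in a lib directory,
# one per line; prints nothing when there is none.
jakarta_mail_versions() {
    for jar in "$1"/jakarta.mail-*.jar; do
        [ -e "$jar" ] || continue
        basename "$jar" .jar | sed 's/^jakarta\.mail-//'
    done
}

# 0 if dotted version $1 >= $2, compared component-wise as numbers.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0; yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# Report one IdP home. Returns 0 when SMTPAppender is off, or when a fixed
# Jakarta Mail (>= 2.0.2 per the advisory) is the only copy on the class path;
# returns 1 when the appender is on and the library is missing or still old.
audit_idp() {
    home=$1
    if ! idp_uses_smtp_appender "$home/conf/logback.xml"; then
        echo "no SMTPAppender in conf/logback.xml: the V5.2.2 removal needs no action"
        return 0
    fi
    echo "SMTPAppender configured in conf/logback.xml"
    old=0; fixed=0
    for d in "$home/edit-webapp/WEB-INF/lib" "$home/webapp/WEB-INF/lib"; do
        for ver in $(jakarta_mail_versions "$d"); do
            if version_ge "$ver" 2.0.2; then
                echo "  $d: jakarta.mail $ver (fixed)"; fixed=$((fixed + 1))
            else
                echo "  $d: jakarta.mail $ver (affected by CVE-2025-7962)"; old=$((old + 1))
            fi
        done
    done
    if [ "$old" -eq 0 ] && [ "$fixed" -gt 0 ]; then
        return 0
    fi
    if [ "$old" -gt 0 ]; then
        echo "  vulnerable jar still on the class path: update to V5.2.2 and stage a fixed jar"
    else
        echo "  no Jakarta Mail jar present: SMTPAppender cannot load without it"
    fi
    return 1
}

# Constructed sample tree (no real deployment). "old": pre-5.2.2 with a shipped
# 2.0.1 jar; "fixed": 5.2.2 (jar removed) plus 2.0.2 staged via edit-webapp.
make_sample_idp() {
    dir=$(mktemp -d)
    mkdir -p "$dir/conf" "$dir/webapp/WEB-INF/lib" "$dir/edit-webapp/WEB-INF/lib"
    cat > "$dir/conf/logback.xml" <<'EOF'
<configuration>
  <appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
    <filter class="ch.qos.logback.classic.filter.ThresholdFilter">
      <level>ERROR</level>
    </filter>
    <smtpHost>smtp.example.org</smtpHost>
    <to>idp-admins@example.org</to>
    <from>idp@example.org</from>
    <subject>IdP error: %logger{20} - %m</subject>
    <layout class="ch.qos.logback.classic.PatternLayout">
      <pattern>%date %-5level %logger{35} - %message%n</pattern>
    </layout>
  </appender>
  <root level="INFO"><appender-ref ref="EMAIL"/></root>
</configuration>
EOF
    if [ "$1" = old ]; then
        : > "$dir/webapp/WEB-INF/lib/jakarta.mail-2.0.1.jar"
    else
        : > "$dir/edit-webapp/WEB-INF/lib/jakarta.mail-2.0.2.jar"
    fi
    printf '%s\n' "$dir"
}

# Demo on the constructed trees; on a real host run: audit_idp /opt/shibboleth-idp
for mode in old fixed; do
    sample=$(make_sample_idp "$mode")
    echo "== sample: $mode =="
    audit_idp "$sample" || echo "  ACTION REQUIRED"
    rm -rf "$sample"
done
```

On a real deployment, after copying the fixed jar into edit-webapp/WEB-INF/lib, rebuild the war with the IdP's bin/build.sh so the overlay takes effect; the check above only looks at the staging directories, not at the built war. The name match covers only the self-contained jakarta.mail jar; the 2.1.x line the advisory mentions ships the API and the implementation as separate jars, so a deployment on that line needs the check extended to those names. None of this changes the advisory's own position: even with a fixed jar staged, keeping an SMTP implementation on the IdP class path is at the deployer's risk.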