Hi Ferenc,

On Mon, Apr 26, 2021 at 03:16:14PM +0200, Ferenc Wágner wrote:
> Source: shibboleth-sp
> Version: 3.0.2+dfsg1-1
> Severity: important
> Tags: upstream patch security
> Forwarded: https://issues.shibboleth.net/jira/browse/SSPCPP-927
>
> Shibboleth Service Provider Security Advisory [26 April 2021]
>
> An updated version of the Service Provider software is now
> available which corrects a denial of service vulnerability.
>
> Session recovery feature contains a null pointer dereference
> ======================================================================
> The cookie-based session recovery feature added in V3.0 contains a
> flaw that is exploitable on systems *not* using the feature if a
> specially crafted cookie is supplied.
>
> This manifests as a crash in the shibd daemon/service process.
>
> Because it is very simple to trigger this condition remotely, it
> results in a potential denial of service condition exploitable by
> a remote, unauthenticated attacker.
>
> Versions without this feature (prior to V3.0) are not vulnerable
> to this particular issue.
>
> Recommendations
> ===============
> Update to V3.2.2 or later of the Service Provider software, which
> is now available.
>
> In cases where this is not immediately possible, configuring a
> DataSealer component in shibboleth2.xml (even if used for nothing)
> will work around the vulnerability.
>
> For example:
>
> <DataSealer type="Static" key="4Sn0Wi6BXqQLCg+GQqY6bg==" />
>
> This workaround is only possible after having updated the
> core configuration to the V3 XML namespace.
>
> Other Notes
> ===========
> The cpp-sp git commit containing the fix for this issue is
> 5a47c3b9378f4c49392dd4d15189b70956f9f2ec
>
>
> URL for this Security Advisory:
> https://shibboleth.net/community/advisories/secadv_20210426.txt

Raising the severity to RC as I think this should go into bullseye and
a targeted fix is possible. Let me know though if you disagree on this.

Regards,
Salvatore
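
The advisory's version range and DataSealer workaround, written as a local audit check; this is an added example, not part of the original message or of the Shibboleth project's code. The function names, result strings and sample configurations are constructed for illustration, and the version test assumes upstream numbering.

```python
import re
import xml.etree.ElementTree as ET

V3_NS = "urn:mace:shibboleth:3.0:native:sp:config"  # V3 core config namespace
FIRST_AFFECTED = (3, 0, 0)  # advisory: versions prior to V3.0 are not vulnerable
FIXED = (3, 2, 2)           # advisory: update to V3.2.2 or later

# Constructed sample configurations (not taken from any real deployment).
V2_CONFIG = '<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"/>'
V3_NO_SEALER = f'<SPConfig xmlns="{V3_NS}"><ApplicationDefaults/></SPConfig>'
V3_WITH_SEALER = (f'<SPConfig xmlns="{V3_NS}">'
                  '<DataSealer type="Static" key="CONSTRUCTED-PLACEHOLDER"/>'
                  '<ApplicationDefaults/></SPConfig>')


def upstream_version(version):
    """Return the leading dotted numbers as a 3-tuple, ignoring epoch and suffix."""
    m = re.match(r"(?:\d+:)?(\d+(?:\.\d+)*)", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    parts = [int(p) for p in m.group(1).split(".")][:3]
    return tuple(parts + [0] * (3 - len(parts)))


def assess(version, config_xml):
    """Classify an install against the advisory's version range and workaround.

    Assumption: the version follows upstream numbering; a distribution package
    can carry the fix under an older number, so check its changelog as well.
    """
    if not FIRST_AFFECTED <= upstream_version(version) < FIXED:
        return "not-affected-by-version"
    root = ET.fromstring(config_xml)
    namespace = root.tag[1:].split("}")[0] if root.tag.startswith("{") else ""
    if namespace != V3_NS:
        return "affected-workaround-needs-v3-namespace"
    if root.find(f".//{{{V3_NS}}}DataSealer") is not None:
        return "affected-workaround-present"
    return "affected-workaround-missing"


if __name__ == "__main__":
    for cfg in (V2_CONFIG, V3_NO_SEALER, V3_WITH_SEALER):
        print(assess("3.0.2+dfsg1-1", cfg))
```
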