Your message dated Sat, 06 Sep 2025 19:51:41 +0000
with message-id <[email protected]>
and subject line Bug#1114506: fixed in shibboleth-sp 3.5.1+dfsg-1
has caused the Debian Bug report #1114506,
regarding shibboleth-sp: SQL injection vulnerability in Service Provider ODBC plugin
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1114506: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1114506
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: shibboleth-sp
Version: 3.4.1+dfsg-2
Severity: grave
Tags: upstream patch security fixed-upstream
Forwarded: https://issues.shibboleth.net/jira/browse/SSPCPP-1014
Shibboleth Service Provider Security Advisory [3 September 2025]
An updated version of the Shibboleth Service Provider is available
to correct a SQL injection vulnerability in the ODBC StorageService
extension shipped with some distributions of the software.
The vulnerability is moderate to high severity for anyone using
the ODBC plugin, and of no impact for others.
SQL injection vulnerability in Service Provider ODBC plugin
===========================================================
The Shibboleth Service Provider includes a storage API usable
for a number of different use cases such as the session cache,
replay cache, and relay state management. An ODBC extension
plugin is provided with some distributions of the software
(notably on Windows).
A SQL injection vulnerability was identified in some of the
queries issued by the plugin, and this can be creatively
exploited through specially crafted inputs to exfiltrate
information stored in the database used by the SP.
Recommendations
===============
Update to V3.5.1 (or later) of the Shibboleth Service Provider,
or if you cannot, then migrate off of the ODBC storage
plugin/extension.
Restarting the shibd process is sufficient to apply the change,
as the affected code runs only within that process.
Credits
=======
SEC Consult Vulnerability Lab
Florian Stuhlmann
URL for this Security Advisory:
https://shibboleth.net/community/advisories/secadv_20250903.txt
--- End Message ---
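The advisory above names the flaw class (SQL injection in queries issued by a storage plugin) but not the affected queries themselves. The following is an added illustration of that general pattern and is not code from Shibboleth or its ODBC plugin: a storage-service read that splices the caller-supplied key into the SQL text, next to the same read with bound parameters. Python's sqlite3 stands in for an ODBC connection; the table name, columns and rows are constructed for the example.

```python
import sqlite3

# Constructed stand-in for a storage-service table: one row per (context, id).
SCHEMA = """
CREATE TABLE storage (
    context TEXT NOT NULL,
    id      TEXT NOT NULL,
    value   TEXT NOT NULL,
    PRIMARY KEY (context, id)
)
"""

# Constructed sample rows: one harmless relay-state entry and one row from a
# different context that a caller must never be able to reach by naming a key.
SAMPLE_ROWS = [
    ("relaystate", "rs-1", "https://example.org/return"),
    ("session", "sess-42", "SECRET-SESSION-DATA"),
]


def open_store():
    """In-memory database standing in for the ODBC-backed store."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO storage VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def read_string_concat(conn, context, key):
    """Vulnerable pattern: the caller-controlled key is spliced into the SQL text,
    so quote characters in the key change the meaning of the WHERE clause."""
    sql = "SELECT value FROM storage WHERE context='%s' AND id='%s'" % (context, key)
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def read_string_param(conn, context, key):
    """Hardened pattern: the key travels as a bound parameter and is only ever
    compared as data, whatever characters it contains."""
    row = conn.execute(
        "SELECT value FROM storage WHERE context=? AND id=?",
        (context, key),
    ).fetchone()
    return row[0] if row else None


def demo():
    """Run both reads with the same constructed key and return their results."""
    conn = open_store()
    # Constructed key containing a quote and a comment marker.
    crafted = "x' OR context='session' --"
    return (
        read_string_concat(conn, "relaystate", crafted),  # leaks the session row
        read_string_param(conn, "relaystate", crafted),   # no such key: None
    )


if __name__ == "__main__":
    print(demo())
```

The concatenated form returns a value from a context the caller never named, which is the kind of cross-record exfiltration the advisory describes; the bound-parameter form treats the whole key as an identifier and finds nothing. When auditing any storage backend, the property to check is that no caller-supplied key, context or value ever reaches the database as SQL text rather than as a bound parameter.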
--- Begin Message ---
Source: shibboleth-sp
Source-Version: 3.5.1+dfsg-1
Done: Ferenc Wágner <[email protected]>
We believe that the bug you reported is fixed in the latest version of
shibboleth-sp, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Ferenc Wágner <[email protected]> (supplier of updated shibboleth-sp package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 06 Sep 2025 13:35:57 +0200
Source: shibboleth-sp
Architecture: source
Version: 3.5.1+dfsg-1
Distribution: unstable
Urgency: high
Maintainer: Debian Shib Team <[email protected]>
Changed-By: Ferenc Wágner <[email protected]>
Closes: 1114506
Changes:
shibboleth-sp (3.5.1+dfsg-1) unstable; urgency=high
.
* Urgency set to high for security fix.
* [d265d78] New upstream release: 3.5.1 (Closes: #1114506)
Fix SQL injection vulnerability in Service Provider ODBC plugin:
specially crafted inputs can exfiltrate information stored in the
database used by the SP. The vulnerability is moderate to high
severity for anyone using the ODBC plugin, and of no impact for others.
* [059241e] Refresh our patches
* [5a80567] Update Standards-Version to 4.7.2 (no changes required)
* [9a8761b] New patch: Disable Doxygen's SHORT_NAMES to gain reproducibility
Checksums-Sha1:
 a2097c7e499e4283fbf22045f699ee498c4173e3 2830 shibboleth-sp_3.5.1+dfsg-1.dsc
 1bda807ad650e6a1db41cad80504739795fc9297 655940 shibboleth-sp_3.5.1+dfsg.orig.tar.xz
 a29005281e0747f4719c8c1f99cced499959aac1 41460 shibboleth-sp_3.5.1+dfsg-1.debian.tar.xz
 ab29f3df1b798bdff62cb7b1e8780004e42273d5 14952 shibboleth-sp_3.5.1+dfsg-1_amd64.buildinfo
Checksums-Sha256:
 faceb61801a5829f948f6036a8064c67d9a3f6ae214e05611c14bd2ae0da261d 2830 shibboleth-sp_3.5.1+dfsg-1.dsc
 8d99e2632c3e940c8b9987b2b37e18d3146ce7833ee9fe8500ad77c0aa91705a 655940 shibboleth-sp_3.5.1+dfsg.orig.tar.xz
 8a6f74b08969a5f1e7b50502de43bcc668241e8971235ecb25639754b523ab9e 41460 shibboleth-sp_3.5.1+dfsg-1.debian.tar.xz
 4a6519be016b43e07694dd490d027571bbc86d6be4321a52b21f06f0bc48d5d1 14952 shibboleth-sp_3.5.1+dfsg-1_amd64.buildinfo
Files:
 d345282942ad5b64242c56124a447422 2830 web optional shibboleth-sp_3.5.1+dfsg-1.dsc
 cfefca5abe3b4f604d5ad9e37bcc0634 655940 web optional shibboleth-sp_3.5.1+dfsg.orig.tar.xz
 0ead5c93c95af26fabd8bfa44b49b373 41460 web optional shibboleth-sp_3.5.1+dfsg-1.debian.tar.xz
 343a78bd3f3a013c2f993123eea198a6 14952 web optional shibboleth-sp_3.5.1+dfsg-1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---