Your message dated Sun, 07 Sep 2025 16:32:09 +0000
with message-id <[email protected]>
and subject line Bug#1114506: fixed in shibboleth-sp 3.5.0+dfsg-2+deb13u1
has caused the Debian Bug report #1114506,
regarding shibboleth-sp: SQL injection vulnerability in Service Provider ODBC plugin
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1114506: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1114506
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: shibboleth-sp
Version: 3.4.1+dfsg-2
Severity: grave
Tags: upstream patch security fixed-upstream
Forwarded: https://issues.shibboleth.net/jira/browse/SSPCPP-1014

Shibboleth Service Provider Security Advisory [3 September 2025]

An updated version of the Shibboleth Service Provider is available
to correct a SQL injection vulnerability in the ODBC StorageService
extension shipped with some distributions of the software.

The vulnerability is moderate to high severity for anyone using
the ODBC plugin, and of no impact for others.

SQL injection vulnerability in Service Provider ODBC plugin
===========================================================
The Shibboleth Service Provider includes a storage API usable
for a number of different use cases such as the session cache,
replay cache, and relay state management. An ODBC extension
plugin is provided with some distributions of the software
(notably on Windows).

A SQL injection vulnerability was identified in some of the
queries issued by the plugin, and this can be creatively
exploited through specially crafted inputs to exfiltrate
information stored in the database used by the SP.

Recommendations
===============
Update to V3.5.1 (or later) of the Shibboleth Service Provider,
or if you cannot, then migrate off of the ODBC storage
plugin/extension.

Restarting the shibd process is sufficient to apply the change,
as the affected code runs only within that process.


Credits
=======
SEC Consult Vulnerability Lab
Florian Stuhlmann

URL for this Security Advisory:
https://shibboleth.net/community/advisories/secadv_20250903.txt

--- End Message ---
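The advisory above describes the bug only in outline (injection in "some of the queries" issued by the ODBC StorageService plugin, fixed by extending string escaping), and the affected queries are not reproduced on this page. The following Python script is an added example, not code from the Shibboleth SP or its ODBC plugin (which is C++ and talks to a real ODBC driver): it models a SQL-backed string store of the same shape (context, key, expiry, value), using the standard-library sqlite3 module as a stand-in for ODBC, and contrasts a query whose escaping covers only one of its string inputs with one whose escaping is extended to every string, and with a parameterized query. The table name `strings`, the column layout, the sample rows, the `PAYLOAD` string and the `NOW` timestamp are all constructed for the demonstration.

```python
import sqlite3

# Fixed "current time" so the example is deterministic (constructed value).
NOW = 1_757_000_000

# Constructed injection payload delivered through the context string.  The
# trailing "--" comments out the rest of the statement, including the expiry check.
PAYLOAD = "relaystate' OR context='sessions' --"

# Constructed schema modelling a StorageService string table; not the plugin's real schema.
SCHEMA = """
CREATE TABLE strings (
    context TEXT    NOT NULL,   -- e.g. session cache, replay cache, relay state
    id      TEXT    NOT NULL,
    expires INTEGER NOT NULL,
    value   TEXT    NOT NULL,
    PRIMARY KEY (context, id)
)
"""

# Constructed sample rows standing in for what an SP keeps in its store.
SAMPLE_ROWS = [
    ("sessions",   "_s1", NOW + 3600, "session-secret-for-user-alice"),
    ("relaystate", "_r1", NOW + 600,  "https://sp.example.org/protected"),
]


def make_db():
    """Create an in-memory store populated with the constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    db.executemany("INSERT INTO strings VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return db


def sql_escape(s):
    """Double single quotes, the escaping a standard-SQL string literal needs.

    Caveat: some backends (MySQL without NO_BACKSLASH_ESCAPES, for one) also
    treat backslash as an escape character, so a hand-written escaper has to
    know the driver it is talking to.  That is one reason binding is preferred.
    """
    return s.replace("'", "''")


def read_partially_escaped(db, context, key):
    """Vulnerable pattern: escaping applied to one string input but not the other."""
    q = ("SELECT value FROM strings WHERE context='%s' AND id='%s' AND expires > %d"
         % (context, sql_escape(key), NOW))
    return [row[0] for row in db.execute(q)]


def read_fully_escaped(db, context, key):
    """Escaping extended to every string that reaches the statement."""
    q = ("SELECT value FROM strings WHERE context='%s' AND id='%s' AND expires > %d"
         % (sql_escape(context), sql_escape(key), NOW))
    return [row[0] for row in db.execute(q)]


def read_parameterized(db, context, key):
    """Preferred form: bound parameters; the driver never parses the values as SQL."""
    q = "SELECT value FROM strings WHERE context=? AND id=? AND expires > ?"
    return [row[0] for row in db.execute(q, (context, key, NOW))]


def demo():
    """Run the same lookup through all three variants and return the rows each yields."""
    db = make_db()
    return {
        "legit":   read_parameterized(db, "relaystate", "_r1"),   # normal lookup
        "partial": read_partially_escaped(db, PAYLOAD, "_r1"),    # leaks the session row too
        "full":    read_fully_escaped(db, PAYLOAD, "_r1"),        # payload is just a literal
        "param":   read_parameterized(db, PAYLOAD, "_r1"),        # same, via binding
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:8s} -> {rows}")
```

Running the script shows the partially escaped query returning the value stored under the `sessions` context even though the caller asked for `relaystate`, which is the exfiltration pattern the advisory warns about; the two corrected variants return nothing for the malformed context. Extending escaping to every string is what the Debian patch title describes; binding parameters removes the need to know each driver's quoting rules at all.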
--- Begin Message ---
Source: shibboleth-sp
Source-Version: 3.5.0+dfsg-2+deb13u1
Done: Ferenc Wágner <[email protected]>

We believe that the bug you reported is fixed in the latest version of
shibboleth-sp, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ferenc Wágner <[email protected]> (supplier of updated shibboleth-sp package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 06 Sep 2025 11:46:12 +0200
Source: shibboleth-sp
Architecture: source
Version: 3.5.0+dfsg-2+deb13u1
Distribution: trixie-security
Urgency: high
Maintainer: Debian Shib Team <[email protected]>
Changed-By: Ferenc Wágner <[email protected]>
Closes: 1114506
Changes:
 shibboleth-sp (3.5.0+dfsg-2+deb13u1) trixie-security; urgency=high
 .
   * [627cc27] New patch: SSPCPP-1014 - Extend escaping in strings.
     Fix SQL injection vulnerability in Service Provider ODBC plugin:
     specially crafted inputs can exfiltrate information stored in the
     database used by the SP.  The vulnerability is moderate to high
     severity for anyone using the ODBC plugin, and of no impact for others.
     Thanks to Scott Cantor (Closes: #1114506)
Checksums-Sha1:
 801b5e56ba9c6fa842e9f1bf81b2754bc0425ddc 2862 shibboleth-sp_3.5.0+dfsg-2+deb13u1.dsc
 20daf89c8c6400e43e2fee1fcfa80bdc2c51b608 653360 shibboleth-sp_3.5.0+dfsg.orig.tar.xz
 5e985b44fb8c31821320c1be57e9cc4f6d867e84 41452 shibboleth-sp_3.5.0+dfsg-2+deb13u1.debian.tar.xz
 48291bf927a3765aa6eb40e6aa5d4da8bb731607 14993 shibboleth-sp_3.5.0+dfsg-2+deb13u1_amd64.buildinfo
Checksums-Sha256:
 c9cc627fe3d77d40328aa73f1fbd34a47f23ff63ced5c82488fbbc7728dc8ed6 2862 shibboleth-sp_3.5.0+dfsg-2+deb13u1.dsc
 d01e728167343c7f19ceb754fcd26f00d7d6260f28c2e47752055f4eb2d668ee 653360 shibboleth-sp_3.5.0+dfsg.orig.tar.xz
 38a28689c7e3a0f35b0c2c9469531b69de02e88cf2f9b1480e68b1277372e71e 41452 shibboleth-sp_3.5.0+dfsg-2+deb13u1.debian.tar.xz
 4a8ac6c5a734869031e8057db175f892d6f86ba57f713700fbf703db29465f82 14993 shibboleth-sp_3.5.0+dfsg-2+deb13u1_amd64.buildinfo
Files:
 8d70bdcef886e34b5a68012a727e819d 2862 web optional shibboleth-sp_3.5.0+dfsg-2+deb13u1.dsc
 680480c6b9a94b6c0ebc69d55113e83b 653360 web optional shibboleth-sp_3.5.0+dfsg.orig.tar.xz
 6adc4dcb49c76bfc38cf5bf16bef4e81 41452 web optional shibboleth-sp_3.5.0+dfsg-2+deb13u1.debian.tar.xz
 3f9751b04d9e401c29146134fd57b877 14993 web optional shibboleth-sp_3.5.0+dfsg-2+deb13u1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

Attachment: pgpvK78wKFOpC.pgp
Description: PGP signature


--- End Message ---
