USN-4925-1: Shibboleth vulnerability
Publication date
22 April 2021
Overview
Shibboleth could be made to display malicious content.
Releases
Packages
- shibboleth-sp - Federated web single sign-on system
Details
Toni Huttunen and Fraktal Oy discovered that the Shibboleth Service
provider allowed content injection due to allowing attacker-controlled
parameters in error or other status pages. An attacker could use this to
inject malicious content.
Toni Huttunen and Fraktal Oy discovered that the Shibboleth Service
provider allowed content injection due to allowing attacker-controlled
parameters in error or other status pages. An attacker could use this to
inject malicious content.
Update instructions
In general, a standard system update will make all the necessary changes.
Learn more about how to get the fixes.The problem can be corrected by updating your system to the following package versions:
Ubuntu Release | Package Version | ||
---|---|---|---|
20.04 focal | libapache2-mod-shib – 3.0.4+dfsg1-1ubuntu0.1 | ||
libshibsp-plugins – 3.0.4+dfsg1-1ubuntu0.1 | |||
libshibsp8 – 3.0.4+dfsg1-1ubuntu0.1 | |||
shibboleth-sp-common – 3.0.4+dfsg1-1ubuntu0.1 | |||
shibboleth-sp-utils – 3.0.4+dfsg1-1ubuntu0.1 |
Reduce your security exposure
Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.