Bug#881856: opensaml2: Dynamic MetadataProvider fails to install security filters (CPPOST-105)

Salvatore Bonaccorso carnil at debian.org
Wed Nov 15 20:06:09 UTC 2017

Source: opensaml2
Version: 2.5.3-2
Severity: grave
Tags: patch security upstream
Justification: user security hole
Control: clone -1 -2
Control: reassign -2 shibboleth-sp2 2.5.3+dfsg-2
Control: retitle -2 shibboleth-sp2: Dynamic MetadataProvider fails to install security filters (SSCPP-763)


As per https://shibboleth.net/community/advisories/secadv_20171115.txt
an issue affecting opensaml2 and shibboleth-sp2:

Hash: SHA512

Shibboleth Service Provider Security Advisory [15 November 2017]

An updated version of the Shibboleth Service Provider software
is available which corrects a critical security issue in the
"Dynamic" metadata provider plugin.

Deployers making use of the affected feature should apply the
relevant update at the soonest possible moment.

NOTE: CVEs for this issue are forthcoming from the Debian Project
and this advisory will be updated if and when they are obtained.

Dynamic MetadataProvider fails to install security filters
The Shibboleth Service Provider software includes a MetadataProvider
plugin with the plugin type "Dynamic" to obtain metadata on demand
from a query server, in place of the more typical mode of downloading
aggregates separately containing all of the metadata to load.

All the plugin types rely on MetadataFilter plugins to perform critical
security checks such as signature verification, enforcement of validity
periods, and other checks specific to deployments.

Due to a coding error, the "Dynamic" plugin fails to configure itself
with the filters provided to it and thus omits whatever checks they are
intended to perform, which will typically leave deployments vulnerable
to active attacks involving the substitution of metadata if the network
path to the query service is compromised.

Affected Systems
All versions of the Service Provider software prior to V2.6.1 contain
this vulnerability.

There are no known mitigations to prevent this attack apart from
applying this update. Deployers should take immediate steps, and
may wish to disable the use of this feature until the upgrade is done.

Service Provider Deployer Recommendations
Upgrade to V2.6.1 or later of the Service Provider and restart the
shibd service/daemon.

Sites relying on official RPM packages or Macports can update via the
yum and port commands respectively.

For those using platforms unsupported by the project team directly,
refer to your vendor or package source directly for information on
obtaining the fixed version. If the update from your vendor lags,
you may consider building from source for your own use as an interim

The patch commit that corrects this issue can be found at [1].

Additional Recommendations for Federation Operators
Operators of metadata query services in support of this feature may
wish to consider implementing security checks after a suitable upgrade
window has elapsed to prevent use of affected versions or follow up
with deployers. The User Agent string in requests to the service
will contain the version of the software.

Note Regarding OpenSAML Library
An identical issue exists in the DynamicMetadataProvider class in
the OpenSAML-C library in all versions prior to V2.6.1. Applications
making direct use of this library must be independently updated to
correct this vulnerability, but this fix does not correct the issue
with respect to the use of the Shibboleth SP.

The patch commit that corrects the OpenSAML issue can be found at [2].

Rod Widdowson, Steading System Software LLP

[1] https://git.shibboleth.net/view/?p=cpp-sp.git;a=commit;

[2] https://git.shibboleth.net/view/?p=cpp-opensaml.git;a=commit;

URL for this Security Advisory:



There is though the statement that CVEs will be assigned by the Debian
project. This cannot be done, since the fix was already in the
repository when asked and a CVE needs to be assigned via the MITRE
primary CNA.

Fixes for oldstable and stable are pending and already prepared by
Ferenc Wágner.


More information about the Pkg-shibboleth-devel mailing list