Bug#987608: shibboleth-sp: Session recovery feature contains a null pointer deference
carnil at debian.org
Mon Apr 26 20:19:16 BST 2021
On Mon, Apr 26, 2021 at 03:16:14PM +0200, Ferenc Wágner wrote:
> Source: shibboleth-sp
> Version: 3.0.2+dfsg1-1
> Severity: important
> Tags: upstream patch security
> Forwarded: https://issues.shibboleth.net/jira/browse/SSPCPP-927
> Shibboleth Service Provider Security Advisory [26 April 2021]
> An updated version of the Service Provider software is now
> available which corrects a denial of service vulnerability.
> Session recovery feature contains a null pointer deference
> The cookie-based session recovery feature added in V3.0 contains a
> flaw that is exploitable on systems *not* using the feature if a
> specially crafted cookie is supplied.
> This manifests as a crash in the shibd daemon/service process.
> Because it is very simple to trigger this condition remotely, it
> results in a potential denial of service condition exploitable by
> a remote, unauthenticated attacker.
> Versions without this feature (prior to V3.0) are not vulnerable
> to this particular issue.
> Update to V3.2.2 or later of the Service Provider software, which
> is now available.
> In cases where this is not immediately possible, configuring a
> DataSealer component in shibboleth2.xml (even if used for nothing)
> will work around the vulnerability.
> For example:
> <DataSealer type="Static" key="4Sn0Wi6BXqQLCg+GQqY6bg==" />
> This workaround is only possible after having updated the
> core configuration to the V3 XML namespace.
> Other Notes
> The cpp-sp git commit containing the fix for this issue is
> URL for this Security Advisory:
Raising the severity to RC as I think this should go into bullseye and
the fix is targetted possible. Let me though know if you disagree on
More information about the Pkg-shibboleth-devel