...

The following represent new default settings and other significant configuration changes made since the 2.4.0 release.

Hostname Verification on Configuration Retrieval

IMPACT: high

This release corrects a bug similar to the one discovered in metadata retrieval, noted below for 2.4.0, but one that applies to the HttpResource and FileBackedHttpResource types when they are used for remote access to configuration files (in service.xml) or with a ResourceBackedMetadataProvider (in relying-party.xml). This patch release enables hostname verification, provided that the disregardSslCertificate option is not enabled for metadata use; as noted below, that option applies globally. In such cases, you should reconsider use of a remote access strategy for configuration files, or use a separate cron task to download updated files using a tool that does enforce proper checking.
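One way to write the separate download task mentioned above, as an added example that is not part of the Shibboleth distribution or its documentation. The script name, URL and destination path in the usage comment are assumptions, and the job is assumed to run from cron as the user that owns the IdP configuration directory.

```python
#!/usr/bin/env python3
"""Fetch a remote configuration file with certificate and hostname checks."""
import os
import ssl
import sys
import tempfile
import urllib.request
import xml.etree.ElementTree as ET


def strict_tls_context(cafile=None):
    """Return a context that validates the certificate chain and the hostname."""
    ctx = ssl.create_default_context(cafile=cafile)
    # Both settings are already the defaults; stating them makes any later
    # edit that weakens them stand out in review.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def fetch(url, cafile=None, timeout=30):
    """Download url over HTTPS only; any TLS or HTTP failure raises."""
    if not url.lower().startswith("https://"):
        raise ValueError("refusing non-HTTPS URL: " + url)
    ctx = strict_tls_context(cafile)
    with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
        if not resp.geturl().lower().startswith("https://"):
            raise ValueError("redirected away from HTTPS: " + resp.geturl())
        return resp.read()


def install(data, dest):
    """Atomically replace dest, but only if data is well-formed XML."""
    ET.fromstring(data)  # ParseError here leaves the existing file untouched
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(dest)))
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        os.replace(tmp, dest)  # atomic rename within one filesystem
    except BaseException:
        os.unlink(tmp)
        raise


if __name__ == "__main__":
    # Hypothetical usage: fetch_config.py https://config.example.org/rp.xml /path/to/conf/rp.xml
    url, dest = sys.argv[1], sys.argv[2]
    install(fetch(url), dest)
```

A failed fetch or a malformed download exits non-zero and leaves the previous file in place, so the IdP can load the local copy with a plain file resource instead of fetching it remotely.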

SVN Support Now Requires Separate Download

...

After review, the project has determined that we are unable to distribute TMate's SVNKit software library, and we have therefore been forced to remove it from the Shibboleth IdP distribution. As a result, deployers relying on the SVNResource type for access to configuration files (in service.xml) or for metadata with a ResourceBackedMetadataProvider (in relying-party.xml) cannot upgrade to this release without taking the additional step of downloading the svnkit jars and adding them to the lib directory in the unpacked distribution before running the installation/upgrade script. The library and its dependencies can be obtained directly from http://svnkit.com/. Note that the latest versions are compatible only with newer Subversion working copy formats, and existing deployments may need to use the older 1.3 release that had been shipped with the software in the past, or update/remove their current working copies. We have not tested on anything past 1.3.

Shibboleth 2.4.0 Configuration Changes

...