| Tip |
|---|
This is the advisory page for Service Provider V3 releases. For older V2 SP advisories, refer to the V2 SecurityAdvisories page. |
This page provides access to the complete history of Security Advisories released for the Shibboleth V3 Service Provider and an "at a glance" table showing you which releases are vulnerable to what kinds of issues. If you're running a particular version, you can use this table to identify the issues that could affect your system and determine how urgent an upgrade is. In addition to the announce mailing list, you can "watch" this page for changes to keep abreast.
...
The oldest SP 3 version unaffected by fixable vulnerabilities is 3.2.2, (3.2.2.2 on Windows/IIS), but this version can be subject to random instability so V3.2.3 is strongly advised.
Version | EOL | User Data Exposure | Resource Exposure | Session Hijacking | Denial of Service | Remote Exploit | Advisories |
|---|---|---|---|---|---|---|---|
All | X | X | X | X | 2018-08-03, 2018-01-23, 2014-04-09, 2011-10-24 | ||
3.2.3 | |||||||
3.2.2 | Jul 2021 | 2021-06-22 | |||||
3.2.1 | Apr 2021 | X | 2021-04-26 | ||||
3.2.0 | Mar 2020 | X | 2020-03-17 | ||||
3.1.0 | Dec 2020 | X | 2020-08-31 | ||||
3.0.4 | Apr 2020 | X | |||||
3.0.3 | Mar 2019 | X | 2019-03-11 | ||||
3.0.2 | Dec 2018 | X | 2018-12-19a | ||||
3.0.1 | Aug 2018 | X | X | X | X | ||
3.0.0 | Jul 2018 | X |
Advisory List
Date | Title | Affects | Severity | CVE |
|---|---|---|---|---|
2021-06-22 | SP for Windows IIS7+ module < 3.2.2.2 | critical | ||
2021-04-26 | SP < 3.2.2 | moderate | ||
2020-03-17 | Template generation allows external parameters to override placeholders | SP < 3.2.1 | moderate | |
2020-08-31 | IIS module fails to trap exceptions raised by network socket failures | SP for Windows IIS7+ module < 3.1.0.2 | moderate | |
2019-03-11 | XML parser class fails to trap exceptions on malformed XML declaration | SP w/ libxmltooling < 3.0.4 | moderate | CVE-2019-9628 |
2018-12-19 | Shibboleth SP software crashes on malformed date/time content | SP < 3.0.3 | moderate | |
2018-08-03 | SP w/ libxml-security-c < 2.0.2 | high | ||
2018-01-23 | All | high | ||
2014-04-09 | SP or IDP w/ OpenSSL 1.0.1 - 1.0.1f | very high | CVE-2014-0160 | |
2011-10-24 | Use of XML Encryption Vulnerable to Chosen Ciphertext Attacks | SP and IdP, all versions | moderate |