...

As always, sites are advised to use the latest stable release of any Shibboleth product. Refer to the ProductVersioning page for information about our support and versioning policies. The Home page identifies the specific versions recommended at a given point in time.

...

In the event that we ship releases that are known to contain vulnerable libraries, or that we subsequently discover to contain them, and do not have specific plans to immediately issue a patch with a newer version, we will document any known issues here, along with our official position as to why the issue does not affect the software. It is not our aim to pass generic, context-free scanners that simply flag every issue. Automation is not a substitute for human judgement.

V4.1.4

  • Guava (any) (CVE-2020-8908)

    • We don't use the affected, deprecated function, and there is no fix for the issue.

  • Ant (1.10.10) (CVE-2021-36373, CVE-2021-36374)

    • Ant is only used during installations, but downloaded packages should always be verified via GPG signature. Plugin installation automatically verifies signatures unless forcibly overridden. We will update the dependency at the next patch opportunity.

  • Commons Compress (1.20) (CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090)

    • See Ant note.

  • log4j-over-slf4j (1.7.30) (CVE-2020-9488)

    • Issue affects non-default SMTP logging functionality. We will update the dependency at the next patch opportunity if feasible (the logging stack has a lot of interdependencies).

  • xmlsec (2.1.6) (CVE-2021-40690)

    • We don’t use the code involved in the vulnerability. We will update the dependency at the next patch opportunity.

  • Spring 5.3.x (CVE-2021-22096)

    • Spring’s description of the log injection issue is very vague but it appears to us to be very unlikely that it could ever be fully fixed by them (as opposed to some kind of mitigation within the logging library itself), so we don’t believe that whatever mitigations they’ve added are going to help a lot. We have thousands of logging statements that log all sorts of data, and we believe they are certainly vulnerable to manipulation in certain cases. The only alternative is not to log anything. The takeaway is “treat logs with a grain of salt”. We plan to update Spring in the next release to address the CVE.
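The log injection concern above ("treat logs with a grain of salt"), as an added example that is not Shibboleth or Spring code: it assumes a simple one-line log format and a constructed untrusted value, and shows how a line break in that value yields a second, forged record for any consumer that splits on newlines, while escaping control characters before logging keeps the value inside one record and leaves a visible trace for detection.

```python
import re

# Assumed log record format: "<ISO timestamp> <LEVEL> <logger> - <message>", one per line.
RECORD_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (INFO|WARN|ERROR) (\S+) - (.*)$"
)


def sanitize(value: str) -> str:
    """Escape CR, LF and other control characters in an untrusted value so it
    cannot terminate the current record or start a new one."""
    out = []
    for ch in value:
        if ch == "\r":
            out.append("\\r")
        elif ch == "\n":
            out.append("\\n")
        elif ord(ch) < 0x20 or ch == "\x7f":
            out.append("\\x%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def format_record(ts, level, logger, message, safe=True):
    """Render one record; with safe=False the message is written verbatim."""
    msg = sanitize(message) if safe else message
    return f"{ts} {level} {logger} - {msg}\n"


def parse_records(text):
    """Split log text the way a typical consumer does (one line = one record)."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        records.append(m.groups() if m else ("?", "?", "?", line))
    return records


def suspect_records(records):
    """Indices of records whose message carries an escaped line break, i.e.
    an untrusted value tried to break out of its record."""
    return [i for i, r in enumerate(records) if "\\n" in r[3] or "\\r" in r[3]]


# Constructed untrusted value: a username followed by a line break and text
# shaped like a complete record of its own.
UNTRUSTED = "alice\n2021-01-01T00:00:01 INFO some.logger - forged line"


def demo(safe):
    raw = format_record("2021-01-01T00:00:00", "WARN", "net.shibboleth.idp.authn",
                        f"Login failed for user {UNTRUSTED}", safe=safe)
    return parse_records(raw)
```

With `safe=False` the consumer sees two well-formed records and `suspect_records` finds nothing, which is exactly why logs alone cannot be trusted; with `safe=True` there is one record and the escape sequence makes the attempt visible.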

...