Versions Compared

Old Version 22

changes.mady.by.user Scott Cantor

Saved on

compared with

New Version 23

changes.mady.by.user Scott Cantor

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Table of Contents
maxLevel2
Tip

This is the advisory page for Identity Provider V4 releases. For the older V3 IdP's advisories, please refer to the V3 IDP SecurityAdvisories page.

For the SP, please refer to V3 SP SecurityAdvisories page.

As a courtesy, you can also find Jetty advisories at https://www.eclipse.org/jetty/security-reports.html and Tomcat advisories at http://tomcat.apache.org/security.html

...

The oldest IdP 4 version unaffected by fixable vulnerabilities is 4.0.0

Version

EOL

User Data Exposure

User Data Accuracy

Session Hijacking

Denial of Service

Remote Exploit

Advisories

All


X

X



X

2018-01-23, 2017-05-18

4.1.4








4.1.2

Jul 2021







4.1.0

May 2021







4.0.1

Mar 2021







4.0.0

Jun 2020







Advisory List

Date

Title

Affects

Severity

CVE

2018-01-23

Implications of ROBOT TLS vulnerability

All

high


2017-05-18

Default Kerberos configurations are unsafe

All

high


Library Issues

Because we have relatively infrequent releases and a strict versioning policy, it is not rare that we ship third-party libraries that may contain unfixed vulnerabilities when those issues are believed to be non-impactful. This is often due to timing; for example, we may be unable to adequately test a new version of something in time to include it in a release and may determine that the less risky course is to stay on an older version. Alternatively, it may be impossible to update something because of the API changes required, since many projects do not adhere to semantic (or any) versioning.

In the event that we ship releases known to, or that we subsequently discovery to, contain vulnerable libraries and do not have specific plans to immediately issue a patch with a newer version, we will document any known issues here, and our official position as to the lack of relevance of the issue to the software. It is not our aim to pass generic, context-free scanners that simply flag every issue. Automation is not a substitute for human judgement.

V4.1.3

  • Guava (any) (CVE-2020-8908)

    • We don't use the affected, deprecated function, and there is no fix for the issue.

  • Ant (1.10.10) (CVE-2021-36373, CVE-2021-36374)

    • Ant is only used during installations, but downloaded packages should always be verified via GPG signature. Plugin installation automatically verifies signatures unless forcibly overridden. We will update the dependency at the next patch opportunity.

  • Commons Compress (1.20) (CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090)

    • See Ant note.

  • log4j-over-slf4j (1.7.30) (CVE-2020-9488)

    • Issue affects non-default SMTP logging functionality. We will update the dependency at the next patch opportunity if feasible (the logging stack has a lot of interdependencies).