Shibboleth Service Provider Security Advisory [4 August 2004]

Updated versions of the Shibboleth Service Provider software are now
available which correct a security issue:

Incorrect SAML request/response correlation
===========================================

Bugs in OpenSAML and libcurl through at least 7.10.8 combine to result in
a possibility of SAML SOAP request messages being correlated to a SOAP
response sent earlier over the same HTTP connection. See
http://www.opensaml.org/secadv/secadv_20040804.txt for more information
about this issue.

The Shibboleth Service Provider software uses OpenSAML to issue SAML
queries to the Attribute Authority provided as part of the Shibboleth
System. The correlation bug can cause a critical security exposure if a
timeout condition in the "shar" service is triggered due to a delay in
receiving a response. If Keep-Alives are enabled with that AA, OpenSAML
sometimes fails to close the connection and may associate a later query
with a response sent by the AA in response to the original timed-out
query. The bug can thus cause attributes returned by an AA to be
associated with the wrong user session.

All versions of OpenSAML included with Shibboleth releases from 1.1 to
1.2 inclusive are potentially affected by this issue. However, the
OpenSAML documentation accompanying Shibboleth 1.2 advises the use of a
new enough version of libcurl (7.11.1) to mitigate the possibility of the
bug occurring. The binaries shipped for Windows with 1.2 also include
this version. Therefore sites running 1.2 (and a libcurl at least as new
as 7.11.1) are not immediately affected, but should upgrade at their
earliest convenience.

Recommendations
---------------

Verify that the curl/libcurl version in use is at least 7.11.1.

Upgrade to the latest patched releases of OpenSAML, per the security
advisory here: http://www.opensaml.org/secadv/secadv_20040804.txt

For those building Shibboleth 1.1 or 1.2 from source, replacing the
version of "libsaml.so" in your installed system will correct the
problem. You DO NOT need to rebuild Shibboleth itself, and no
configuration changes are needed.

For users running Windows, a new package and post-install set for
version 1.2 has been created and is available at the download site:

http://wayf.internet2.edu/shibboleth/

The distribution file names are:

o win32/shibboleth-1.2-win32.exe
  GPG: shibboleth-1.2-win32.exe.asc

o win32/shibboleth-1.2-win32-postinstall.zip
  GPG: shibboleth-1.2-win32-postinstall.zip.asc

The postinstall archive can be used to replace the updated files in an
installed version. All files updated since the original release of
version 1.2 are included.

Credits
-------

Patches for these issues were created by Scott Cantor (cantor.2@osu.edu),
the principal developer.

URL for this Security Advisory:
http://shibboleth.internet2.edu/secadv/secadv_20040804.txt
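The keep-alive correlation failure described in the advisory, as an added simulation that is not part of this advisory or of the OpenSAML/libcurl code: a stand-in Attribute Authority answers SAML-style queries over one connection, the client's first query times out but the connection is reused, and the second query is handed the stale reply unless the reply's InResponseTo is checked against the request ID. The message format, names and timings are constructed for the demonstration.

```python
import re
import socket
import threading
import time

# Constructed simulation (not OpenSAML or libcurl code): an AA answering queries on one
# keep-alive connection, a client whose first query times out, and the InResponseTo check.

def aa_server(sock, first_delay):
    """Answer each newline-terminated query in arrival order; delay the first one."""
    delay = first_delay
    for line in sock.makefile("rb"):
        req_id = re.search(rb'ID="([^"]+)"', line).group(1).decode()
        user = re.search(rb'Subject="([^"]+)"', line).group(1).decode()
        time.sleep(delay)  # a slow attribute lookup, longer than the client timeout
        delay = 0
        try:
            sock.sendall(f'<Response InResponseTo="{req_id}" Subject="{user}"/>\n'.encode())
        except OSError:
            break  # client went away
    sock.close()

def query(sock, req_id, user, timeout, check_correlation):
    """Send one query, read one reply; return the Subject the reply asserts."""
    sock.settimeout(timeout)
    sock.sendall(f'<Request ID="{req_id}" Subject="{user}"/>\n'.encode())
    data = b""
    try:
        while b"\n" not in data:
            data += sock.recv(4096)
    except (socket.timeout, TimeoutError):
        return None  # a correct client drops the connection here instead of reusing it
    resp = data.split(b"\n", 1)[0].decode()
    in_reply_to = re.search(r'InResponseTo="([^"]+)"', resp).group(1)
    if check_correlation and in_reply_to != req_id:
        raise ValueError(f"reply to {in_reply_to} arrived for request {req_id}")
    return re.search(r'Subject="([^"]+)"', resp).group(1)

def run(check_correlation):
    """Alice's query times out but the connection is reused for Bob's (the bug)."""
    client, server = socket.socketpair()
    threading.Thread(target=aa_server, args=(server, 0.3), daemon=True).start()
    try:
        assert query(client, "req-alice", "alice", 0.1, check_correlation) is None
        return query(client, "req-bob", "bob", 2.0, check_correlation)  # "alice" or "rejected"
    except ValueError:
        return "rejected"
    finally:
        client.close()
```

Closing the connection after a timeout (which the advised libcurl version does) removes the stale reply at the source; checking InResponseTo is the independent guard the SP side can apply.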