If you have a software issue that you think is a bug, search the bug list (Shibboleth Bugzilla) to see if someone has already reported it. If you don’t find your problem listed, submit a bug report.

Requests for specific feature enhancements are entered into our bug database as well.

The Shibboleth Team will release security advisories as vulnerabilities are identified. We encourage Shibboleth users to contact us with security concerns. Report security concerns by sending email to the project team.

Security Advisories for Shibboleth 2.0

• None to date.

Security Advisories for Shibboleth 1.3 and earlier

• 23-Oct-2007: Shibboleth IdP software vulnerable to AuthenticationMethod spoofing
  • An updated version of the Shibboleth 1.3 Identity Provider software is now available which corrects a security issue.
• 02-Oct-2006: Shibboleth SP software vulnerable to alternate URL encodings
  • Updated versions of the Shibboleth 1.3 and 1.2.1 Service Provider software are now available which correct a security issue.
• 18-Jun-2006: Shibboleth SP software vulnerable to header spoofing
  • Updated versions of the Shibboleth 1.3 and 1.2.1 Service Provider software are now available which correct a security issue.
• 9-Jan-2006: Error templates vulnerable to XSS (cross-site scripting) injection
  • Updated versions of the Shibboleth Service Provider software are now available which correct a security issue.
• 8-Nov-2005: Lazy session mechanism vulnerable to header spoofing
  • Updated versions of the Shibboleth 1.3 Service Provider software are now available which correct a security issue.
• 14-Dec-2004: Insufficient protection against "scope" spoofing
  • Updated versions of the Shibboleth Service Provider software are now available which correct a security issue.
• 4-Aug-2004: Incorrect SAML request/response correlation
  • Updated versions of the Shibboleth Service Provider software are now available which correct a security issue.