If you have a software issue that you wish to report, search the existing issue list to see if someone has already reported it. If you don’t find your problem listed, submit a new issue report.

Requests for specific feature enhancements are entered into our issue database as well.

The Shibboleth Team will release security advisories as vulnerabilities are identified. We encourage Shibboleth users to contact us with security concerns. Report security concerns by sending email to the project team.

Security Advisories for Shibboleth 2.x

• 24-Oct-2011: Use of XML Encryption Vulnerable to Chosen Ciphertext Attacks
  • The use of XML Encryption in conjunction with SAML 2.0 in current versions of Shibboleth is impacted by a recently disclosed flaw in the encryption standard. This advisory discusses the implications of this flaw and provides advice to deployers.
• 25-Jul-2011: OpenSAML software is vulnerable to XML Signature wrapping attacks
  • SP, version 2.4.3, assists in the distribution of the fix for this issue. The actual fix is in OpenSAML-C V2.4.3. IdP, version 2.3.2, includes the fix for this issue. The actual fix is in OpenSAML-J V2.5.1
• 18-Jul-2011: Shibboleth IdP Mult-Session Information Leakage
• 6-Jul-2011: Shibboleth SP software crashes on large signing/encryption keys
  • SP, version 2.4.3, assists in the distribution of the fix for this issue. The actual fix is in Apache XML Security for C++ V1.6.1
• 16-May-2011: Shibboleth IdP 2.X Velocity templates vulnerable to XSS (cross-site scripting) injection
  • IdP, version 2.3.0, addresses this issue.
• 13-Jan-2011: Shibboleth IdP 2.X Single TransientID Mapped to Multiple Principals
  • An updated version of a library provided with the Shibboleth 2.x Identity Provider software is now available which corrects a security issue.
• 1-Apr-2010: [REPOST] Shibboleth 2 IdP Error Page Vulnerable to Cross-site Request Attack
  • This issue was reposted as a new way to cause a cross-site request attack on the error page was discovered.
• 4-Nov-2009: Shibboleth IdP and SP software improperly handles malformed URLs
  • An updated version of a library provided with the Shibboleth 1.3 and 2.x Identity and Service Provider software is now available which corrects a security issue.
• 26-Aug-2009: Shibboleth SP software improperly handles malformed URLs
  • An updated version of a library provided with the Shibboleth 2 Service Provider software is now available which corrects a security issue.
• 17-Aug-2009: Shibboleth SP software improperly handles certificate names
  17-Aug-2009: Shibboleth SP software improperly evaluates KeyDescriptors
  • An updated version of the Shibboleth 2 Service Provider software is now available which corrects a pair of security issues.
• 19-Jun-2009: Potential Access to Sensitive Information when Clustering Shibboleth 2.X IdPs
  • This possible attacks requires that hosts properly restrict access to the communication ports used within the IdP cluster.
• 15-Jun-2009: Shibboleth SP software on IIS vulnerable to header spoofing
  • An updated version of the Shibboleth 2 Service Provider software is now available which corrects a security issue, but some application remediation may be required.
• 24-Feb-2009: Shibboleth 2 IdP Error Page Vulnerable to Cross-site Request Attack
  • Instructions for mitigating this attack are included in the announcement and a formal fix will be present in release 2.2.0
• 03-Nov-2008: Shibboleth IdP 2.0 UsernamePassword Login Handler Vulnerable to Cross-site Request Attack
  • An updated version of the Shibboleth 2.0 Identity Provider software is now available which corrects a security issue.

Security Advisories for Shibboleth 1.3.x and earlier

• 26-Aug-2009: Shibboleth SP software improperly handles malformed URLs
  • An updated version of the Shibboleth 1.3 Service Provider software is now available which corrects a security issue.
• 17-Aug-2009: Shibboleth SP software improperly handles certificate names
  17-Aug-2009: Shibboleth SP software improperly evaluates KeyDescriptors
  • An updated version of the Shibboleth 1.3 Service Provider software is now available which corrects a pair of security issues.
• 15-Jun-2009: Shibboleth SP software on IIS vulnerable to header spoofing
  • An updated version of the Shibboleth 1.3 Service Provider software is now available which corrects a security issue, but some application remediation may be required.
• 23-Oct-2007: Shibboleth IdP software vulnerable to AuthenticationMethod spoofing
  • An updated version of the Shibboleth 1.3 Identity Provider software is now available which corrects a security issue.
• 02-Oct-2006: Shibboleth SP software vulnerable to alternate URL encodings
  • Updated versions of the Shibboleth 1.3 and 1.2.1 Service Provider software are now available which correct a security issue.
• 18-Jun-2006: Shibboleth SP software vulnerable to header spoofing
  • Updated versions of the Shibboleth 1.3 and 1.2.1 Service Provider software are now available which correct a security issue.
• 9-Jan-2006: Error templates vulnerable to XSS (cross-site scripting) injection
  • Updated versions of the Shibboleth Service Provider software are now available which correct a security issue.
• 8-Nov-2005: Lazy session mechanism vulnerable to header spoofing
  • Updated versions of the Shibboleth 1.3 Service Provider software are now available which correct a security issue.
• 14-Dec-2004: Insufficient protection against "scope" spoofing
  • Updated versions of the Shibboleth Service Provider software are now available which correct a security issue.
• 4-Aug-2004: Incorrect SAML request/response correlation
  • Updated versions of the Shibboleth Service Provider software are now available which correct a security issue.