Matt Elder discovered that Shibboleth, a federated web single sign-on system is vulnerable to script injection through redirection URLs. More details can be found in the Shibboleth advisory at http://shibboleth.internet2.edu/secadv/secadv_20091104.txt. For the old stable distribution (etch), this problem has been fixed in version 1.3f.dfsg1-2+etch2 of shibboleth-sp. For the stable distribution (lenny), this problem has been fixed in version 1.3.1.dfsg1-3+lenny2 of shibboleth-sp, version 2.0.dfsg1-4+lenny2 of shibboleth-sp2 and version 2.0-2+lenny2 of opensaml2. For the unstable distribution (sid), this problem has been fixed in version 2.3+dfsg-1 of shibboleth-sp2, version 2.3-1 of opensaml2 and version 1.3.1-1 of xmltooling. We recommend that you upgrade your Shibboleth packages.
Matt Elder discovered that Shibboleth, a federated web single sign-on system is vulnerable to script injection through redirection URLs. More details can be found in the Shibboleth advisory at http://shibboleth.internet2.edu/secadv/secadv_20091104.txt.
For the old stable distribution (etch), this problem has been fixed in version 1.3f.dfsg1-2+etch4 of shibboleth-sp.
For the stable distribution (lenny), this problem has been fixed in version 1.3.1.dfsg1-3+lenny2 of shibboleth-sp, version 2.0.dfsg1-4+lenny2 of shibboleth-sp2 and version 2.0-2+lenny2 of opensaml2.
For the unstable distribution (sid), this problem has been fixed in version 2.3+dfsg-1 of shibboleth-sp2, version 2.3-1 of opensaml2 and version 1.3.1-1 of xmltooling.
We recommend that you upgrade your Shibboleth packages.
MD5 checksums of the listed files are available in the original advisory.