Bug 22046

Summary: shibboleth-sp new security issue CVE-2017-16852
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: Guillaume Rousse <guillomovitch>
Status: RESOLVED WONTFIX QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: marja11
Version: 5   
Target Milestone: ---   
Hardware: All   
OS: Linux   
See Also: https://bugs.mageia.org/show_bug.cgi?id=22047
Whiteboard:
Source RPM: shibboleth-sp-2.5.4-1.mga5.src.rpm CVE:
Status comment:

Description David Walser 2017-11-17 16:53:12 CET 
Debian has issued an advisory on November 16:
https://www.debian.org/security/2017/dsa-4038

Corresponding upstream advisory from November 15:
https://shibboleth.net/community/advisories/secadv_20171115.txt

The issue is fixed upstream in 2.6.1, and a patch can be obtained from upstream git or from Debian.
David Walser 2017-11-17 16:53:25 CET

See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=22047

Comment 1 Marja Van Waes 2017-11-17 20:48:35 CET 
Assigning to the registered shibboleth maintainer.

CC: (none) => marja11
Assignee: bugsquad => guillomovitch

Comment 2 Guillaume Rousse 2017-11-18 10:48:45 CET 
According to https://blog.mageia.org/en/2017/11/07/mageia-5-eol-postponed/, support is now limited to "critical security fixes for components found in most systems", and shibboleth doesn't really match this definition. I won't prevent someone motivated enough to do the work, but I won't do it myself.

Resolution: (none) => WONTFIX
Status: NEW => RESOLVED