Upstream has issued an advisory on March 19:
https://shibboleth.net/community/advisories/secadv_20150319.txt

The issue is fixed upstream in 2.5.4.

Mageia 4 and Mageia 5 are affected.

The advisory also mentions similar issues in xerces-c and openssl. The xerces-c issue is being handled in Bug 15538 and openssl was already fixed in Bug 15530.
A CVE has been requested for the issue in shibboleth-sp: http://openwall.com/lists/oss-security/2015/03/23/12
Whiteboard: (none) => MGA5TOO, MGA4TOO
CVE-2015-2684 has been assigned for shibboleth-sp: http://openwall.com/lists/oss-security/2015/03/23/15
Summary: shibboleth-sp new DoS security issue => shibboleth-sp new DoS security issue (CVE-2015-2684)
shibboleth-sp-2.5.4-1.mga5 uploaded for Cauldron.
Version: Cauldron => 4
Whiteboard: MGA5TOO, MGA4TOO => (none)
Debian has issued an advisory for this on March 28: https://www.debian.org/security/2015/dsa-3207
URL: (none) => http://lwn.net/Vulnerabilities/638444/
shibboleth-sp-2.5.3-1.1.mga4 submitted in updates_testing for mageia 4.
Thanks Guillaume!

Advisory:
========================

Updated shibboleth-sp package fixes security vulnerability:

A denial of service vulnerability was found in the Shibboleth Service Provider. When processing certain malformed SAML messages generated by an authenticated attacker, the daemon could crash (CVE-2015-2684).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2684
https://shibboleth.net/community/advisories/secadv_20150319.txt
https://www.debian.org/security/2015/dsa-3207
========================

Updated packages in core/updates_testing:
========================
shibboleth-sp-2.5.3-1.1.mga4
apache-mod_shib-2.5.3-1.1.mga4
libshibboleth-sp6-2.5.3-1.1.mga4
libshibboleth-sp-devel-2.5.3-1.1.mga4

from shibboleth-sp-2.5.3-1.1.mga4.src.rpm
CC: (none) => guillomovitch
Assignee: guillomovitch => qa-bugs
In VirtualBox, M4, KDE, 32-bit

Package(s) under test:
shibboleth-sp apache-mod_shib libshibboleth-sp6 libshibboleth-sp-devel

default install of shibboleth-sp & apache-mod_shib

[root@localhost wilcal]# urpmi shibboleth-sp
Package shibboleth-sp-2.5.3-1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi apache-mod_shib
Package apache-mod_shib-2.5.3-1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi libshibboleth-sp6
Package libshibboleth-sp6-2.5.3-1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi libshibboleth-sp-devel
Package libshibboleth-sp-devel-2.5.3-1.mga4.i586 is already installed

shibboleth-sp apache-mod_shib libshibboleth-sp6 libshibboleth-sp-devel install without error.

install shibboleth-sp apache-mod_shib libshibboleth-sp6 libshibboleth-sp-devel from updates_testing

[root@localhost wilcal]# urpmi shibboleth-sp
Package shibboleth-sp-2.5.3-1.1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi apache-mod_shib
Package apache-mod_shib-2.5.3-1.1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi libshibboleth-sp6
Package libshibboleth-sp6-2.5.3-1.1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi libshibboleth-sp-devel
Package libshibboleth-sp-devel-2.5.3-1.1.mga4.i586 is already installed

shibboleth-sp apache-mod_shib libshibboleth-sp6 libshibboleth-sp-devel install without error.

According to one tester of shibboleth "Setting up Shibboleth has been one of my worst experiences in recent memory".
http://www.jeesty.com/shibboleth
I'm not sure I'm willing to travel in his footsteps.

Seems to install ok. Good enough for me. Good enough for you David?

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
CC: (none) => wilcal.int
You should be able to show shibd service working probably, Bill.
If we can show that there isn't any basic obvious regression, that'd be ideal. For something complicated and unfamiliar like this and with our current backlog, showing that it installs might be the best we can do. There is a shibd.service; I don't know if it's runnable without doing any configuration.
Well it looked like it got installed alright.

MCC -> System -> Manage system services
lists it as: shibd
but it's stopped. Clicking on Start does not start it.
ps -A does not list it as running.

[root@localhost wilcal]# service shibd start
Redirecting to /bin/systemctl start shibd.service
Job for shibd.service failed. See 'systemctl status shibd.service' and 'journalctl -xn' for details.

Well it's responding. Let's move this one along.
In VirtualBox, M4, KDE, 64-bit

Package(s) under test:
shibboleth-sp apache-mod_shib lib64shibboleth-sp6 lib64shibboleth-sp-devel

default install of shibboleth-sp apache-mod_shib lib64shibboleth-sp6 lib64shibboleth-sp-devel

[root@localhost wilcal]# urpmi shibboleth-sp
Package shibboleth-sp-2.5.3-1.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi apache-mod_shib
Package apache-mod_shib-2.5.3-1.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64shibboleth-sp6
Package lib64shibboleth-sp6-2.5.3-1.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64shibboleth-sp-devel
Package lib64shibboleth-sp-devel-2.5.3-1.mga4.x86_64 is already installed

shibboleth-sp apache-mod_shib lib64shibboleth-sp6 lib64shibboleth-sp-devel install without error.

install shibboleth-sp apache-mod_shib lib64shibboleth-sp6 lib64shibboleth-sp-devel from updates_testing

[root@localhost wilcal]# urpmi shibboleth-sp
Package shibboleth-sp-2.5.3-1.1.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi apache-mod_shib
Package apache-mod_shib-2.5.3-1.1.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64shibboleth-sp6
Package lib64shibboleth-sp6-2.5.3-1.1.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64shibboleth-sp-devel
Package lib64shibboleth-sp-devel-2.5.3-1.1.mga4.x86_64 is already installed

shibboleth-sp apache-mod_shib libshibboleth-sp6 libshibboleth-sp-devel install without error.

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
Good enough for Government work (literally), this update installs fine.

Testing complete for mga4 32-bit & 64-bit.

Validating the update.

Could someone from the sysadmin team push this to updates?

Thanks
Whiteboard: (none) => MGA4-32-OK MGA4-64-OK
Confirmed the reason for failure is just:
shibd[28907]: configuration is invalid, check console for specific problems
Advisory uploaded. Really validating.
Keywords: (none) => validated_update
Whiteboard: MGA4-32-OK MGA4-64-OK => has_procedure advisory MGA4-32-OK MGA4-64-OK
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0148.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED