Bug 15557 - opensaml-java missing updates for several security issues
Summary: opensaml-java missing updates for several security issues
Status: RESOLVED OLD
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: D Morgan
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/653879/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2015-03-23 15:16 CET by David Walser
Modified: 2015-09-02 17:37 CEST
0 users

See Also:
Source RPM: opensaml-java-2.5.3-6.mga4.src.rpm
CVE:
Status comment:


Description David Walser 2015-03-23 15:16:51 CET
Shibboleth upstream has issued several advisories for the Shibboleth Identity Provider that indicate that the actual security vulnerabilities were in the bundled opensaml-java, which we have packaged separately (to my knowledge we don't have the Shibboleth IdP packaged):
https://shibboleth.net/community/advisories/secadv_20131213.txt
https://shibboleth.net/community/advisories/secadv_20140813.txt
https://shibboleth.net/community/advisories/secadv_20140919.txt
https://shibboleth.net/community/advisories/secadv_20150225.txt

Fixing all of these would require updating opensaml-java to 2.6.5.  Fedora hasn't addressed a single one of these issues and is still using 2.5.3, so this appears to be another Java package in Fedora that's not being properly maintained.  Fortunately, we have dropped it in Cauldron.

Comment 1 David Walser 2015-08-07 21:38:28 CEST
Fedora has issued an advisory for the secadv_20140813 issue (CVE-2014-3603) on June 20:
https://lists.fedoraproject.org/pipermail/package-announce/2015-August/163154.html

URL: (none) => http://lwn.net/Vulnerabilities/653879/

Comment 2 David Walser 2015-09-02 17:37:29 CEST
With only a couple of weeks remaining in Mageia 4's lifetime, we don't have time to fix this and test it.  This package has been dropped and no longer exists in Mageia as of Mageia 5.  Closing this as OLD.

Status: NEW => RESOLVED
Resolution: (none) => OLD

