Bug 22046 - shibboleth-sp new security issue CVE-2017-16852
Summary: shibboleth-sp new security issue CVE-2017-16852
Status: RESOLVED WONTFIX
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 5
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: Guillaume Rousse
QA Contact: Sec team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-11-17 16:53 CET by David Walser
Modified: 2017-11-18 10:48 CET (History)
1 user (show)

See Also:
Source RPM: shibboleth-sp-2.5.4-1.mga5.src.rpm
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2017-11-17 16:53:12 CET 
Debian has issued an advisory on November 16:
https://www.debian.org/security/2017/dsa-4038

Corresponding upstream advisory from November 15:
https://shibboleth.net/community/advisories/secadv_20171115.txt

The issue is fixed upstream in 2.6.1, and a patch can be obtained from upstream git or from Debian.
David Walser 2017-11-17 16:53:25 CET

See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=22047

Comment 1 Marja Van Waes 2017-11-17 20:48:35 CET 
Assigning to the registered shibboleth maintainer.

CC: (none) => marja11
Assignee: bugsquad => guillomovitch

Comment 2 Guillaume Rousse 2017-11-18 10:48:45 CET 
According to https://blog.mageia.org/en/2017/11/07/mageia-5-eol-postponed/, support is now limited to "critical security fixes for components found in most systems", and shibboleth doesn't really match this definition. I won't prevent someone motivated enough to do the work, but I won't do it myself.

Resolution: (none) => WONTFIX
Status: NEW => RESOLVED
Note You need to log in before you can comment on or make changes to this bug.