Security update for shibboleth-sp SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2017:3229-1 Final 1 1 2017-12-06T21:36:07Z current 2017-12-06T21:36:07Z 2017-12-06T21:36:07Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for shibboleth-sp This update for shibboleth-sp fixes the following issues: Security issue fixed: - CVE-2017-16852: Fix critical security checks in the Dynamic MetadataProvider plugin in Shibboleth Service (bsc#1068689). This update was imported from the SUSE:SLE-12-SP1:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-security-announce/2017-12/msg00013.html E-Mail link for openSUSE-SU-2017:3229-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 42.2 openSUSE Leap 42.3 libshibsp-lite6-2.5.5-9.2 libshibsp6-2.5.5-9.2 shibboleth-sp-2.5.5-9.2 shibboleth-sp-devel-2.5.5-9.2 libshibsp-lite6-2.5.5-9.2 as a component of openSUSE Leap 42.2 libshibsp6-2.5.5-9.2 as a component of openSUSE Leap 42.2 shibboleth-sp-2.5.5-9.2 as a component of openSUSE Leap 42.2 shibboleth-sp-devel-2.5.5-9.2 as a component of openSUSE Leap 42.2 libshibsp-lite6-2.5.5-9.2 as a component of openSUSE Leap 42.3 libshibsp6-2.5.5-9.2 as a component of openSUSE Leap 42.3 shibboleth-sp-2.5.5-9.2 as a component of openSUSE Leap 42.3 shibboleth-sp-devel-2.5.5-9.2 as a component of openSUSE Leap 42.3 shibsp/metadata/DynamicMetadataProvider.cpp in the Dynamic MetadataProvider plugin in Shibboleth Service Provider before 2.6.1 fails to properly configure itself with the MetadataFilter plugins and does not perform critical security checks such as signature verification, enforcement of validity periods, and other checks specific to deployments, aka SSPCPP-763. CVE-2017-16852 openSUSE Leap 42.2:libshibsp-lite6-2.5.5-9.2 openSUSE Leap 42.2:libshibsp6-2.5.5-9.2 openSUSE Leap 42.2:shibboleth-sp-2.5.5-9.2 openSUSE Leap 42.2:shibboleth-sp-devel-2.5.5-9.2 openSUSE Leap 42.3:libshibsp-lite6-2.5.5-9.2 openSUSE Leap 42.3:libshibsp6-2.5.5-9.2 openSUSE Leap 42.3:shibboleth-sp-2.5.5-9.2 openSUSE Leap 42.3:shibboleth-sp-devel-2.5.5-9.2 important 7.1 AV:N/AC:H/Au:N/C:C/I:C/A:N Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2017-12/msg00013.html https://www.suse.com/security/cve/CVE-2017-16852.html CVE-2017-16852 https://bugzilla.suse.com/1068689 SUSE Bug 1068689