Security update for shibboleth-sp SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2017:3215-1 Final 1 1 2017-12-05T16:39:46Z current 2017-12-05T16:39:46Z 2017-12-05T16:39:46Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for shibboleth-sp This update for shibboleth-sp fixes the following issues: Security issue fixed: - CVE-2017-16852: Fix critical security checks in the Dynamic MetadataProvider plugin in Shibboleth Service (bsc#1068689). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-SLE-RPI-12-SP2-2017-2001,SUSE-SLE-SDK-12-SP2-2017-2001,SUSE-SLE-SDK-12-SP3-2017-2001,SUSE-SLE-SERVER-12-SP2-2017-2001,SUSE-SLE-SERVER-12-SP3-2017-2001 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2017/suse-su-20173215-1/ Link for SUSE-SU-2017:3215-1 https://lists.suse.com/pipermail/sle-security-updates/2017-December/003473.html E-Mail link for SUSE-SU-2017:3215-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1068689 SUSE Bug 1068689 https://www.suse.com/security/cve/CVE-2017-16852/ SUSE CVE CVE-2017-16852 page SUSE Linux Enterprise Server 12 SP2 SUSE Linux Enterprise Server 12 SP3 SUSE Linux Enterprise Server for Raspberry Pi 12 SP2 SUSE Linux Enterprise Server for SAP Applications 12 SP2 SUSE Linux Enterprise Server for SAP Applications 12 SP3 SUSE Linux Enterprise Software Development Kit 12 SP2 SUSE Linux Enterprise Software Development Kit 12 SP3 libshibsp-lite6-2.5.5-6.3.1 libshibsp6-2.5.5-6.3.1 shibboleth-sp-2.5.5-6.3.1 shibboleth-sp-devel-2.5.5-6.3.1 libshibsp-lite6-2.5.5-6.3.1 as a component of SUSE Linux Enterprise Server 12 SP2 libshibsp6-2.5.5-6.3.1 as a component of SUSE Linux Enterprise Server 12 SP2 shibboleth-sp-2.5.5-6.3.1 as a component of SUSE Linux Enterprise Server 12 SP2 libshibsp-lite6-2.5.5-6.3.1 as a component of SUSE Linux Enterprise Server 12 SP3 libshibsp6-2.5.5-6.3.1 as a component of SUSE Linux Enterprise Server 12 SP3 shibboleth-sp-2.5.5-6.3.1 as a component of SUSE Linux Enterprise Server 12 SP3 libshibsp-lite6-2.5.5-6.3.1 as a component of SUSE Linux Enterprise Server for Raspberry Pi 12 SP2 libshibsp6-2.5.5-6.3.1 as a component of SUSE Linux Enterprise Server for Raspberry Pi 12 SP2 shibboleth-sp-2.5.5-6.3.1 as a component of SUSE Linux Enterprise Server for Raspberry Pi 12 SP2 libshibsp-lite6-2.5.5-6.3.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP2 libshibsp6-2.5.5-6.3.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP2 shibboleth-sp-2.5.5-6.3.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP2 libshibsp-lite6-2.5.5-6.3.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP3 libshibsp6-2.5.5-6.3.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP3 shibboleth-sp-2.5.5-6.3.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP3 shibboleth-sp-devel-2.5.5-6.3.1 as a component of SUSE Linux Enterprise Software Development Kit 12 SP2 shibboleth-sp-devel-2.5.5-6.3.1 as a component of SUSE Linux Enterprise Software Development Kit 12 SP3 shibsp/metadata/DynamicMetadataProvider.cpp in the Dynamic MetadataProvider plugin in Shibboleth Service Provider before 2.6.1 fails to properly configure itself with the MetadataFilter plugins and does not perform critical security checks such as signature verification, enforcement of validity periods, and other checks specific to deployments, aka SSPCPP-763. CVE-2017-16852 SUSE Linux Enterprise Server 12 SP2:libshibsp-lite6-2.5.5-6.3.1 SUSE Linux Enterprise Server 12 SP2:libshibsp6-2.5.5-6.3.1 SUSE Linux Enterprise Server 12 SP2:shibboleth-sp-2.5.5-6.3.1 SUSE Linux Enterprise Server 12 SP3:libshibsp-lite6-2.5.5-6.3.1 SUSE Linux Enterprise Server 12 SP3:libshibsp6-2.5.5-6.3.1 SUSE Linux Enterprise Server 12 SP3:shibboleth-sp-2.5.5-6.3.1 SUSE Linux Enterprise Server for Raspberry Pi 12 SP2:libshibsp-lite6-2.5.5-6.3.1 SUSE Linux Enterprise Server for Raspberry Pi 12 SP2:libshibsp6-2.5.5-6.3.1 SUSE Linux Enterprise Server for Raspberry Pi 12 SP2:shibboleth-sp-2.5.5-6.3.1 SUSE Linux Enterprise Server for SAP Applications 12 SP2:libshibsp-lite6-2.5.5-6.3.1 SUSE Linux Enterprise Server for SAP Applications 12 SP2:libshibsp6-2.5.5-6.3.1 SUSE Linux Enterprise Server for SAP Applications 12 SP2:shibboleth-sp-2.5.5-6.3.1 SUSE Linux Enterprise Server for SAP Applications 12 SP3:libshibsp-lite6-2.5.5-6.3.1 SUSE Linux Enterprise Server for SAP Applications 12 SP3:libshibsp6-2.5.5-6.3.1 SUSE Linux Enterprise Server for SAP Applications 12 SP3:shibboleth-sp-2.5.5-6.3.1 SUSE Linux Enterprise Software Development Kit 12 SP2:shibboleth-sp-devel-2.5.5-6.3.1 SUSE Linux Enterprise Software Development Kit 12 SP3:shibboleth-sp-devel-2.5.5-6.3.1 important 7.1 AV:N/AC:H/Au:N/C:C/I:C/A:N 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2017/suse-su-20173215-1/ https://www.suse.com/security/cve/CVE-2017-16852.html CVE-2017-16852 https://bugzilla.suse.com/1068689 SUSE Bug 1068689