OpenConext critical security update

Bart Geesink

Nov 7, 2019, 3:45:34 PM
Hi all,

As some of you might have heard already, a critical security issue has been identified in
XMLSecLibs, a PHP library that handles XML signatures. CVE-2019-3465 has been assigned to this
vulnerability. This library is used in several OpenConext applications: Engineblock, Profile, and
the applications from the Stepup stack: Stepup-Gateway, Stepup-SelfService, Stepup-RA, Stepup-tiqr
and Stepup-Middleware. The last two applications have the library but are not vulnerable to attack.
A full description of the vulnerability can be found here:

You are strongly advised to update as soon as possible. The following versions have been made
available already:
engineblock 5.13.3 (please check if you are still on 5.11 or below)
profile 1.2.3
Stepup-SelfService 3.0.1
Stepup-RA 3.0.1
Stepup-Middleware 3.0.2
Stepup-Tiqr 2.1.15

We are working to release updated versions of all affected applications as soon as possible and
expect to have these ready tomorrow. An alternative way to fix the issue is to replace
/vendor/robrichards/xmlseclibs/src/XMLSecurityDSig.php in the affected applications with the version
that contains the fix (see:

If you have any questions, feel free to contact this list.
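
One way to verify the manual file replacement described above across several installed applications, as an added example that is not part of the original message and not OpenConext code. The function name `audit_xmlseclibs`, the deployment root and the reference copy of the fixed file are assumptions supplied by the operator.

```shell
#!/bin/sh
# Added example: find every deployed copy of XMLSecurityDSig.php under a root
# directory and report whether it is byte-identical to a reference copy of the
# fixed file. Assumption: the operator obtained REFERENCE from the fixed
# xmlseclibs release and knows the directory that holds the applications.
# Usage (after sourcing this file): audit_xmlseclibs ROOT REFERENCE

REL_PATH='vendor/robrichards/xmlseclibs/src/XMLSecurityDSig.php'

# Prints "OK <path>" or "STALE <path>" for each copy found.
# Returns 0 if every copy matches the reference, 1 if any copy differs,
# 2 on a usage error or when no copy is found at all.
audit_xmlseclibs() {
    root=$1
    ref=$2
    [ -d "$root" ] && [ -f "$ref" ] || {
        echo "usage: audit_xmlseclibs ROOT REFERENCE" >&2
        return 2
    }
    found=0
    stale=0
    list=$(mktemp) || return 2
    # Collect matches in a temp file so the counters survive the loop.
    find "$root" -type f -path "*/$REL_PATH" -print > "$list"
    while IFS= read -r f; do
        found=$((found + 1))
        if cmp -s "$f" "$ref"; then
            echo "OK    $f"
        else
            echo "STALE $f"
            stale=$((stale + 1))
        fi
    done < "$list"
    rm -f "$list"
    [ "$found" -gt 0 ] || {
        echo "no copies found under $root" >&2
        return 2
    }
    [ "$stale" -eq 0 ]
}
```

A copy reported as STALE only means it differs from the reference; upgrading the application to one of the versions listed above remains the complete fix.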


