The details of this issue are currently embargoed due to its critical impact. This requires upgrading all existing installations of SimpleSAMLphp immediately.
Please refer to the changelog for more information. The changelog and upgrade notes are available here, respectively:
"Two roads diverged in a wood, and I, I took the one less traveled by, and that has made all the difference."
- Robert Frost
Jaime Perez Crespo
Feb 28, 2018, 7:35:55 AM
to simplesamlp...@googlegroups.com, SimpleSAMLphp
Hi,
A follow-up clarification on this. The issue fixed in this release is currently embargoed due to its severity, as well as the possibility that other vendors are affected. In fact, we have confirmed another vendor being affected. The embargo will be lifted as soon as people have had enough time to upgrade and/or fix their implementations. Currently, there’s no estimated date for the embargo to expire. We would like to stress, however, the need to upgrade as soon as possible, and avoid relying on the embargo to justify not doing the upgrade now.
We have also received many questions on whether this was related to the vulnerability disclosed yesterday by Duo Security, affecting several vendors (1). This security issue is completely unrelated to SSPSA 201802-01 and we confirm that, to the best of our knowledge, SimpleSAMLphp is NOT affected by this particular problem.
Again, this is a critical issue, and as such, everybody using SimpleSAMLphp (especially those using it as a service provider to protect their web applications) should upgrade immediately, if that hasn’t been done yet.