SimpleSAMLphp 1.15.3


Jaime Perez Crespo

Feb 27, 2018, 5:14:19 AM
to SimpleSAMLphp, simplesamlp...@googlegroups.com
Hi,

SimpleSAMLphp 1.15.3 has just been released. This is a security release related to the following issue:

https://simplesamlphp.org/security/201802-01

The details of this issue are currently embargoed due to its critical impact. This requires upgrading all existing installations of SimpleSAMLphp immediately.

Please refer to the changelog for more information. The changelog and upgrade notes are available here, respectively:

https://simplesamlphp.org/docs/stable/simplesamlphp-changelog
https://simplesamlphp.org/docs/stable/simplesamlphp-upgrade-notes-1.15

The new release is available for download here:

https://github.com/simplesamlphp/simplesamlphp/releases/download/v1.15.3/simplesamlphp-1.15.3.tar.gz

You can verify the integrity of this file by comparing the SHA256 digest: bfc809bac28faae1a5557b2e361c876f445b77ba8eb2d317e4f5dcd9663a18cd

Regards,


Jaime Pérez
UNINETT / Feide

jaime...@uninett.no
jaime...@protonmail.com
9A08 EA20 E062 70B4 616B 43E3 562A FE3A 6293 62C2

"Two roads diverged in a wood, and I, I took the one less traveled by, and that has made all the difference."
- Robert Frost
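
An added example, not part of the original message or of the SimpleSAMLphp project: one way to do the digest comparison mentioned in the announcement above from a POSIX shell. It assumes the tarball was saved under its release file name in the current directory; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: compare a downloaded file against a published SHA256 digest.
# Digest and file name come from the announcement; function names are hypothetical.
EXPECTED_SHA256="bfc809bac28faae1a5557b2e361c876f445b77ba8eb2d317e4f5dcd9663a18cd"
TARBALL="simplesamlphp-1.15.3.tar.gz"   # assumed: saved in the current directory

# Print the lowercase hex SHA256 of a file, using whichever tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum < "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 < "$1" | awk '{print $1}'
    else
        openssl dgst -sha256 -r < "$1" | awk '{print $1}'
    fi
}

# Returns 0 on match, 1 on mismatch, 2 when the file or digest is unusable.
verify_sha256() {
    file=$1
    # Normalise: strip whitespace picked up by copy/paste, lowercase the hex.
    expected=$(printf '%s' "$2" | tr -d '[:space:]' | tr 'A-F' 'a-f')
    if [ ! -f "$file" ]; then
        echo "cannot verify: $file not found" >&2; return 2
    fi
    # A truncated or mistyped digest must not be reported as a plain mismatch.
    case $expected in
        *[!0-9a-f]*) echo "digest is not hex" >&2; return 2 ;;
    esac
    if [ "${#expected}" -ne 64 ]; then
        echo "digest is not 64 hex characters" >&2; return 2
    fi
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches the published digest"; return 0
    fi
    echo "MISMATCH: $file has digest $actual" >&2
    return 1
}

# Run the check only when the tarball is present, so sourcing this file is harmless.
if [ -f "$TARBALL" ]; then
    verify_sha256 "$TARBALL" "$EXPECTED_SHA256" || echo "do not unpack $TARBALL" >&2
fi
```
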

Jaime Perez Crespo

Feb 28, 2018, 7:35:55 AM
to simplesamlp...@googlegroups.com, SimpleSAMLphp
Hi,

A follow-up clarification on this. The issue fixed in this release is currently embargoed due to its severity, as well as the possibility that other vendors are affected. In fact, we have confirmed another vendor being affected. The embargo will be lifted as soon as people have had enough time to upgrade and/or fix their implementations. Currently, there’s no estimated date for the embargo to expire. We would like to stress, however, the need to upgrade as soon as possible, and avoid relying on the embargo to justify not doing the upgrade now.

We have also received many questions on whether this was related to the vulnerability disclosed yesterday by Duo Security, affecting several vendors (1). This security issue is completely unrelated to SSPSA 201802-01 and we confirm that, to the best of our knowledge, SimpleSAMLphp is NOT affected by this particular problem.

(1) https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations

Jaime Perez Crespo

Mar 5, 2018, 10:13:48 AM
to simplesamlp...@googlegroups.com, SimpleSAMLphp
Hi,

The embargo on SSPSA 201802-01 has been lifted, and details on this particular issue are now available:

https://simplesamlphp.org/security/201802-01

Again, this is a critical issue, and as such, everybody using SimpleSAMLphp (especially those using it as a service provider to protect their web applications) should upgrade immediately, if that hasn’t been done yet.