Great, thanks for confirming Michael. Dominic.
On Mon, Sep 11, 2017 at 02:14:05PM +0000, Michael McNeill wrote: > Dominic, > > After reviewing, it does appear that 1.4 is vulnerable to the XSS attack > and should be patched using the same patch made here: > https://github.com/michaelryanmcneill/shibboleth/blob/1d65ad6786282d23ba1865f56e2fd19188e7c26a/shibboleth.php#L463 > > Please let me know if you have additional questions. > > Best regards, > Michael McNeill > > On Mon, Sep 11, 2017 at 6:20 AM Dominic Hargreaves <d...@earth.li> wrote: > > > On Mon, Sep 11, 2017 at 03:21:08AM +0000, Craig Small wrote: > > > On Wed, 6 Sep. 2017, 07:03 Dominic Hargreaves <d...@earth.li> wrote: > > > > > > > I have just become aware of an old security issue that was fixed > > > > in upstream: > > > > > > > > > > > > > > https://github.com/michaelryanmcneill/shibboleth/commit/1d65ad6786282d23ba1865f5 > > > > 6e2fd19188e7c26a > > > > < > > https://github.com/michaelryanmcneill/shibboleth/commit/1d65ad6786282d23ba1865f56e2fd19188e7c26a > > > > > > > > > > > > > > > Given that noone has noticed and reported this as an issue for a year > > > > in the Debian package, and I'm not completely sure of how easy it is > > > > to exploit, I'm not exactly sure of the correct severity or whether > > > > this warrants a DSA or just a point release update. I'm CCing > > > > the Wordpress maintainer in case they have any ideas. > > > > > > > > This bug will be fixed in unstable shortly. > > > > > > > Hi, > > > Probably a security team question but the un-patched plugin permits a > > XSS > > > attack so it should be a DSA I think. > > > > I'm just confirming the status of the bug in 1.4 with the upstream > > maintainer prior to a fix. Also looping in the security team. > > > > Cheers, > > Dominic. > >