Your message dated Sun, 07 Sep 2025 16:02:45 +0000
with message-id <[email protected]>
and subject line Bug#1114506: fixed in shibboleth-sp 3.4.1+dfsg-2+deb12u1
has caused the Debian Bug report #1114506,
regarding shibboleth-sp: SQL injection vulnerability in Service Provider ODBC plugin
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1114506: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1114506
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: shibboleth-sp
Version: 3.4.1+dfsg-2
Severity: grave
Tags: upstream patch security fixed-upstream
Forwarded: https://issues.shibboleth.net/jira/browse/SSPCPP-1014

Shibboleth Service Provider Security Advisory [3 September 2025]

An updated version of the Shibboleth Service Provider is available
to correct a SQL injection vulnerability in the ODBC StorageService
extension shipped with some distributions of the software.

The vulnerability is moderate to high severity for anyone using
the ODBC plugin, and of no impact for others.

SQL injection vulnerability in Service Provider ODBC plugin
===========================================================
The Shibboleth Service Provider includes a storage API usable
for a number of different use cases such as the session cache,
replay cache, and relay state management. An ODBC extension
plugin is provided with some distributions of the software
(notably on Windows).

A SQL injection vulnerability was identified in some of the
queries issued by the plugin, and this can be creatively
exploited through specially crafted inputs to exfiltrate
information stored in the database used by the SP.

Recommendations
===============
Update to V3.5.1 (or later) of the Shibboleth Service Provider,
or if you cannot, then migrate off of the ODBC storage
plugin/extension.

Restarting the shibd process is sufficient to apply the change,
as the affected code runs only within that process.


Credits
=======
SEC Consult Vulnerability Lab
Florian Stuhlmann

URL for this Security Advisory:
https://shibboleth.net/community/advisories/secadv_20250903.txt

--- End Message ---
--- Begin Message ---
Source: shibboleth-sp
Source-Version: 3.4.1+dfsg-2+deb12u1
Done: Ferenc Wágner <[email protected]>

We believe that the bug you reported is fixed in the latest version of
shibboleth-sp, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ferenc Wágner <[email protected]> (supplier of updated shibboleth-sp package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


Format: 1.8
Date: Sat, 06 Sep 2025 12:38:25 +0200
Source: shibboleth-sp
Architecture: source
Version: 3.4.1+dfsg-2+deb12u1
Distribution: bookworm-security
Urgency: high
Maintainer: Debian Shib Team <[email protected]>
Changed-By: Ferenc Wágner <[email protected]>
Closes: 1114506
Changes:
 shibboleth-sp (3.4.1+dfsg-2+deb12u1) bookworm-security; urgency=high
 .
   * [80ae771] New patch: SSPCPP-1014 - Extend escaping in strings.
     Fix SQL injection vulnerability in Service Provider ODBC plugin:
     specially crafted inputs can exfiltrate information stored in the
     database used by the SP.  The vulnerability is moderate to high
     severity for anyone using the ODBC plugin, and of no impact for others.
     Thanks to Scott Cantor (Closes: #1114506)
Checksums-Sha1:
 ee2cb5feba6987b6f6fd0bbee2d61a31d0bda9c3 2901 shibboleth-sp_3.4.1+dfsg-2+deb12u1.dsc
 b2ae88bd22c8fd1700d25168e576c175ab74e6b6 649532 shibboleth-sp_3.4.1+dfsg.orig.tar.xz
 a1351ab9f8dbc528459f0b3803d7c5e7be86548b 41772 shibboleth-sp_3.4.1+dfsg-2+deb12u1.debian.tar.xz
 6f7d3389ab7c65937009250d24fa3a886f8cc76c 14912 shibboleth-sp_3.4.1+dfsg-2+deb12u1_amd64.buildinfo
Checksums-Sha256:
 1f319cce83b77f65ff4d2910905124c290bfbf07b4b88b86f1789f930039d472 2901 shibboleth-sp_3.4.1+dfsg-2+deb12u1.dsc
 f7f4736ab66d08ae94b861adf3ddd15ad5fbe0ace1010a2bd2c0d32a92f9f047 649532 shibboleth-sp_3.4.1+dfsg.orig.tar.xz
 43841e7713c85dc52c0cce6de685905a35c4d7a98c0c2aefab24d611b5a3a345 41772 shibboleth-sp_3.4.1+dfsg-2+deb12u1.debian.tar.xz
 cb7b15a82d9f4c043839bcaa9ec9c83f773a04ad352bc9f6d1e3ee85072ccd6f 14912 shibboleth-sp_3.4.1+dfsg-2+deb12u1_amd64.buildinfo
Files:
 74d57c102283bd32d5b97dacff04ac7f 2901 web optional shibboleth-sp_3.4.1+dfsg-2+deb12u1.dsc
 12d5d61f37a0fc6a55c63fa71ff9037c 649532 web optional shibboleth-sp_3.4.1+dfsg.orig.tar.xz
 41f6b26ab6ae9464b75d901bdc08d178 41772 web optional shibboleth-sp_3.4.1+dfsg-2+deb12u1.debian.tar.xz
 2b8629611595685a7baa38ec2b1ab271 14912 web optional shibboleth-sp_3.4.1+dfsg-2+deb12u1_amd64.buildinfo



--- End Message ---
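The advisory and the changelog entry ("Extend escaping in strings") describe the weakness only in outline: the ODBC plugin built some of its SQL text from strings it stored, and the escaping applied to those strings was incomplete. The following is an added illustration, not Shibboleth code and not the patch shipped in this upload. It models a string store with the context/key/value shape of the SP's storage API on top of Python's sqlite3, written three ways: SQL text with no escaping, SQL text with standard quote doubling, and bound parameters. Every input and table name here is constructed for the example.

```python
import sqlite3

# Constructed sample inputs: a key and a value carrying the characters that a
# query-building layer must keep as data (quotes, backslash, ';', '--').
CONTEXT = "sessions"
KEY = "O'Brien"
VALUE = "it's \"x\" \\ ; -- y"

# Hypothetical table; the real plugin's schema is not shown on the page.
SCHEMA = ("CREATE TABLE strings (context TEXT, id TEXT, value TEXT, "
          "PRIMARY KEY (context, id))")


def quote_literal(s: str) -> str:
    """Turn s into a SQL string literal by doubling single quotes (the SQL
    standard rule). Sufficient for SQLite; not for dialects that also give
    backslash meaning inside literals."""
    return "'" + s.replace("'", "''") + "'"


class _Store:
    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.execute(SCHEMA)


class ConcatStore(_Store):
    """Builds SQL by string formatting; `escape` is the literal-building hook."""

    def __init__(self, escape=None):
        super().__init__()
        # The default hook only adds quotes, i.e. it performs no escaping.
        self.escape = escape or (lambda s: "'" + s + "'")

    def create_string(self, context, key, value):
        sql = ("INSERT INTO strings (context, id, value) VALUES (%s, %s, %s)"
               % (self.escape(context), self.escape(key), self.escape(value)))
        self.db.execute(sql)

    def read_string(self, context, key):
        sql = ("SELECT value FROM strings WHERE context=%s AND id=%s"
               % (self.escape(context), self.escape(key)))
        row = self.db.execute(sql).fetchone()
        return row[0] if row else None


class ParamStore(_Store):
    """Same API, but values travel as bound parameters and never enter SQL text."""

    def create_string(self, context, key, value):
        self.db.execute("INSERT INTO strings (context, id, value) VALUES (?, ?, ?)",
                        (context, key, value))

    def read_string(self, context, key):
        row = self.db.execute("SELECT value FROM strings WHERE context=? AND id=?",
                              (context, key)).fetchone()
        return row[0] if row else None


def roundtrip(store):
    """Store the sample record and read it back.

    Returns (intact, error_name): intact is True only if the value comes back
    unchanged; error_name is set when the input altered the SQL structure
    enough that the statement no longer parses, which is the same defect an
    injection exploits, surfacing here as a parse failure."""
    try:
        store.create_string(CONTEXT, KEY, VALUE)
        return store.read_string(CONTEXT, KEY) == VALUE, None
    except sqlite3.Error as exc:
        return False, type(exc).__name__


if __name__ == "__main__":
    for name, store in [("no escaping", ConcatStore()),
                        ("quote doubling", ConcatStore(quote_literal)),
                        ("bound parameters", ParamStore())]:
        print(f"{name:17s} -> {roundtrip(store)}")
```

The unescaped store fails as soon as a key contains a quote, because the quote ends the literal and the remainder of the input becomes SQL. Quote doubling repairs that for SQLite, but the rule is dialect-specific: a backend that also treats backslash as an escape inside literals (MySQL does by default) needs the backslash handled too, which is why an escaping-based fix has to be extended whenever a new backend or character class comes into scope. Bound parameters remove the question entirely, since the strings are never part of the statement text; when auditing an ODBC-backed component, that is the property to look for.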