opensaml2 has been fixed in all releases (see https://launchpad.net/ubuntu/+source/opensaml2) except for the devel release (bionic), which will be addressed when the debian autosync pulls 2.6.1-1 from debian.
shibboleth-sp2 still needs to be fixed in trusty and xenial, if someone wants to step up to prepare the fixes for that, as well as for bionic, which will again be addressed when the autosync process pulls 2.6.1+dfsg1-1 from debian.

** Also affects: opensaml2 (Ubuntu Trusty)
   Importance: Undecided
       Status: New

** Also affects: shibboleth-sp2 (Ubuntu Trusty)
   Importance: Undecided
       Status: New

** Also affects: opensaml2 (Ubuntu Xenial)
   Importance: Undecided
       Status: New

** Also affects: shibboleth-sp2 (Ubuntu Xenial)
   Importance: Undecided
       Status: New

** Changed in: shibboleth-sp2 (Ubuntu Trusty)
       Status: New => Triaged

** Changed in: shibboleth-sp2 (Ubuntu Xenial)
       Status: New => Triaged

** Changed in: opensaml2 (Ubuntu Trusty)
       Status: New => Fix Released

** Changed in: opensaml2 (Ubuntu Xenial)
       Status: New => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-16853

https://bugs.launchpad.net/bugs/1732606

Title:
CVE-2017-16852 Shibboleth Service Provider Security Advisory [15 November 2017]

Status in opensaml2 package in Ubuntu: Incomplete
Status in shibboleth-sp2 package in Ubuntu: Fix Released
Status in opensaml2 source package in Trusty: Fix Released
Status in shibboleth-sp2 source package in Trusty: Triaged
Status in opensaml2 source package in Xenial: Fix Released
Status in shibboleth-sp2 source package in Xenial: Triaged

Bug description:
The developers of the Shibboleth SP have released a security advisory that affects all current versions of shibboleth-sp prior to V2.6.1. This includes the versions currently available for all releases of Ubuntu.
The full text of the advisory is available at https://shibboleth.net/community/advisories/secadv_20171115.txt

The vulnerability allows a remote attacker to bypass security checks on dynamically loaded metadata, a scenario that's commonly used in federated environments, and thus a likely use-case for this package. It is likely that a significant proportion of users of this package will be affected.

From the advisory: "There are no known mitigations to prevent this attack apart from applying this update. Deployers should take immediate steps, and may wish to disable the use of this feature until the upgrade is done."