Hi Salvatore,

Thank you for the report. Looking at the commit r1680 mentioned on the security tracker I fail to see how it addresses the vulnerability described. I suspect this is actually a vulnerability in a dependency shared by opensaml and idp (maybe xmltooling which contains the PKIXValidationInformationResolver class, or shib-common with a recent commit referring to the same SIDP-624 issue [1]).

Emmanuel Bourg

[1] http://svn.shibboleth.net/view/java-shib-common?view=revision&revision=1125

__
This is the maintainer address of Debian's Java team
<http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers>.
Please use debian-j...@lists.debian.org for discussions and questions.