Dominic, After reviewing, it does appear that 1.4 is vulnerable to the XSS attack and should be patched using the same patch made here: https://github.com/michaelryanmcneill/shibboleth/blob/1d65ad6786282d23ba1865f56e2fd19188e7c26a/shibboleth.php#L463
Please let me know if you have additional questions. Best regards, Michael McNeill On Mon, Sep 11, 2017 at 6:20 AM Dominic Hargreaves <d...@earth.li> wrote: > On Mon, Sep 11, 2017 at 03:21:08AM +0000, Craig Small wrote: > > On Wed, 6 Sep. 2017, 07:03 Dominic Hargreaves <d...@earth.li> wrote: > > > > > I have just become aware of an old security issue that was fixed > > > in upstream: > > > > > > > > > > https://github.com/michaelryanmcneill/shibboleth/commit/1d65ad6786282d23ba1865f5 > > > 6e2fd19188e7c26a > > > < > https://github.com/michaelryanmcneill/shibboleth/commit/1d65ad6786282d23ba1865f56e2fd19188e7c26a > > > > > > > > > > > Given that noone has noticed and reported this as an issue for a year > > > in the Debian package, and I'm not completely sure of how easy it is > > > to exploit, I'm not exactly sure of the correct severity or whether > > > this warrants a DSA or just a point release update. I'm CCing > > > the Wordpress maintainer in case they have any ideas. > > > > > > This bug will be fixed in unstable shortly. > > > > > Hi, > > Probably a security team question but the un-patched plugin permits a > XSS > > attack so it should be a DSA I think. > > I'm just confirming the status of the bug in 1.4 with the upstream > maintainer prior to a fix. Also looping in the security team. > > Cheers, > Dominic. >
