Scheduled maintenance reminder from Sunet Status
Title: Maintenance on metadata servers
Details: Maintenance will be carried out on mds.swamid.se to prepare for future MDQ.
No planned downtime, but disruptions may occur.
Affected Infrastructure:
Components: SWAMID
Locations: Metadata Freshness - IdP transitive, Metadata Freshness - SP transitive, Metadata Freshness - SWAMID 2.0, Metadata Freshness - eduGAIN export
Planned Start: April 3, 2023 10:30 CEST
Expected End: April 3, 2023 15:00 CEST
Status Page: https://status.sunet.se
--
Manage subscription: https://status.sunet.se/pages/subscriber/manage/5f4784a4bc7fae04c8359fc5/63…
> -----Original Message-----
> From: announce <announce-bounces(a)shibboleth.net> On Behalf Of Cantor,
> Scott via announce
> Sent: Thursday, March 30, 2023 5:28 PM
> To: announce(a)shibboleth.net
> Subject: Shibboleth Identity Provider V4.3.1 now available
>
> The Shibboleth Project has released V4.3.1 of the Identity Provider software,
> primarily to address a regression in the RemoteUser login flow [1][2].
>
> A security advisory will be forthcoming about the issue, though the risk in
> practice is not viewed as significant.
>
> The issue does not affect releases prior to V4.3.0.
>
> -- Scott
>
> [1] http://shibboleth.net/downloads/identity-provider/latest/
> [2] https://shibboleth.atlassian.net/wiki/spaces/IDP4/pages/1265631499
For your information...
Pål
> -----Original Message-----
> From: announce <announce-bounces(a)shibboleth.net> On Behalf Of Cantor,
> Scott via announce
> Sent: Thursday, March 30, 2023 5:29 PM
> To: announce(a)shibboleth.net
> Subject: Shibboleth Identity Provider Security Advisory [30 March 2023]
>
> Shibboleth Identity Provider Security Advisory [30 March 2023]
>
> Regression in RemoteUser login flow could lead to impersonation
> ===============================================================
> A regression was introduced into the RemoteUser login flow in
> the Shibboleth Identity Provider software allowing the use of
> a fixed header name to supply the REMOTE_USER value to use.
> In the absence of an actual REMOTE_USER variable or any
> configured servlet request attributes, the code would fall back
> to using a "fixed" header variable name instead of honoring the
> configured set of headers to look at.
>
> Given that this would be immediately obvious while using the
> software (since it would be unable to obtain a value to use and fail),
> it is unlikely this would escape notice, but there is the theoretical
> chance of an unguarded header being accepted as the identity.
>
> Deployments that do not make use of this login flow are unaffected
> (despite the fact that the servlet containing the regression is
> generally active by default).
>
> Affected Versions
> =================
> Version 4.3.0 only of the Identity Provider, when using the
> RemoteUser login flow, either directly, or indirectly via the MFA
> login flow feature.
>
> Recommendations
> ===============
> Upgrade to Identity Provider V4.3.1 or later.
>
> References
> ==========
> URL for this Security Advisory
> http://shibboleth.net/community/advisories/secadv_20230330.txt
>
> Credits
> =======
> Tero Marttila, Funidata Oy
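The lookup order the advisory describes, as an added hypothetical model in Python. This is not Shibboleth's code: the fixed header name is a labelled placeholder, and the function and parameter names are assumptions made for the illustration. The `regressed` flag reproduces the bug beside the corrected behaviour so the difference can be tested.

```python
"""Hypothetical model (added here; not Shibboleth's code) of the lookup
order the advisory describes.  The principal is taken from REMOTE_USER,
then from the configured servlet request attributes, then from the
configured headers.  With regressed=True the function reproduces the
bug: when REMOTE_USER is absent and no request attributes are configured,
a fixed header name is consulted instead of the configured header list."""
from typing import Mapping, Optional, Sequence

# Placeholder: the advisory does not name the real fixed header.
FIXED_HEADER_PLACEHOLDER = "X-Placeholder-Fixed-Header"


def resolve_principal(remote_user: Optional[str],
                      attributes: Mapping[str, str],
                      headers: Mapping[str, str],
                      attribute_names: Sequence[str],
                      header_names: Sequence[str],
                      regressed: bool = False) -> Optional[str]:
    """Return the identity a RemoteUser-style flow would accept, or None."""
    if remote_user:
        # Authoritative value set by the container or front-end authenticator.
        return remote_user
    for name in attribute_names:
        value = attributes.get(name)
        if value:
            return value
    if regressed and not attribute_names:
        # Regression: the configured header list is bypassed and an unguarded
        # header, which any client can supply, decides the identity.  With
        # normal traffic that header is absent, so the flow simply fails.
        return headers.get(FIXED_HEADER_PLACEHOLDER) or None
    for name in header_names:
        # Corrected behaviour: only deployer-configured headers are consulted,
        # and the deployer strips those at the front door before trusting them.
        value = headers.get(name)
        if value:
            return value
    return None
```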
Hi SAML friends!
On Monday 3 April, starting at 10:30, maintenance will be carried out on mds.swamid.se to prepare for future MDQ.
No planned downtime, but disruptions may occur.
--
jocar
SWAMID Operations
Hi,
Have you registered <https://www.sunetdagarna.se> for Sunetdagarna? On
18–20 April we meet at Mälardalen University, Campus Eskilstuna, for
a few packed days on IT infrastructure and digital services for higher
education and research. The programme is at www.sunetdagarna.se.
Some of the topics covered are:
- Digital campus
- Human reactions in extreme situations
- AI for effective learning
- The EU digital identity wallet
- The project "Studentens digitala resa" (the student's digital journey)
- Sunet data centre for the future
- Open digital resources for student learning
- Network automation and IT security
- Polar Connect – robust network connection via the Arctic
- Badges and microcredentials
- What is Sunet?
- Digital pedagogical competence
Register at www.sunetdagarna.se. Places are limited, so don't wait too
long!
Pål
---------- Forwarded message ---------
From: Cantor, Scott via announce <announce(a)shibboleth.net>
Date: Mon 13 March 2023 19:51
Subject: Shibboleth Service Provider for Windows V3.4.1.2 available
To: announce(a)shibboleth.net <announce(a)shibboleth.net>
Another patch/service update to the Windows installer for the Service
Provider is available, addressing a security issue in zlib, which is
packaged as part of the software. The issue was disclosed last year but was
overlooked at the time.
I am not aware of any exploits for the issue but am providing the update
out of caution.
-- Scott
--
To unsubscribe from this list send an email to
announce-unsubscribe(a)shibboleth.net
Hi!
I am wondering whether those of you who use Shibboleth and have enabled CSRF
mitigation have seen an increase in warnings related to invalid CSRF
tokens in your logs over the last few days?
We can see a doubling of the number of "non-proceed event while processing
the request: InvalidCSRFToken", either for view-state
"LocalStorageRead" or "DisplayUsernamePasswordPage", since the turn of
the month.
A few students have contacted us having had problems logging in to
various services. It is unclear right now whether or how these
problems are connected to invalid CSRF tokens. It is very few, but a
large percentage increase over a short time.
Just wondering whether we are alone in seeing this increase?
Grateful for any replies.
/Paul.
Best regards
Paul Scott
Systems developer
KARLSTAD UNIVERSITY
SE-651 88 Karlstad Sweden
Phone: +46 54 700 23 07
Mobile: +46 54 70 191 42 83
www.kau.se
When you send an e-mail to Karlstad University, we will process your personal data<https://www.kau.se/en/gdpr>.
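One way to measure the rise Paul asks about rather than eyeballing it: an added Python example (not from the thread or the Shibboleth project) that counts InvalidCSRFToken warnings per day and per view-state and compares the totals before and after the turn of the month. The log lines are constructed to resemble an IdP process log; the regular expression must be adjusted to your own logging layout.

```python
"""Added example: count InvalidCSRFToken warnings per day and view-state.
The sample lines are constructed, not copied from a real deployment."""
import re
from collections import Counter

# Constructed sample log; the logger name is a placeholder.
SAMPLE_LOG = """\
2023-02-27 08:15:41,102 - WARN [constructed.logger:1] - view-state 'DisplayUsernamePasswordPage': non-proceed event while processing the request: InvalidCSRFToken
2023-02-27 09:02:12,550 - WARN [constructed.logger:1] - view-state 'LocalStorageRead': non-proceed event while processing the request: InvalidCSRFToken
2023-02-28 10:11:09,004 - INFO [constructed.logger:2] - login flow completed
2023-03-02 07:40:00,311 - WARN [constructed.logger:1] - view-state 'DisplayUsernamePasswordPage': non-proceed event while processing the request: InvalidCSRFToken
2023-03-02 07:41:13,009 - WARN [constructed.logger:1] - view-state 'DisplayUsernamePasswordPage': non-proceed event while processing the request: InvalidCSRFToken
2023-03-02 12:25:48,770 - WARN [constructed.logger:1] - view-state 'LocalStorageRead': non-proceed event while processing the request: InvalidCSRFToken
2023-03-03 16:03:21,115 - WARN [constructed.logger:1] - view-state 'DisplayUsernamePasswordPage': non-proceed event while processing the request: InvalidPassword
2023-03-03 16:05:02,001 - WARN [constructed.logger:1] - view-state 'DisplayUsernamePasswordPage': non-proceed event while processing the request: InvalidCSRFToken
"""

# Date, view-state and the non-proceed event name; other lines are ignored.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) .*view-state '(?P<state>[^']+)'.*"
    r"non-proceed event while processing the request: (?P<event>\w+)")


def count_invalid_csrf(lines):
    """Counter keyed by (date, view_state), InvalidCSRFToken events only."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if m and m.group("event") == "InvalidCSRFToken":
            counts[(m.group("date"), m.group("state"))] += 1
    return counts


def compare_windows(counts, split_date):
    """Per-state totals before split_date and from split_date onwards."""
    before, after = Counter(), Counter()
    for (date, state), n in counts.items():
        (after if date >= split_date else before)[state] += n
    return before, after


if __name__ == "__main__":
    c = count_invalid_csrf(SAMPLE_LOG.splitlines())
    for (date, state), n in sorted(c.items()):
        print(date, state, n)
    print(compare_windows(c, "2023-03-01"))
```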