For your information.

The most important part is probably the update from 4.3.1 -> 4.3.2 for those of you running CAS.

// Björn M.

Begin forwarded message:

From: "Cantor, Scott via alert" <alert@shibboleth.net>
Subject: Spring bug necessitates IdP patches
Date: 14 March 2024 at 15:04:32 CET
To: "alert@shibboleth.net" <alert@shibboleth.net>
Cc: "Cantor, Scott" <cantor.2@osu.edu>
Reply-To: alert@shibboleth.net

FYI,

There's a Spring bug [1] I reviewed a while ago that I mis-triaged; we have a limited exposure to it in the CAS support in the IdP.

They re-opened that bug/advisory just now and patched Spring 6.1 again, which we missed by a day, so unfortunately we have to issue a 5.1.1 to pick that up, but more impactfully, I guess, we'll need to prepare a 4.3.2 patch to update Spring 5.3 there.

It's probably good I overlooked it as it's not terribly serious and it would have required a second patch round anyway since they didn't fully fix it before.

Anyway, we will get a 5.1.1 out pretty quickly and then take a bit of time to issue the 4.3.2 update so we can make that the (hopefully) final rollup of V4 that we weren't planning on doing.

If you don't use the CAS support, you have no exposure to this. Even if you do, it's likely not a very big deal, but there is probably some risk of a redirection/SSRF attack out of the IdP.

-- Scott

[1] https://spring.io/security/cve-2024-22259

--
To unsubscribe from this list send an email to alert-unsubscribe@shibboleth.net