A patch release of the Service Provider, V3.4.1, is now available [1][2]. This release fixes a couple of small bugs and adds a warning requested by one of our member organizations in the absence of the redirectLimit setting, which leads to SPs being abused as open redirectors.

Notably, this release includes an update to the xmltooling library that hardens the code base against the sorts of attacks reported against the IdP in the recent advisory. The SP is, as far as can be determined, not impacted directly by that vulnerability, but this is a precautionary change.

The Windows update also includes a change to restrict the ACLs on the /opt/shibboleth-sp directory when the default installation path is used, to limit some privilege escalation attacks due to overly permissive ACLs.

The documentation has been updated to reflect this change [3], but we continue to observe that ultimately the responsibility for securing the file system lies with the deployer. We also urge caution and testing for those using IIS since the changes to the ACLs could prevent unusual IIS configurations from functioning without adjusting those ACLs.

Packages have been pushed to at least a couple of the mirrors, but as has been typical, I'm not able to update all of them due to firewall changes, which I will follow up on.
-- Scott
[1] http://shibboleth.net/downloads/service-provider/latest/
[2] https://shibboleth.atlassian.net/wiki/spaces/SP3/pages/2065335693
[3] https://shibboleth.atlassian.net/wiki/spaces/SP3/pages/2065335545
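As an added illustration (not part of Scott's message or of the Shibboleth SP code base), the Python below models the kind of return-URL check that the redirectLimit setting mentioned above enables, and why leaving it unset lets an SP be used as an open redirector. The policy names and their semantics (exact, host, allow and their combinations, with an allow-list of URL prefixes) are an assumption modelled on the SP documentation, and the request and target URLs are constructed sample values.

```python
from urllib.parse import urlsplit

# Added example: a model of a post-login return-URL check in the spirit of the SP's
# redirectLimit setting. Policy names and semantics are an assumption modelled on the
# SP documentation (exact, host, allow, and combinations); this is not the SP's own code.

DEFAULT_PORTS = {"http": 80, "https": 443}


def _origin(url: str):
    """Return (scheme, host, effective port) with default ports filled in."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    return scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(scheme)


def redirect_allowed(target: str, request_url: str, policy: str,
                     allow: tuple = ()) -> bool:
    """True if redirecting the browser to `target` is permitted under `policy`.

    policy is one of: none, exact, host, allow, exact+allow, host+allow.
    `none` is the weak setting: any target is accepted, which is what turns the
    SP into an open redirector. `allow` matches string prefixes; include the
    trailing slash (e.g. "https://partner.example.net/") so that look-alike
    hosts such as partner.example.net.evil are not matched.
    """
    if policy == "none":
        return True
    # Browsers treat a leading backslash like a slash, so reject these rather
    # than mistaking "/\evil.example" for a path on the SP's own host.
    if target.startswith(("\\", "/\\")):
        return False
    t = urlsplit(target)
    if not t.scheme and not t.netloc:
        return True            # relative path: stays on the SP's own host
    if t.scheme.lower() not in DEFAULT_PORTS:
        return False           # "//host/", javascript:, data:, etc.
    t_origin, r_origin = _origin(target), _origin(request_url)
    for rule in policy.split("+"):
        if rule == "exact" and t_origin == r_origin:
            return True        # same scheme, host and port as the request
        if rule == "host" and t_origin[1] == r_origin[1]:
            return True        # same host name, any scheme or port
        if rule == "allow" and any(target.startswith(p) for p in allow):
            return True        # explicitly listed external prefix
    return False               # unknown rule or no match: deny
```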