Security Advisories for Shibboleth Service Providers in the UK federation: second advisory

Posted on Monday, 17 August 2009

This advisory addresses an issue with incorrect handling of the "use" attribute in metadata <KeyDescriptor> elements. We do not believe that a service provider deployed purely within the UK federation (i.e., consuming only UK federation metadata) would be affected by this issue.

Edited by SteveGlover

Security Advisories for Shibboleth Service Providers in the UK federation: first advisory

Posted on Monday, 17 August 2009

The issue described by this advisory could potentially be exploited to allow an attacker to impersonate almost any identity provider within the UK federation. This would require the attacker to have persuaded one of the certification authorities trusted by the UK federation to issue a certificate with a specially constructed invalid name.

Edited by SteveGlover