libshibsp-lite10-3.2.3-1.2 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:11381 Final 1 1 2024-06-17T21:45:33Z current 2024-06-17T21:45:33Z 2024-06-17T21:45:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z libshibsp-lite10-3.2.3-1.2 on GA media These are all security issues fixed in the libshibsp-lite10-3.2.3-1.2 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-11381 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) E-Mail link for openSUSE-SU-2024:11381 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2017-16852/ SUSE CVE CVE-2017-16852 page https://www.suse.com/security/cve/CVE-2019-19191/ SUSE CVE CVE-2019-19191 page openSUSE Tumbleweed libshibsp-lite10-3.2.3-1.2 libshibsp10-3.2.3-1.2 shibboleth-sp-3.2.3-1.2 shibboleth-sp-devel-3.2.3-1.2 libshibsp-lite10-3.2.3-1.2 as a component of openSUSE Tumbleweed libshibsp10-3.2.3-1.2 as a component of openSUSE Tumbleweed shibboleth-sp-3.2.3-1.2 as a component of openSUSE Tumbleweed shibboleth-sp-devel-3.2.3-1.2 as a component of openSUSE Tumbleweed shibsp/metadata/DynamicMetadataProvider.cpp in the Dynamic MetadataProvider plugin in Shibboleth Service Provider before 2.6.1 fails to properly configure itself with the MetadataFilter plugins and does not perform critical security checks such as signature verification, enforcement of validity periods, and other checks specific to deployments, aka SSPCPP-763. CVE-2017-16852 openSUSE Tumbleweed:libshibsp-lite10-3.2.3-1.2 openSUSE Tumbleweed:libshibsp10-3.2.3-1.2 openSUSE Tumbleweed:shibboleth-sp-3.2.3-1.2 openSUSE Tumbleweed:shibboleth-sp-devel-3.2.3-1.2 moderate 7.1 AV:N/AC:H/Au:N/C:C/I:C/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-16852.html CVE-2017-16852 https://bugzilla.suse.com/1068689 SUSE Bug 1068689 Shibboleth Service Provider (SP) 3.x before 3.1.0 shipped a spec file that calls chown on files in a directory controlled by the service user (the shibd account) after installation. This allows the user to escalate to root by pointing symlinks to files such as /etc/shadow. CVE-2019-19191 openSUSE Tumbleweed:libshibsp-lite10-3.2.3-1.2 openSUSE Tumbleweed:libshibsp10-3.2.3-1.2 openSUSE Tumbleweed:shibboleth-sp-3.2.3-1.2 openSUSE Tumbleweed:shibboleth-sp-devel-3.2.3-1.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-19191.html CVE-2019-19191 https://bugzilla.suse.com/1154062 SUSE Bug 1154062 https://bugzilla.suse.com/1157471 SUSE Bug 1157471