Detections
Analytics
Debian DSA-4038-1 : shibboleth-sp2 - security update
high Nessus Plugin ID 104644
Language:
Synopsis
The remote Debian host is missing a security-related update.Description
Rod Widdowson of Steading System Software LLP discovered a coding error in the 'Dynamic' metadata plugin of the Shibboleth Service Provider, causing the plugin to fail configuring itself with the filters provided and omitting whatever checks they are intended to perform.See https://shibboleth.net/community/advisories/secadv_20171115.txt for details.
Solution
Upgrade the shibboleth-sp2 packages.For the oldstable distribution (jessie), this problem has been fixed in version 2.5.3+dfsg-2+deb8u1.
For the stable distribution (stretch), this problem has been fixed in version 2.6.0+dfsg1-4+deb9u1.
See Also
https://packages.debian.org/source/jessie/shibboleth-sp2
https://packages.debian.org/source/stretch/shibboleth-sp2
https://www.debian.org/security/2017/dsa-4038
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=881857
https://shibboleth.net/community/advisories/secadv_20171115.txt
Plugin Details
Severity: High
ID: 104644
File Name: debian_DSA-4038.nasl
Version: 3.5
Type: local
Agent: unix
Family: Debian Local Security Checks
Published: 11/17/2017
Updated: 1/4/2021
Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus
Risk Information
VPR
Risk Factor: Medium
Score: 5.9
CVSS v2
Risk Factor: Medium
Base Score: 6.8
Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSS v3
Risk Factor: High
Base Score: 8.1
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Vulnerability Information
CPE: p-cpe:/a:debian:debian_linux:shibboleth-sp2, cpe:/o:debian:debian_linux:8.0, cpe:/o:debian:debian_linux:9.0
Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l
Patch Publication Date: 11/16/2017
Reference Information
CVE: CVE-2017-16852
DSA: 4038