OpenSAML user discussion

["Scott Cantor" <>]

OpenSAML Security Advisory [4 August 2004]

Updated versions of OpenSAML are now available which correct a
security issue:


Incorrect SAML request/response correlation
===============================================

Bugs in OpenSAML and libcurl through at least 7.10.8 combine
to result in a possibility of SAML SOAP request messages being
correlated to a SOAP response sent earlier over the same HTTP
connection. The bug is triggered by a combination of the
OpenSAML client-side timeout mechanism together with HTTP
Keep-Alives, which depend on the HTTP server configuration
on which the responding SAML service is hosted.

All versions of OpenSAML from 0.9.1 to 1.0 inclusive are
affected by this issue.  Any application that makes use of
the OpenSAML library may be affected.

libcurl 7.11.1 and higher appear to close such connections
and do not exhibit the behavior that would trigger this
particular bug. However, implementers should apply this update
regardless to prevent future problems and insure correct
behavior with older libcurl versions.


Recommendations
---------------

Upgrade to the latest patched releases of 0.9.1 and 1.0, which are
available from the download site, dated August 4, 2004:

http://wayf.internet2.edu/shibboleth/

The distribution file names are:

    o opensaml-0.9.1.tar.gz
      GPG: opensaml-0.9.1.tar.gz.asc
      
    o opensaml-1.0.tar.gz
      GPG: opensaml-1.0.tar.gz.asc

    o opensaml-java-1.0.tar.gz
      GPG: opensaml-java-1.0.tar.gz.asc

When possible, upgrade to the latest libcurl release, 7.12.0,
to fix the underlying problem.

Credits
-------
Patches for these issues were created by Scott Cantor.
(),
 the principal developer.


URL for this Security Advisory:
http://www.opensaml.org/secadv/secadv_20040804.txt