OpenSAML-C PlusPlus library and service provider advisory

Applies to

• EZproxy

Answer

A parameter manipulation vulnerability has been reported when using C++ and a versions of the OpenSAML library below V3.3.1.

Is EZproxy affected?  No, EZproxy is not impacted.  It is not coded in C++ and does not utilize any OpenSAML library.

Key points regarding EZproxy's implementation include:

• No usage of OpenSAML headers, dependencies, or function calls.
• SAML functionality is implemented using XMLSec, OpenSSL, and custom code.
• Dependencies include libxmlsec1.a, libxmlsec1-openssl.a, libxml2.a, libssl.a, and libcrypto.a.
• There are no references to OpenSAML in the build configuration.

Additional information

For more details on this advisory, please refer to: https://shibboleth.net/pipermail/ann...ch/000337.html
 

Page ID