The Shibboleth project has released two important announcements that warrant replication throughout the InCommon federation. Consider joining the Shibboleth email lists below if you haven't received notice.

1. Shibboleth

The Shibboleth Project issued a critical security advisory on Monday, July 25, with the discovery of a vulnerability in the project’s OpenSAML software. Any software dependent on OpenSAML is affected. In particular, Shibboleth itself is vulnerable.

The vulnerability affects both the Identity Provider and Service Provider deployments and is rated as "critical" for the Service Provider and "important" for the Identity Provider. If you have Shibboleth deployed, you should take immediate steps to apply the updates. The security advisory includes details on the vulnerability, specific recommendations for upgrading the OpenSAML software, and information on mitigating the attacks in an IdP.

The complete security advisory, including the information on upgrades and mitigation, is available at: http://shibboleth.internet2.edu/secadv/secadv_20110725.txt

Since the announcement yesterday, discussion on the Shib Users list contains helpful links and commands: http://bit.ly/oL8UNH

2. XMLSecTool

If you rely on scripts outside the Shibboleth software itself that use xmlsectool to verify the signature on InCommon metadata, you need to upgrade xmlsectool as well: http://bit.ly/nm77Jo

3. Mailing Lists

If you manage Shibboleth, you should be on the Announce list. You may also consider the more highly-trafficked Users list: http://shibboleth.internet2.edu/lists.html
