[Bug 1822069] Re: SRU: Shibboleth SPv3 for bionic

Etienne Dysli Metref 1822069 at bugs.launchpad.net
Mon Apr 8 09:47:50 UTC 2019


Hi Robie,

Thank you for taking the time to review this SRU. I've considered the
use cases of Shibboleth packages and searched for reverse dependencies
and here is what I can say.

All five source packages are maintained by Shibboleth project developers
as components of the Shibboleth Service Provider. Usage of the libraries
for other purposes is generally not supported.

# log4shib
 -  It's a library, so there are no direct use cases.
 -  This new major version has a new SONAME so it is distinct from the older version.
 -  Reverse dependencies: moonshot-gss-eap depends on libshibresolver1 which in turn depends on liblog4shib1v5. libshibresolver1 should keep using the current liblog4shib1v5 instead of the newer liblog4shib2. I cannot further comment on the impact upon Moonshot-related packages, but I can ask their Debian maintainer if needed.

    $ reverse-depends -r bionic src:log4shib
    Reverse-Depends
    ===============
    * libsaml9                      (for liblog4shib1v5)
    * libshibresolver1              (for liblog4shib1v5)
    * libshibsp7                    (for liblog4shib1v5)
    * libxmltooling-dev             (for liblog4shib-dev)
    * libxmltooling7                (for liblog4shib1v5)
    * opensaml2-tools               (for liblog4shib1v5)
    * shibboleth-sp2-utils          (for liblog4shib1v5)

# xml-security-c
 -  It's (mostly) a library, so no direct use cases are expected. A few utility programs are shipped in xml-security-c-utils (/usr/bin/xsec-*), however these are not used for operating a Shibboleth SP. I don't have data on direct uses of these utilities.
 -  This new major version has a new SONAME so it is distinct from the older version.
 -  There are no reverse dependencies outside of Shibboleth packages.

    $ reverse-depends -r bionic src:xml-security-c
    Reverse-Depends
    ===============
    * libsaml9                      (for libxml-security-c17v5)
    * libshibsp7                    (for libxml-security-c17v5)
    * libxmltooling-dev             (for libxml-security-c-dev)
    * libxmltooling7                (for libxml-security-c17v5)

# xmltooling
 -  It's a library, so there are no direct use cases.
 -  This new major version has a new SONAME so it is distinct from the older version.
 -  Reverse dependencies: moonshot-gss-eap and libshibresolver1 both depend on libxmltooling7. The same comment as above applies for Moonshot-related packages.

    $ reverse-depends -r bionic src:xmltooling
    Reverse-Depends
    ===============
    * libapache2-mod-shib2          (for libxmltooling7)
    * libsaml2-dev                  (for libxmltooling-dev)
    * libsaml9                      (for libxmltooling7)
    * libshibresolver1              (for libxmltooling7)
    * libshibsp-dev                 (for libxmltooling-dev)
    * libshibsp-plugins             (for libxmltooling7)
    * libshibsp7                    (for libxmltooling7)
    * libshibsp7                    (for xmltooling-schemas)
    * moonshot-gss-eap              (for libxmltooling7)
    * opensaml2-tools               (for libxmltooling7)
    * shibboleth-sp2-utils          (for libxmltooling7)

# opensaml
 -  It's (mostly) a library, so no direct use cases are expected. One utility program is shipped in opensaml-tools (/usr/bin/samlsign), however it is not used for operating a Shibboleth SP. I don't have data on direct uses of this utility.
 -  This new major version has a new SONAME so it is distinct from the older version.
 -  Reverse dependencies: moonshot-gss-eap and libshibresolver1 both depend on libsaml9. The same comment as above applies for Moonshot-related packages.

    $ reverse-depends -r bionic src:opensaml2
    Reverse-Depends
    ===============
    * libshibresolver1              (for libsaml9)
    * libshibsp-dev                 (for libsaml2-dev)
    * libshibsp-plugins             (for libsaml9)
    * libshibsp7                    (for opensaml2-schemas)
    * libshibsp7                    (for libsaml9)
    * moonshot-gss-eap              (for libsaml9)
    * shibboleth-sp2-utils          (for libsaml9)

# shibboleth-sp
 -  Direct use: running a Shibboleth SP. shibd's version 3 is backward-compatible with version 2 configuration (/etc/shibboleth/shibboleth2.xml) and can run with the existing old configuration. Following the emitted deprecation warnings and upgrading to the v3 configuration format is however recommended. I've upgraded several SPs from v2 to v3 and they all run fine with the old configuration.
 -  Reverse dependencies: moonshot-gss-eap and libshibresolver1 both depend on libshibsp7. The same comment as above applies for Moonshot-related packages.

    wordpress-shibboleth depends on libapache2-mod-shib2: In this case,
    users of wordpress-shibboleth would be better served by this upgrade
    because their Apache+PHP installation would then only depend on
    libcurl4, dropping the conflicting dependency on libcurl3. The
    dependency on libapache2-mod-shib2 will trigger an upgrade to
    libapache2-mod-shib (part of the v3 stack).

    $ reverse-depends -r bionic src:shibboleth-sp2
    Reverse-Depends
    ===============
    * libshibresolver1              (for libshibsp7)
    * moonshot-gss-eap              (for libshibsp7)
    * wordpress-shibboleth          (for libapache2-mod-shib2)

-- 
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1822069

Title:
  SRU: Shibboleth SPv3 for bionic

Status in log4shib package in Ubuntu:
  New
Status in opensaml package in Ubuntu:
  New
Status in opensaml2 package in Ubuntu:
  New
Status in shibboleth-sp package in Ubuntu:
  New
Status in shibboleth-sp2 package in Ubuntu:
  New
Status in xml-security-c package in Ubuntu:
  New
Status in xmltooling package in Ubuntu:
  New

Bug description:
  [Impact]

  Bionic released with version 2 of the Shibboleth Service Provider (and
  its accompanying dependencies) and with OpenSSL 1.1. However, the SPv2
  isn't compatible with OpenSSL 1.1, only 1.0 (and earlier), and was
  therefore shipped compiled against 1.0. This created a mix of OpenSSL
  and libcurl versions between the Apache module that the Shibboleth SP
  provides (mod_shib) and other modules, thus rendering mod_shib
  uninstallable alongside other modules (that depend on libcurl4)
  because of that conflict. Not being able to use mod_shib and mod_php
  with php-curl -- for example -- together greatly reduces the
  usefulness of the Shibboleth SPv2 in bionic, see LP#1776489. Version 3
  of the Shibboleth SP is compatible with OpenSSL 1.1 and having it
  available for bionic would allow users to install it together with
  other Apache modules.

  Moreover, the SPv2 suffers from a few security issues (LP#1636590)
  which have since been fixed upstream and v2 is no longer supported
  upstream (EOL, LP#1812401).

  I propose to update the following source packages in bionic:
  - shibboleth-sp to 3.0.4 (sync request for disco LP#1822055)
  - opensaml to 3.0.1 (sync request for disco LP#1823325)
  - xmltooling to 3.0.4
  - xml-security-c to 2.0.2
  - log4shib to 2.0.0

  [Test Case]

  # apt install apache2 libapache2-mod-shib2
  [...]
  # apt install libapache2-mod-php php-curl
  Reading package lists... Done
  Building dependency tree
  Reading state information... Done
  Some packages could not be installed. This may mean that you have
  requested an impossible situation or if you are using the unstable
  distribution that some required packages have not yet been created
  or been moved out of Incoming.
  The following information may help to resolve the situation:

  The following packages have unmet dependencies:
   php-curl : Depends: php7.2-curl but it is not going to be installed
  E: Unable to correct problems, you have held broken packages.

  # apt install php7.2-curl
  Reading package lists... Done
  Building dependency tree
  Reading state information... Done
  Some packages could not be installed. This may mean that you have
  requested an impossible situation or if you are using the unstable
  distribution that some required packages have not yet been created
  or been moved out of Incoming.
  The following information may help to resolve the situation:

  The following packages have unmet dependencies:
   php7.2-curl : Depends: libcurl4 (>= 7.44.0) but it is not going to be installed
  E: Unable to correct problems, you have held broken packages.

  # apt install libcurl4
  Reading package lists... Done
  Building dependency tree
  Reading state information... Done
  The following packages were automatically installed and are no longer required:
    libcurl3-gnutls libfcgi-bin libfcgi0ldbl liblog4shib1v5 libltdl7 libmemcached11 libodbc1 libssl1.0.0 libxerces-c3.2 libxml-security-c17v5 opensaml2-schemas shibboleth-sp2-common xmltooling-schemas
  Use 'apt autoremove' to remove them.
  The following packages will be REMOVED:
    libapache2-mod-shib2 libcurl3 libsaml9 libshibsp-plugins libshibsp7 libxmltooling7 shibboleth-sp2-utils
  The following NEW packages will be installed:
    libcurl4
  0 upgraded, 1 newly installed, 7 to remove and 0 not upgraded.
  Need to get 214 kB of archives.
  After this operation, 18.7 MB disk space will be freed.
  Do you want to continue? [Y/n] n
  Abort.

  [Regression Potential]
  A new version can, of course, bring new bugs and security vulnerabilities. Catching up to SPv3 would at least give us an upstream-supported version. Shibboleth SP 3.0.4 and its dependencies are, as of this writing, all in Debian testing without any major bug.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/log4shib/+bug/1822069/+subscriptions
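The apt transcript in the [Test Case] shows the OpenSSL 1.0 / OpenSSL 1.1 split only indirectly, as unmet dependencies between libcurl3 and libcurl4. The script below is an added example, not part of the bug report or of the Shibboleth packages: it checks the shared objects an httpd would load and reports when two OpenSSL ABIs (libssl.so.1.0.0 and libssl.so.1.1) would end up in one process. The module directory, the helper names and the sample ldd-style lines are assumptions for illustration; it also assumes, as the bionic packaging implies, that libcurl3 and libcurl4 both expose a libcurl.so.4, so the libcurl SONAME alone cannot tell the two stacks apart.

```shell
#!/bin/sh
# Added example (not from the bug report or the Shibboleth project): detect
# whether the *.so files an httpd would load pull in two OpenSSL ABIs.
# Paths, helper names and sample lines are assumptions for illustration.

# Emit "module soname" lines for every *.so in DIR, from what ldd resolves.
# Usage: collect_needed /usr/lib/apache2/modules   (directory is an assumption)
collect_needed() {
  for so in "$1"/*.so; do
    [ -f "$so" ] || continue
    ldd "$so" 2>/dev/null | awk -v m="$(basename "$so")" '$1 ~ /\.so/ { print m, $1 }'
  done
}

# Read "module soname" lines from FILE and report every OpenSSL library
# (libssl/libcrypto) that appears under more than one version.
# Prints "MIXED <lib> <version> <- <modules>" and returns 1 when mixed,
# 0 when all modules agree. libcurl is deliberately not keyed on: the
# assumption is that libcurl3 and libcurl4 both ship libcurl.so.4, so only
# the OpenSSL SONAME beneath it distinguishes the 1.0 and 1.1 stacks.
check_mixed_abi() {
  awk '
    {
      if (split($2, p, "[.]so[.]") < 2) next
      base = p[1]; ver = p[2]
      if (base != "libssl" && base != "libcrypto") next
      k = base SUBSEP ver
      if (k in mods) mods[k] = mods[k] "," $1
      else { mods[k] = $1; nver[base]++ }
    }
    END {
      rc = 0
      for (k in mods) {
        split(k, p, SUBSEP)
        if (nver[p[1]] > 1) { rc = 1; printf "MIXED %s %s <- %s\n", p[1], p[2], mods[k] }
      }
      exit rc
    }' "$1"
}

# Constructed sample: what ldd would show on bionic for SPv2's mod_shib
# (OpenSSL 1.0 via libcurl3) next to php-curl's curl.so (OpenSSL 1.1).
sample_mixed() {
  cat <<'EOF'
mod_shib.so libssl.so.1.0.0
mod_shib.so libcrypto.so.1.0.0
mod_shib.so libcurl.so.4
curl.so libssl.so.1.1
curl.so libcrypto.so.1.1
curl.so libcurl.so.4
EOF
}

# Scan a real module directory when one is given, else the sample above.
tmp=$(mktemp)
if [ "$#" -gt 0 ]; then collect_needed "$1" > "$tmp"; else sample_mixed > "$tmp"; fi
if check_mixed_abi "$tmp"; then
  echo "OK: a single OpenSSL ABI across all modules"
else
  echo "CONFLICT: two OpenSSL ABIs would share one httpd process"
fi
rm -f "$tmp"
```

Run without arguments it evaluates the constructed sample and reports the libssl and libcrypto mismatch; run with a directory argument (for example the Apache modules directory and the PHP extension directory in turn, concatenating their output) it works from ldd's view of the installed objects. A clean result after the SPv3 upgrade is the practical confirmation that mod_shib and php-curl now share one OpenSSL.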
