[Bug 1822069] [NEW] SRU: Shibboleth SPv3 for bionic
Launchpad Bug Tracker
1822069 at bugs.launchpad.net
Wed Jun 26 06:11:19 UTC 2019
You have been subscribed to a public bug by Etienne Dysli Metref (etienne-dysli-metref):
[Impact]
Bionic released with version 2 of the Shibboleth Service Provider (and
its accompanying dependencies) and with OpenSSL 1.1. However, the SPv2
isn't compatible with OpenSSL 1.1, only 1.0 (and earlier), and was
therefore shipped compiled against 1.0. This created a mix of OpenSSL
and libcurl versions between the Apache module that the Shibboleth SP
provides (mod_shib) and other modules, thus rendering mod_shib
uninstallable alongside other modules (that depend on libcurl4) because
of that conflict. Not being able to use mod_shib and mod_php with php-
curl -- for example -- together greatly reduces the usefulness of the
Shibboleth SPv2 in bionic, see LP#1776489. Version 3 of the Shibboleth
SP is compatible with OpenSSL 1.1 and having it available for bionic
would allow users to install it together with other Apache modules.
Moreover, the SPv2 suffers from a few security issues (LP#1636590) which
have since been fixed upstream and v2 is no longer supported upstream
(EOL, LP#1812401).
I propose to update the following source packages in bionic:
- shibboleth-sp [not in Bionic] to 3.0.4 (sync request for disco LP#1822055)
- opensaml [not in Bionic] to 3.0.1 (sync request for disco LP#1823325)
- xmltooling from 1.6.4-1ubuntu2.1 [Cosmic 3.0.2-1ubuntu1.1] to 3.0.4
- xml-security-c from 1.7.3-4ubuntu0.1 [Cosmic 2.0.1-1] to 2.0.2
- log4shib from 1.0.9-3 to 2.0.0
- shibboleth-resolver from 1.0.0-1build4 to 3.0.0
[Test Case]
# apt install apache2 libapache2-mod-shib2
[...]
# apt install libapache2-mod-php php-curl
Reading package lists... Done
Building dependency tree
Reading state information... Done
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:
The following packages have unmet dependencies:
php-curl : Depends: php7.2-curl but it is not going to be installed
E: Unable to correct problems, you have held broken packages.
# apt install php7.2-curl
Reading package lists... Done
Building dependency tree
Reading state information... Done
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:
The following packages have unmet dependencies:
php7.2-curl : Depends: libcurl4 (>= 7.44.0) but it is not going to be installed
E: Unable to correct problems, you have held broken packages.
# apt install libcurl4
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages were automatically installed and are no longer required:
libcurl3-gnutls libfcgi-bin libfcgi0ldbl liblog4shib1v5 libltdl7 libmemcached11 libodbc1 libssl1.0.0 libxerces-c3.2 libxml-security-c17v5 opensaml2-schemas shibboleth-sp2-common xmltooling-schemas
Use 'apt autoremove' to remove them.
The following packages will be REMOVED:
libapache2-mod-shib2 libcurl3 libsaml9 libshibsp-plugins libshibsp7 libxmltooling7 shibboleth-sp2-utils
The following NEW packages will be installed:
libcurl4
0 upgraded, 1 newly installed, 7 to remove and 0 not upgraded.
Need to get 214 kB of archives.
After this operation, 18.7 MB disk space will be freed.
Do you want to continue? [Y/n] n
Abort.
[Regression Potential]
A new version can, of course, bring new bugs and security vulnerabilities. Catching up to SPv3 would at least give us an upstream-supported version. Shibboleth SP 3.0.4 and its dependencies are, as of this writing, all in Debian testing without any major bug.
** Affects: log4shib (Ubuntu)
Importance: Undecided
Status: Fix Released
** Affects: opensaml (Ubuntu)
Importance: Undecided
Status: Invalid
** Affects: opensaml2 (Ubuntu)
Importance: Undecided
Status: Invalid
** Affects: shibboleth-resolver (Ubuntu)
Importance: Undecided
Status: Fix Released
** Affects: shibboleth-sp (Ubuntu)
Importance: Undecided
Status: Invalid
** Affects: shibboleth-sp2 (Ubuntu)
Importance: Undecided
Status: Confirmed
** Affects: xml-security-c (Ubuntu)
Importance: Undecided
Status: Fix Released
** Affects: xmltooling (Ubuntu)
Importance: Undecided
Status: Fix Released
** Affects: log4shib (Ubuntu Bionic)
Importance: Undecided
Status: Fix Released
** Affects: opensaml2 (Ubuntu Bionic)
Importance: Undecided
Status: Invalid
** Affects: shibboleth-resolver (Ubuntu Bionic)
Importance: Undecided
Status: Fix Released
** Affects: shibboleth-sp2 (Ubuntu Bionic)
Importance: Undecided
Status: Invalid
** Affects: xml-security-c (Ubuntu Bionic)
Importance: Undecided
Status: Fix Released
** Affects: xmltooling (Ubuntu Bionic)
Importance: Undecided
Status: Fix Released
** Affects: log4shib (Ubuntu Cosmic)
Importance: Undecided
Status: Fix Released
** Affects: opensaml2 (Ubuntu Cosmic)
Importance: Undecided
Status: Invalid
** Affects: shibboleth-resolver (Ubuntu Cosmic)
Importance: Undecided
Status: Fix Released
** Affects: shibboleth-sp2 (Ubuntu Cosmic)
Importance: Undecided
Status: Invalid
** Affects: xml-security-c (Ubuntu Cosmic)
Importance: Undecided
Status: Fix Released
** Affects: xmltooling (Ubuntu Cosmic)
Importance: Undecided
Status: Fix Released
** Tags: bionic
--
SRU: Shibboleth SPv3 for bionic
https://bugs.launchpad.net/bugs/1822069
You received this bug notification because you are a member of Ubuntu Sponsors Team, which is subscribed to the bug report.
More information about the Ubuntu-sponsors
mailing list