
[upki-fed:01064] Supplementary information on the Shibboleth SP vulnerability notice (Re: About the Shibboleth SP vulnerability (2016/5/6))



To the members of the GakuNin information exchange ML: this is Noda of the GakuNin Office, National Institute of Informatics.
Thank you for your continued cooperation in the operation of GakuNin.


This is a supplementary notice regarding the Shibboleth SP vulnerability information that was announced on this mailing list on 2016/5/6.

Shibboleth V2.6.0 ([2]) was released on 2016/6/29.

From now on, ignoreCase is a deprecated setting.
SPs (*) that, following the announcement in [1], modified the ignoreCase attribute defined on the PathRegex element of the configuration file (shibboleth2.xml) should update the SP and then replace ignoreCase with caseSensitive as follows.

- If ignoreCase=true, replace it with caseSensitive=true.
  (upper and lower case are distinguished)

- If ignoreCase=false, replace it with caseSensitive=false.
  (upper and lower case are not distinguished)

(*) - If you are unsure whether you made the correction at the time of the previous announcement, check whether the ignoreCase of <PathRegex> matches the behaviour you expect. If the setting as written is the opposite of the expected behaviour, the correction has already been made. In either case, after updating the SP, replace it with a caseSensitive value that matches the expected behaviour. Also, if you find a <PathRegex> on which neither attribute is specified, we recommend inserting an appropriate caseSensitive to remove the ambiguity.

Also, since the ignoreCase attribute on the other elements (RuleRegex, HostRegex) likewise becomes a deprecated setting, we recommend replacing it with caseSensitive if you use it.

For ignoreCase attributes on elements other than PathRegex, there is no problem of inverted evaluation as announced in [1], so replace them as follows.

- If ignoreCase=false, replace it with caseSensitive=true.
  (upper and lower case are distinguished)

- If ignoreCase=true, replace it with caseSensitive=false.
  (upper and lower case are not distinguished)

References:

[1] [upki-fed:01044] About the Shibboleth SP vulnerability (2016/5/6)
https://www.gakunin.jp/ml-archives/upki-fed/msg01032.html

[2] Service Provider V2.6.0 Now Available
https://wiki.shibboleth.net/confluence/display/NEWS/2016/06/29/Service+Provider+V2.6.0+Now+Available
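As an added example that is not code from this mailing-list post or from the Shibboleth project: a small Python helper that applies the replacement rules above to a constructed RequestMap fragment. The flag pathregex_already_inverted, the sample host name and regexes are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

NS = "urn:mace:shibboleth:2.0:native:sp:config"  # shibboleth2.xml default namespace
REGEX_ELEMENTS = {"PathRegex", "RuleRegex", "HostRegex"}

# Constructed sample RequestMap (an assumption for this example, not a real deployment).
SAMPLE = """<RequestMap xmlns="urn:mace:shibboleth:2.0:native:sp:config" applicationId="default">
  <Host name="sp.example.org">
    <PathRegex regex="^/secure/" ignoreCase="false" authType="shibboleth" requireSession="true"/>
    <PathRegex regex="^/admin/" authType="shibboleth" requireSession="true"/>
  </Host>
  <HostRegex regex="^dev" ignoreCase="true" authType="shibboleth"/>
</RequestMap>"""

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # strip the {namespace} prefix ElementTree adds

def _is_true(value):
    return value.strip().lower() in ("true", "1")

def migrate_ignore_case(xml_text, pathregex_already_inverted, default_case_sensitive=False):
    """Replace deprecated ignoreCase with caseSensitive; return (xml, change log).
    pathregex_already_inverted=True means the PathRegex values were already flipped
    per the 2016/5/6 announcement (ignoreCase=true meant case-sensitive) and carry
    over unchanged; unflipped PathRegex and RuleRegex/HostRegex values are negated.
    """
    ET.register_namespace("", NS)  # keep xmlns="..." rather than an ns0: prefix on output
    root = ET.fromstring(xml_text)
    changes = []
    for elem in root.iter():
        name = _local(elem.tag)
        if name not in REGEX_ELEMENTS:
            continue
        ignore = elem.attrib.pop("ignoreCase", None)  # remove the deprecated attribute
        if ignore is not None:
            keep = name == "PathRegex" and pathregex_already_inverted
            sensitive = _is_true(ignore) if keep else not _is_true(ignore)
        elif name == "PathRegex" and "caseSensitive" not in elem.attrib:
            sensitive = default_case_sensitive  # neither attribute: make the choice explicit
        else:
            continue
        elem.set("caseSensitive", "true" if sensitive else "false")
        changes.append(f"{name} {elem.get('regex')}: ignoreCase={ignore} -> caseSensitive={elem.get('caseSensitive')}")
    return ET.tostring(root, encoding="unicode"), changes

def case_sensitive_settings(xml_text):
    """(element name, regex) -> caseSensitive value, for reviewing a migrated file."""
    root = ET.fromstring(xml_text)
    return {(_local(e.tag), e.get("regex")): e.get("caseSensitive")
            for e in root.iter() if _local(e.tag) in REGEX_ELEMENTS}
```

Review the returned change log before writing the result back, since the value chosen for PathRegex elements that had neither attribute is a deployment decision.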






On 2016/05/06 14:24, National Institute of Informatics, GakuNin Office, Noda wrote:
To the members of the GakuNin information exchange ML: this is Noda of the GakuNin Office, National Institute of Informatics.
Thank you for your continued cooperation in the operation of GakuNin.



The Shibboleth Project has published vulnerability information concerning Shibboleth SP. Where it applies to you, please take the action described below.

----------------------------------------------------------------------
A defect has been found in which the evaluation of the ignoreCase attribute of the PathRegex element in Shibboleth SP configuration files such as shibboleth2.xml is inverted. Because of this defect, PathRegex is evaluated as follows. The default value is true.

- With ignoreCase=true:  case-sensitive (upper and lower case are distinguished)
- With ignoreCase=false: case-insensitive (upper and lower case are not distinguished)

If you use the PathRegex element, check whether the ignoreCase attribute is defined and configure it as follows.

- If the ignoreCase attribute is defined, invert its value.
   (change "true" to "false", and "false" to "true")

- If the ignoreCase attribute is not defined, set ignoreCase="false".

After the above configuration change, no restart of the web server or shibd is required.

The new Shibboleth SP version V2.6.0, scheduled for release in the summer, provides a new attribute, "caseSensitive".
Accordingly, the conventional ignoreCase becomes a deprecated setting, and a warning message will be written to the log when ignoreCase is in use.

For details, please see the references below.

References:

[1] shibboleth2.xml configuration Wiki:
https://wiki.shibboleth.net/confluence/x/RYBC

[2] URL for this Security Advisory:
https://shibboleth.net/community/advisories/secadv_20160504.txt




--
=========================================================
　National Institute of Informatics, Academic Infrastructure Division, GakuNin Office (contact: Noda)
　TEL: 03-4212-2218　xxxxxxxxxxxxxxx@xxxxxxxxx
　GakuNin web page    https://www.gakunin.jp/
　Application system  https://office.gakunin.nii.ac.jp/
=========================================================