OpenSAML-C PlusPlus library and service provider advisory
Applies to
- EZproxy
Answer
A parameter manipulation vulnerability has been reported when using C++ and versions of the OpenSAML library below V3.3.1.
Is EZproxy affected? No, EZproxy is not impacted. It is not coded in C++ and does not utilize any OpenSAML library.
Key points regarding EZproxy's implementation include:
- No usage of OpenSAML headers, dependencies, or function calls.
- SAML functionality is implemented using XMLSec, OpenSSL, and custom code.
- Dependencies include libxmlsec1.a, libxmlsec1-openssl.a, libxml2.a, libssl.a, and libcrypto.a.
- There are no references to OpenSAML in the build configuration.
Additional information
For more details on this advisory, please refer to: https://shibboleth.net/pipermail/ann...ch/000337.html