Hi all,
We hereby announce the immediate availability of Ipsilon release 1.0.2 and 1.1.1.
These releases both have a fix for CVE-2015-5301[1].
This security issue made it possible for any authenticated user to remove a Service
Provider from Ipsilon, possibly resulting in a denial of service.
If you use the SAML2 identity provider plugin, we would suggest you update as soon
as possible.
These updates do not necessitate a database upgrade within the respective release paths.
More information on the releases can be viewed on the release pages for 1.0.2[2] and
1.1.1[3].
To download the newest release, please go to https://fedorahosted.org/ipsilon/wiki/Releases
[1]: https://access.redhat.com/security/cve/CVE-2015-5301
[2]: https://fedorahosted.org/ipsilon/wiki/Releases/v1.0.2
[3]: https://fedorahosted.org/ipsilon/wiki/Releases/v1.1.1
--
With kind regards,
Patrick Uiterwijk
Fedora Infra
On 10/01/2015 02:27 AM, Jamie Lennox wrote:
> Starting a new thread as there was nowhere that really made sense to
> inject into the old one.
>
> I rolled back ipsilon to 1.0 and have done some hacks to get it
> running again. I haven't pushed changes yet but they will be there by
> the time everyone gets up tomorrow.
>
> John, I'm hitting the transaction ID issue from 1.1 in 1.0 now.
[backtrace snipped for brevity]
> I'll have a quick look into the issue but I expect it's easier for you
> to handle it as you have already found the problem.
I can't explain why this problem reared its head or exactly what
changed in what version. However, the most expedient solution is to
remove the code that is causing the exception to be raised. This is safe
because the exception is being raised when trying to save a value for
later use, but no one uses that value; it was put there for
bullet-proofing rather than necessity. In hindsight, saving the SAML
binding in the transaction was probably ill-conceived because a binding
is specific to the current stage in a transaction series; as such, it
should be saved in a transaction.
Attached is the proposed patch; it just deletes a block of code.
Please try it and let me know if it solves the problem, or give me
access to your VMs and I'll try it myself.
> I haven't filed a bug anywhere, I wasn't sure if you'd done that already.
I have opened ipsilon ticket #177
(https://fedorahosted.org/ipsilon/ticket/177)
--
John