** Description changed:
[Impact]
Bionic released with version 2 of the Shibboleth Service Provider (and
its accompanying dependencies) and with OpenSSL 1.1. However, the SPv2
isn't compatible with OpenSSL 1.1, only 1.0 (and earlier), and was
therefore shipped compiled against 1.0. This created a mix of OpenSSL
and libcurl versions between the Apache module that the Shibboleth SP
provides (mod_shib) and other modules, thus rendering mod_shib
uninstallable alongside other modules (that depend on libcurl4) because
of that conflict. Not being able to use mod_shib and mod_php with php-
curl -- for example -- together greatly reduces the usefulness of the
Shibboleth SPv2 in bionic, see LP#1776489. Version 3 of the Shibboleth
SP is compatible with OpenSSL 1.1 and having it available for bionic
would allow users to install it together with other Apache modules.
Moreover, the SPv2 suffers from a few security issues (LP#1636590) which
have since been fixed upstream and v2 is no longer supported upstream
(EOL, LP#1812401).
I propose to update the following source packages in bionic:
- - shibboleth-sp to 3.0.4 (sync request for disco LP#1822055)
- - opensaml to 3.0.1 (sync request for disco LP#1823325)
- - xmltooling to 3.0.4
- - xml-security-c to 2.0.2
- - log4shib to 2.0.0
- - shibboleth-resolver 3.0.0
+ - shibboleth-sp [not in Bionic] to 3.0.4 (sync request for disco LP#1822055)
+ - opensaml [not in Bionic] to 3.0.1 (sync request for disco LP#1823325)
+ - xmltooling from 1.6.4-1ubuntu2.1 [Cosmic 3.0.2-1ubuntu1.1] to 3.0.4
+ - xml-security-c from 1.7.3-4ubuntu0.1 [Cosmic 2.0.1-1] to 2.0.2
+ - log4shib from 1.0.9-3 to 2.0.0
+ - shibboleth-resolver from 1.0.0-1build4 to 3.0.0
[Test Case]
# apt install apache2 libapache2-mod-shib2
[...]
# apt install libapache2-mod-php php-curl
Reading package lists... Done
Building dependency tree
Reading state information... Done
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:
The following packages have unmet dependencies:
php-curl : Depends: php7.2-curl but it is not going to be installed
E: Unable to correct problems, you have held broken packages.
# apt install php7.2-curl
Reading package lists... Done
Building dependency tree
Reading state information... Done
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:
The following packages have unmet dependencies:
php7.2-curl : Depends: libcurl4 (>= 7.44.0) but it is not going to be
installed
E: Unable to correct problems, you have held broken packages.
# apt install libcurl4
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages were automatically installed and are no longer
required:
libcurl3-gnutls libfcgi-bin libfcgi0ldbl liblog4shib1v5 libltdl7
libmemcached11 libodbc1 libssl1.0.0 libxerces-c3.2 libxml-security-c17v5
opensaml2-schemas shibboleth-sp2-common xmltooling-schemas
Use 'apt autoremove' to remove them.
The following packages will be REMOVED:
libapache2-mod-shib2 libcurl3 libsaml9 libshibsp-plugins libshibsp7
libxmltooling7 shibboleth-sp2-utils
The following NEW packages will be installed:
libcurl4
0 upgraded, 1 newly installed, 7 to remove and 0 not upgraded.
Need to get 214 kB of archives.
After this operation, 18.7 MB disk space will be freed.
Do you want to continue? [Y/n] n
Abort.
[Regression Potential]
A new version can, of course, bring new bugs and security vulnerabilities.
Catching up to SPv3 would at least give us an upstream-supported version.
Shibboleth SP 3.0.4 and its dependencies are, as of this writing, all in Debian
testing without any major bug.
** Also affects: xml-security-c (Ubuntu Cosmic)
Importance: Undecided
Status: New
** Also affects: opensaml (Ubuntu Cosmic)
Importance: Undecided
Status: New
** Also affects: shibboleth-sp (Ubuntu Cosmic)
Importance: Undecided
Status: New
** Also affects: xmltooling (Ubuntu Cosmic)
Importance: Undecided
Status: New
** Also affects: opensaml2 (Ubuntu Cosmic)
Importance: Undecided
Status: New
** Also affects: shibboleth-sp2 (Ubuntu Cosmic)
Importance: Undecided
Status: New
** Also affects: shibboleth-resolver (Ubuntu Cosmic)
Importance: Undecided
Status: New
** Also affects: log4shib (Ubuntu Cosmic)
Importance: Undecided
Status: New
** Also affects: xml-security-c (Ubuntu Bionic)
Importance: Undecided
Status: New
** Also affects: opensaml (Ubuntu Bionic)
Importance: Undecided
Status: New
** Also affects: shibboleth-sp (Ubuntu Bionic)
Importance: Undecided
Status: New
** Also affects: xmltooling (Ubuntu Bionic)
Importance: Undecided
Status: New
** Also affects: opensaml2 (Ubuntu Bionic)
Importance: Undecided
Status: New
** Also affects: shibboleth-sp2 (Ubuntu Bionic)
Importance: Undecided
Status: New
** Also affects: shibboleth-resolver (Ubuntu Bionic)
Importance: Undecided
Status: New
** Also affects: log4shib (Ubuntu Bionic)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1822069
Title:
SRU: Shibboleth SPv3 for bionic
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/log4shib/+bug/1822069/+subscriptions
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
