A flaw was found in Shibboleth XMLTooling-C. Versions before 1.6.3 mishandles digital signatures of user attribute data, which allows remote attackers to obtain sensitive information or conduct impersonation attacks via a crafted DTD.
The Service Provider software relies on a generic XML parser to process SAML responses and there are limitations in older versions of the parser that make it impossible to fully disable Document Type Definition (DTD) processing. Through addition/manipulation of a DTD, it's possible to make changes to an XML document that do not break a digital signature but are mishandled by the SP and its libraries. These manipulations can alter the user data passed through to applications behind the SP and result in impersonation attacks and exposure of protected information.
Created xmltooling tracking bugs for this issue:
Affects: fedora-all [bug 1534648]
Only C++ versions of xmltooling are affected, not Java. Marking JON as not affected.
For the same reason Fuse is not affected either.
Chess: Can you check JPP and JDG?
JDG ships java version. Notaffected. JPP does not appear to ship, but would be a WONTFIX anyway.
Closing flaw. Nothing to do.