* Advisory ID: DRUPAL-SA-CONTRIB-2017-043
* Project: Shibboleth authentication
* Version: 7.x
* Date: 2017-May-03
* Security risk: 13/25 ( Moderately Critical)
* Vulnerability: Access bypass, Information Disclosure
This module enables you to login via Shibboleth.
The module doesn't sufficiently logout the user when the shib session
expires, which depending on the caching mechanism makes private data public.
This vulnerability is mitigated by the fact that shib_auth would have to be
used in combination with a caching mechanism which caches content for
* 7.x-4.x versions prior to 7.x-4.4.
Drupal core is not affected. If you do not use the contributed Shibboleth
authentication module, there is nothing you need to do.
Install the latest version:
* If you use the shib_auth module for Drupal 7.x, upgrade to shib_auth
Also see the Shibboleth authentication project page: https://www.drupal.org/project/shib_auth