-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Subject: [Important] CVE-2016-8638: SAML2: DoS via logging out all open SAML2 sessions

Description
===========

A vulnerability was found in Ipsilon that allows an attacker to log out the active sessions of other users. The issue lies in how Ipsilon tracks sessions, and it allows an unauthenticated attacker to view and terminate the active sessions of other users.

Affected versions
=================

All versions of Ipsilon 2.0 before 2.0.2 are vulnerable.
All versions of Ipsilon 1.2 before 1.2.1 are vulnerable.
All versions of Ipsilon 1.1 before 1.1.2 are vulnerable.
All versions of Ipsilon 1.0 before 1.0.3 are vulnerable.

Patched versions
================

Ipsilon versions 2.0.2, 1.2.1, 1.1.2 and 1.0.3 are available immediately, and all include patches that fix this problem.

Credit
======

This issue was reported by Patrick Uiterwijk of Red Hat and Howard Johnson.

Link
====

This advisory is available at https://ipsilon-project.org/advisory/CVE-2016-8638.txt
The version on the website may be updated as more information becomes available.