Shibboleth security vulnerability

Created by Stuart Yeates (University of Oxford) on June 27, 2006
A security vulnerability has been found in Shibboleth, from Internet2. If you are running Shibboleth in anger, update to the latest version immediately. From the wiki page:

The cause of the bug is the many-to-one mapping of header names to CGI variable names due to upcasing and replacement of some separator characters with underscores. It's exacerbated by the fact that different web servers use different rules, particularly with regard to how non-alphanumeric characters are handled. Some are turned to underscores, and some are left alone, resulting in strange or even technically invalid CGI variable names. The unpredictability makes it difficult to prevent a client from sending a creatively malformed header that will map to an expected CGI variable reserved by an application for a particular user attribute. The techniques used to "clear" client-sent headers that might conflict were inadequate.

Shibboleth is an authentication and authorisation framework, and is most commonly presented to web surfers as some variant of "single sign on."

I'm lucky that the project I'm using Shibboleth on (the Sakai VRE demonstrator project) is not yet in production mode, and because we're not actually protecting any resources or serving any real users we can just shut it down until we have time to upgrade. Even though it doesn't let anyone access anything, we can't leave it up, because Shibboleth presents user attributes (or properties), thus potentially leaking user information.
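The wiki text above describes the root cause abstractly: several distinct HTTP header names collapse onto one CGI variable name once a server upper-cases them and turns separators into underscores, so a filter that only matches the literal attribute header name misses the aliases. The following is an added illustration written for this post, not Shibboleth code; it models the RFC 3875 mapping (upper-case, "-" to "_") plus a deliberately more lenient rule standing in for the per-server differences the quote mentions (an assumption, not a copy of any real server), and contrasts an exact-name filter with one that compares canonical CGI names. The attribute name `Shib-EP-Affiliation` and the client headers are constructed sample values.

```python
"""Model of the header-name -> CGI-variable-name collision and two filters.
Added example, not part of the original post or of Shibboleth itself."""
import re
from typing import Callable, Dict, List, Set, Tuple

# RFC 3875 style mapping: prefix HTTP_, upper-case, '-' becomes '_'.
def cgi_name_strict(header: str) -> str:
    return "HTTP_" + header.upper().replace("-", "_")

# Modelled lenient server (assumption): every non-alphanumeric becomes '_'.
# Stands in for the differing per-server rules the wiki text refers to.
def cgi_name_lenient(header: str) -> str:
    return "HTTP_" + re.sub(r"[^A-Za-z0-9]", "_", header.upper())

SERVER_RULES: Tuple[Callable[[str], str], ...] = (cgi_name_strict, cgi_name_lenient)

# Attribute headers the application reserves (constructed sample).
PROTECTED_HEADERS = ["Shib-EP-Affiliation"]
# The CGI variable names those headers are expected to occupy.
RESERVED: Set[str] = {cgi_name_strict(h) for h in PROTECTED_HEADERS}

# Constructed client request headers, including two aliases of the reserved name.
CLIENT_HEADERS: Dict[str, str] = {
    "Host": "sp.example.org",
    "Shib-EP-Affiliation": "member",   # literal name: caught by both filters
    "Shib_EP_Affiliation": "member",   # '_' for '-': same strict CGI name
    "shib.ep.affiliation": "member",   # '.' -> '_' only under the lenient rule
    "User-Agent": "constructed-sample",
}

def collides(header: str, reserved: Set[str]) -> bool:
    """True if the header maps, under any modelled server rule, to a reserved variable."""
    return any(rule(header) in reserved for rule in SERVER_RULES)

def filter_by_exact_name(headers: Dict[str, str],
                         protected: List[str]) -> Tuple[Dict[str, str], List[str]]:
    """The inadequate approach: drop only headers whose literal name is protected."""
    names = {p.lower() for p in protected}
    kept = {h: v for h, v in headers.items() if h.lower() not in names}
    dropped = [h for h in headers if h.lower() in names]
    return kept, dropped

def filter_by_cgi_name(headers: Dict[str, str],
                       reserved: Set[str]) -> Tuple[Dict[str, str], List[str]]:
    """Compare canonical CGI names under every rule, so aliases are dropped too."""
    kept = {h: v for h, v in headers.items() if not collides(h, reserved)}
    dropped = [h for h in headers if collides(h, reserved)]
    return kept, dropped

if __name__ == "__main__":
    _, weak = filter_by_exact_name(CLIENT_HEADERS, PROTECTED_HEADERS)
    _, strong = filter_by_cgi_name(CLIENT_HEADERS, RESERVED)
    print("exact-name filter dropped:", weak)
    print("canonical filter dropped: ", strong)
```

The exact-name filter removes only `Shib-EP-Affiliation`; the two aliases survive and would occupy `HTTP_SHIB_EP_AFFILIATION` on a server that applies the lenient rule. Comparing after canonicalisation, under every mapping the deployment might see, is the property a header-clearing step has to have; the checking order (clear client headers first, then export attributes) also matters, but that is outside this model.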