1. Forum
  2. Usenet
  3. LINUX.DEBIAN.CHANGES

  • Accepted opensaml 3.2.1-3+deb12u1 (source) into proposed-updates

    From Debian FTP Masters@21:1/5 to All on Wed Mar 19 20:50:01 2025
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA512

    Format: 1.8
    Date: Fri, 14 Mar 2025 21:47:50 +0100
    Source: opensaml
    Architecture: source
    Version: 3.2.1-3+deb12u1
    Distribution: bookworm-security
    Urgency: high
    Maintainer: Debian Shib Team <pkg-shibboleth-devel@alioth-lists.debian.net> Changed-By: Ferenc Wágner <wferi@debian.org>
    Closes: 1100464
    Changes:
    opensaml (3.2.1-3+deb12u1) bookworm-security; urgency=high
    .
    * [b3e86fd] New patch: CPPOST-126 - Simple signature verification fails to
    detect parameter smuggling.
    Security fix cherry-picked from v3.3.1 (upstream commit
    22a610b322e2178abd03e97cdbc8fb50b45efaee).
    Parameter manipulation allows the forging of signed SAML messages
    =================================================================
    A number of vulnerabilities in the OpenSAML library used by the
    Shibboleth Service Provider allowed for creative manipulation of
    parameters combined with reuse of the contents of older requests
    to fool the library's signature verification of non-XML based
    signed messages.
    Most uses of that feature involve very low or low impact use cases
    without critical security implications; however, there are two
    scenarios that are much more critical, one affecting the SP and
    one affecting some implementers who have implemented their own
    code on top of our OpenSAML library and done so improperly.
    The SP's support for the HTTP-POST-SimpleSign SAML binding for
    Single Sign-On responses is its critical vulnerability, and
    it is enabled by default (regardless of what one's published
    SAML metadata may advertise).
    The other critical case involves a mistake that does *not*
    impact the Shibboleth SP, allowing SSO to occur over the
    HTTP-Redirect binding contrary to the plain language of the
    SAML Browser SSO profile. The SP does not support this, but
    other implementers may have done so.
    Contrary to the initial publication of this advisory, there is no
    workaround within the SP configuration other than to remove the
    "SimpleSigning" security policy rule from the security-policy.xml
    file entirely.
    That will also prevent support of legitimate signed requests or
    responses via the HTTP-Redirect binding, which is generally used
    only for logout messages within the SP itself. Removing support
    for that binding in favor of HTTP-POST in any published metadata
    is an option of course.
    Full advisory:
    https://shibboleth.net/community/advisories/secadv_20250313.txt
    Thanks to Scott Cantor (Closes: #1100464)
    Checksums-Sha1:
    22cd592016a1f2668925c004fd5873ebb365769a 2769 opensaml_3.2.1-3+deb12u1.dsc
    046bd41c342174050be8ee370ba681c6a45c76d8 600699 opensaml_3.2.1.orig.tar.bz2
    8b962fb6269e4c524f8681226ed52ffa807d6a42 833 opensaml_3.2.1.orig.tar.bz2.asc
    4b56709c4c0b64b633837f26a980b8ee245bbebc 20452 opensaml_3.2.1-3+deb12u1.debian.tar.xz
    5b36473a702919f4123b17fb236f20cc233bb082 11770 opensaml_3.2.1-3+deb12u1_amd64.buildinfo
    Checksums-Sha256:
    e6108b5348f40a95cc2f972325de5c8eb38b358e702dd05e35b04eb18361df11 2769 opensaml_3.2.1-3+deb12u1.dsc
    b402a89a130adcb76869054b256429c1845339fe5c5226ee888686b6a026a337 600699 opensaml_3.2.1.orig.tar.bz2
    406847d5adee9400ddc4646580cafd9bd727a8eecb955fb0987a05ec0f2159e0 833 opensaml_3.2.1.orig.tar.bz2.asc
    7c5c1470b5d9dab3fcabca1d7683525dbeee8f566977d7aaddf7040f24db0fd0 20452 opensaml_3.2.1-3+deb12u1.debian.tar.xz
    641e7f422c7f3bfc41ee4b01f47c4d7c87ec6e2c82868c769df699d1fd5747b2 11770 opensaml_3.2.1-3+deb12u1_amd64.buildinfo
    Files:
    a025e9c730fa564cc162dc9fb1abed4e 2769 libs optional opensaml_3.2.1-3+deb12u1.dsc
    a4c08783eb5078be3bbe2ca6b6c7b806 600699 libs optional opensaml_3.2.1.orig.tar.bz2
    4d2a57e6af9cb2d36702352e1fd8b806 833 libs optional opensaml_3.2.1.orig.tar.bz2.asc
    464f94347af15f78b0e7ad5092b0db18 20452 libs optional opensaml_3.2.1-3+deb12u1.debian.tar.xz
    066fd348e10cd1c34b27323a62fc5277 11770 libs optional opensaml_3.2.1-3+deb12u1_amd64.buildinfo

    -----BEGIN PGP SIGNATURE-----

    iQIzBAEBCgAdFiEEwddEx0RNIUL7eugtOsj3Fkd+2yMFAmfUl54ACgkQOsj3Fkd+ 2yMwIxAAl3Qq18XRVULWG1oaM3CBqYt0DpZUfVWp81Fwbpwc33M+SGhXm8NQgau8 A6myAinVKNnJ0uoKQxu8JeU7uG7/neRHwFotX/cYq285VceMn0yI7xQiOU7wc/2N oKAvIb9UvgIYbb1hzmNcnhWln8mlyIhTDRSfU3CF2ZB/9W+DSvOhbAPUocws1VR+ 5wSESfE6BeBgJEahX9IA2TcOZPgia8qo9pcSkK8ZG+46Ky7kYPo3zsM7mSJTU2O0 bMtSAoZcTpCoqYgC5FHP/SobJrLjs68wINXrD3vjbLfXC81ehjybUDMUAGnd/ayP ImES2YzTwELpMWnd+TIRIKP03cvt4waG8EMlsNE8PmcbWftjaNR+5x8JnSdJM3Va gzz6NkgR8I8HpKelyInBVxL8jY+Yt5pHYa/457AXV6ycwW6gvVgCkh9Jit5p+cPD NgPcugvvLCEq6w2s4789Gadzi3NgDqOpzz0w0E9Y84KK/Mun7806YGyhB/2gznu+ 8w5hMDcLjwIlyzpWhCIHdXiHtiikZ7h6PgoEV+q4fMgPxeFpJ9W5EC+S4imVgzPa 7ifkVxoV3mZhI2V9kYjGW75Wy3E7tz56/i6b9QjPgl/XJg6/bbyI148gFPdiK0Sj OxhceeIRyhnHPx4gnH8m5Qsicpb5iUNpIX6YhqJ83zd6Ix03PcI=
    =nInB
    -----END PGP SIGNATURE-----


    --==============ë15089231129720339=Content-Type: application/pgp-signature

    -----BEGIN PGP SIGNATURE-----

    iHUEABYIAB0WIQTziqJOuF8J+ZI8pJSb9qggYcy5IQUCZ9sfRQAKCRCb9qggYcy5 IYT9AP4ppZ3QS97QZ9PPcEP0jbpDhc3fjRkM99Vfgj43xyYxGwEAov2Et5Oj7MhW g7046CWH5h/jh6wJB7Lpb3sSb4UKoQ4=9yaV
    -----END PGP SIGNATURE-----

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)