Source: python-pysaml2
Version: 4.5.0-5
Severity: grave
Tags: security upstream
Justification: user security hole
Control: found -1 4.5.0-4

Hi,

The following vulnerability was published for python-pysaml2.

CVE-2020-5390[0]:
| PySAML2 before 5.0.0 does not check that the signature in a SAML
| document is enveloped and thus signature wrapping is effective, i.e.,
| it is affected by XML Signature Wrapping (XSW). The signature
| information and the node/object that is signed can be in different
| places and thus the signature verification will succeed, but the wrong
| data will be used. This specifically affects the verification of
| assertion that have been signed.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-5390
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5390
[1] https://github.com/IdentityPython/pysaml2/commit/5e9d5acbcd8ae45c4e736ac521fd2df5b1c62e25

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
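The "enveloped" condition named in the CVE description, written out as a structural check. This is an added example, not part of the report and not pysaml2's code or the upstream fix in [1]. The function names and the sample documents are hypothetical and constructed for illustration. The check complements cryptographic signature verification and does not replace it.

```python
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

def signature_is_enveloped(root, assertion):
    """True only if the ds:Signature is a direct child of this assertion and
    its single Reference points back at this assertion's own, unique ID."""
    assertion_id = assertion.get("ID")
    if not assertion_id:
        return False
    # The ID must be unique, or "#ID" could resolve to another node.
    if sum(1 for el in root.iter() if el.get("ID") == assertion_id) != 1:
        return False
    sigs = assertion.findall("ds:Signature", NS)  # direct children only
    if len(sigs) != 1:
        return False
    refs = sigs[0].findall("ds:SignedInfo/ds:Reference", NS)
    return len(refs) == 1 and refs[0].get("URI") == "#" + assertion_id

def check_document(xml_text):
    """Return {assertion ID: bool} for every saml:Assertion in the document."""
    # Assumption: input is trusted sample data; parse untrusted XML with a
    # hardened parser such as defusedxml.
    root = ET.fromstring(xml_text)
    return {a.get("ID"): signature_is_enveloped(root, a)
            for a in root.iter("{%s}Assertion" % NS["saml"])}

# Constructed sample input (structure only, no real signature values).
def sample(assertion_id, reference_uri):
    return (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="%s" xmlns:ds="%s">'
        '<saml:Assertion ID="%s"><ds:Signature><ds:SignedInfo>'
        '<ds:Reference URI="%s"/></ds:SignedInfo></ds:Signature>'
        '<saml:Subject/></saml:Assertion></samlp:Response>'
        % (NS["saml"], NS["ds"], assertion_id, reference_uri)
    )

if __name__ == "__main__":
    print(check_document(sample("_a1", "#_a1")))  # reference matches the assertion
    print(check_document(sample("_a2", "#_a1")))  # reference points elsewhere
```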