Your message dated Fri, 07 Feb 2020 08:39:36 +0000
with message-id <e1izzam-0003nq...@fasolo.debian.org>
and subject line Bug#949322: fixed in python-pysaml2 4.5.0-7
has caused the Debian Bug report #949322,
regarding python-pysaml2: CVE-2020-5390
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
949322: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=949322
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: python-pysaml2
Version: 4.5.0-5
Severity: grave
Tags: security upstream
Justification: user security hole
Control: found -1 4.5.0-4

Hi,

The following vulnerability was published for python-pysaml2.

CVE-2020-5390[0]:
| PySAML2 before 5.0.0 does not check that the signature in a SAML
| document is enveloped and thus signature wrapping is effective, i.e.,
| it is affected by XML Signature Wrapping (XSW). The signature
| information and the node/object that is signed can be in different
| places and thus the signature verification will succeed, but the wrong
| data will be used. This specifically affects the verification of
| assertions that have been signed.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-5390
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5390
[1] https://github.com/IdentityPython/pysaml2/commit/5e9d5acbcd8ae45c4e736ac521fd2df5b1c62e25

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
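The report above describes the failure mode in prose: a signature that verifies over one element is taken as covering a different element. The following is an added example (not pysaml2's code and not the upstream patch) that models the structural invariant such a fix has to enforce: the node the application is about to trust must itself contain exactly one ds:Signature, that signature's single ds:Reference must point back at that node's ID, and the ID must be unique in the document. Cryptographic verification of ds:SignatureValue is assumed to be done separately (for example by xmlsec) and is deliberately left out; the SAML documents, IDs and NameIDs are constructed for the demonstration and the signature values are placeholders.

```python
"""
Structural enveloped-signature check against XML Signature Wrapping (XSW).
Added example; not pysaml2 code. Only the *placement* of the signature is
checked; the crypto check of ds:SignatureValue is assumed to happen elsewhere.
"""
import xml.etree.ElementTree as ET

NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS_DS = "http://www.w3.org/2000/09/xmldsig#"
TAG_ASSERTION = "{%s}Assertion" % NS_SAML
TAG_SIGNATURE = "{%s}Signature" % NS_DS
TAG_REFERENCE = "{%s}Reference" % NS_DS
NAMEID_PATH = "{%s}Subject/{%s}NameID" % (NS_SAML, NS_SAML)


def naive_pick_assertion(doc):
    """Vulnerable pattern: trust the first Assertion in document order
    because *some* signature in the document verified."""
    return doc.find(".//" + TAG_ASSERTION)


def signed_node_is_enveloped(doc, node):
    """Return (ok, reason) for the exact node the application is about to trust.
    ok requires: node ID unique in the document; exactly one ds:Signature as a
    *direct child* of node; that signature's single ds:Reference URI equals
    '#' + node ID. Anything else means the signature covers a different node."""
    node_id = node.get("ID")
    if not node_id:
        return False, "node has no ID"
    holders = [e for e in doc.iter() if e.get("ID") == node_id]
    if len(holders) != 1:
        return False, "ID %r occurs %d times" % (node_id, len(holders))
    sigs = [c for c in node if c.tag == TAG_SIGNATURE]
    if len(sigs) != 1:
        return False, "expected 1 enveloped ds:Signature, found %d" % len(sigs)
    refs = list(sigs[0].iter(TAG_REFERENCE))
    if len(refs) != 1:
        return False, "expected 1 ds:Reference, found %d" % len(refs)
    uri = refs[0].get("URI", "")
    if uri != "#" + node_id:
        return False, "Reference URI %r does not point at this node" % uri
    return True, "ok"


# --- constructed test documents; signature values are placeholders ----------
SIGNATURE_OVER_A1 = (
    '<ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>'
    '<ds:SignatureValue>constructed-placeholder</ds:SignatureValue></ds:Signature>'
)
SIGNED_ASSERTION = (
    '<saml:Assertion ID="_a1"><saml:Subject><saml:NameID>alice</saml:NameID>'
    '</saml:Subject>%s</saml:Assertion>' % SIGNATURE_OVER_A1
)


def response(*children):
    return ('<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" xmlns:ds="%s" ID="_r1">%s'
            '</samlp:Response>' % (NS_SAMLP, NS_SAML, NS_DS, "".join(children)))


def forged(name, id_, inner=""):
    """Attacker-controlled, unsigned assertion for NameID `name`."""
    return ('<saml:Assertion ID="%s"><saml:Subject><saml:NameID>%s</saml:NameID>'
            '</saml:Subject>%s</saml:Assertion>' % (id_, name, inner))


DOCS = {
    "legit": response(SIGNED_ASSERTION),
    # XSW: forged assertion first, with a copied Signature still pointing at
    # #_a1; the genuinely signed assertion is parked in a wrapper element.
    "xsw_copied_signature": response(
        forged("admin", "_evil", SIGNATURE_OVER_A1),
        "<samlp:Extensions>%s</samlp:Extensions>" % SIGNED_ASSERTION),
    # XSW: forged assertion swallows the signed original as a child.
    "xsw_nested": response(forged("admin", "_evil", SIGNED_ASSERTION)),
    # XSW: forged assertion reuses the signed ID so '#_a1' is ambiguous.
    "xsw_duplicate_id": response(
        forged("admin", "_a1"),
        "<samlp:Extensions>%s</samlp:Extensions>" % SIGNED_ASSERTION),
}


def evaluate(xml_text):
    """Return (NameID the naive code would trust, ok, reason) for one document."""
    doc = ET.fromstring(xml_text)
    node = naive_pick_assertion(doc)
    ok, reason = signed_node_is_enveloped(doc, node)
    return node.find(NAMEID_PATH).text, ok, reason


if __name__ == "__main__":
    for label, xml in DOCS.items():
        print("%-22s naive_trusts=%-6s accepted=%s (%s)" % ((label,) + evaluate(xml)))
```

In every wrapped variant the naive code would act on the attacker's "admin" assertion while a signature elsewhere in the document verifies over the real one; the structural check rejects each variant for a different, specific reason (reference points elsewhere, no enveloped signature, ambiguous ID). The check has to run on the node that is actually consumed, not on whichever node the signature happens to reference.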
--- Begin Message ---
Source: python-pysaml2
Source-Version: 4.5.0-7

We believe that the bug you reported is fixed in the latest version of
python-pysaml2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 949...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <z...@debian.org> (supplier of updated python-pysaml2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 07 Feb 2020 09:12:46 +0100
Source: python-pysaml2
Architecture: source
Version: 4.5.0-7
Distribution: unstable
Urgency: high
Maintainer: Debian OpenStack <team+openst...@tracker.debian.org>
Changed-By: Thomas Goirand <z...@debian.org>
Closes: 949227 949322
Changes:
 python-pysaml2 (4.5.0-7) unstable; urgency=high
 .
   [ Ondřej Nový ]
   * Run wrap-and-sort -bastk.
   * Use 'python3 -m sphinx' instead of sphinx-build for building docs.
 .
   [ Thomas Goirand ]
   * CVE-2020-5390: does not check that the signature in a SAML document is
     enveloped and thus signature wrapping is effective, i.e., it is affected by
     XML Signature Wrapping (XSW). Applied upstream patch: Fix XML Signature
     Wrapping (XSW) vulnerabilities (Closes: #949322).
   * Remove a test file that will fail past 2020-11-28 (Closes: #949227).
Checksums-Sha1:
 37540f30f18bbe0ffe21d6be9f9b5c8e75b33b36 2519 python-pysaml2_4.5.0-7.dsc
 1de54c080086eaa970ad07e91b2840d4c3bef33b 15004 python-pysaml2_4.5.0-7.debian.tar.xz
 108c5a3309be12bd0ced0d37c3dc62293fb71e4e 8671 python-pysaml2_4.5.0-7_amd64.buildinfo
Checksums-Sha256:
 35a6d4b939a06a45f4a74d896ef2497b0e8e57e196884a79efe097907c3213b8 2519 python-pysaml2_4.5.0-7.dsc
 b3551f8c5bcfd2d4600cf4edda06e0c48d09a8fcf4ff47b0b72b060bda1b9f8a 15004 python-pysaml2_4.5.0-7.debian.tar.xz
 4f8871744da45038eb5bae4dd39781fc55785165dae15d1e3be6b0db39ccfa48 8671 python-pysaml2_4.5.0-7_amd64.buildinfo
Files:
 bf519d2d7ec2d9674240538af9503ce3 2519 python optional python-pysaml2_4.5.0-7.dsc
 a159ce99f129fa818cbfd582f4fd0879 15004 python optional python-pysaml2_4.5.0-7.debian.tar.xz
 7456418e96b9ef3f19f85a67b8fa6483 8671 python optional python-pysaml2_4.5.0-7_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
