On Fri, Feb 07, 2020 at 09:59:58AM +0100, Thomas Goirand wrote:
> On 1/19/20 9:05 PM, Salvatore Bonaccorso wrote:
> > Source: python-pysaml2
> > Version: 4.5.0-5
> > Severity: grave
> > Tags: security upstream
> > Justification: user security hole
> > Control: found -1 4.5.0-4
> >
> > Hi,
> >
> > The following vulnerability was published for python-pysaml2.
> >
> > CVE-2020-5390[0]:
> > | PySAML2 before 5.0.0 does not check that the signature in a SAML
> > | document is enveloped and thus signature wrapping is effective, i.e.,
> > | it is affected by XML Signature Wrapping (XSW). The signature
> > | information and the node/object that is signed can be in different
> > | places and thus the signature verification will succeed, but the wrong
> > | data will be used. This specifically affects the verification of
> > | assertions that have been signed.
> >
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> >
> > For further information see:
> >
> > [0] https://security-tracker.debian.org/tracker/CVE-2020-5390
> >     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5390
> > [1] https://github.com/IdentityPython/pysaml2/commit/5e9d5acbcd8ae45c4e736ac521fd2df5b1c62e25
> >
> > Please adjust the affected versions in the BTS as needed.
> >
> > Regards,
> > Salvatore
>
> Hi Salvatore,
>
> Please find attached the debdiff for fixing this CVE. I've already
> uploaded the fix to Sid. Please let me know if it's ok to upload to
> buster-security. BTW, are source-only uploads fine for security-master?
Ack. Let's fix this via security.debian.org, the debdiff looks fine.

Source-only uploads are fine, but please consider #869184 (and note that
python-pysaml2 is new in buster-security, so it needs a -sa upload, as
ftp.debian.org and security.debian.org don't share tarballs).

stretch-security also seems affected; I'll prepare an update for it.

Cheers,
Moritz
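The CVE text quoted above describes the failure mode in the abstract: a signature that verifies, but over a node other than the one the service provider acts on. The following Python script, added here as an illustration and not taken from pysaml2 or from the upstream commit linked as [1], builds a signed SAML response, rewrites it into the XML Signature Wrapping layout (the signed assertion is tucked into the forged assertion's saml:Advice, the forged one takes its place), and then consumes it twice: once with the vulnerable pattern (verify whatever signature is found, read whatever assertion comes first) and once with an enveloped-signature check (the consumed assertion must itself carry the one ds:Signature, whose single Reference must point at that assertion's own ID, with no duplicate IDs in the document). Everything below is constructed: the sample documents, the helper names, and the "signature", which is a SHA-256 stand-in over the serialized element in place of real XMLDSig/xmlsec processing, so the example runs offline; a real deployment keeps the structural checks and delegates the cryptography to xmlsec.

```python
"""Added example: enveloped-signature check against XML Signature Wrapping (XSW).

Not pysaml2 code. The 'signature' is a constructed stand-in (SHA-256 of the
element serialized without its own ds:Signature child); real code delegates
that part to xmlsec and keeps only the structural checks shown here.
"""
import copy
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)


def _q(prefix, local):
    return "{%s}%s" % (NS[prefix], local)


def _digest(element):
    """Stand-in for XMLDSig: hash of `element` minus its own ds:Signature."""
    clone = copy.deepcopy(element)
    for sig in clone.findall("ds:Signature", NS):
        clone.remove(sig)
    return hashlib.sha256(ET.tostring(clone)).hexdigest()


def sign_assertion(assertion):
    """Append an enveloped (stand-in) signature referencing the assertion's ID."""
    sig = ET.SubElement(assertion, _q("ds", "Signature"))
    info = ET.SubElement(sig, _q("ds", "SignedInfo"))
    ET.SubElement(info, _q("ds", "Reference"), URI="#" + assertion.get("ID"))
    ET.SubElement(sig, _q("ds", "SignatureValue")).text = _digest(assertion)


def signature_verifies(element, sig):
    return sig.findtext("ds:SignatureValue", namespaces=NS) == _digest(element)


def build_response(name_id="alice", assertion_id="_a1"):
    """Constructed, legitimately signed samlp:Response for `name_id`."""
    resp = ET.Element(_q("samlp", "Response"))
    assertion = ET.SubElement(resp, _q("saml", "Assertion"), ID=assertion_id)
    subject = ET.SubElement(assertion, _q("saml", "Subject"))
    ET.SubElement(subject, _q("saml", "NameID")).text = name_id
    sign_assertion(assertion)
    return resp


def wrap_response(resp, forged_name_id="admin"):
    """XSW: keep the signed assertion intact (its signature still verifies),
    move it under a forged, unsigned assertion's saml:Advice, and put the
    forged assertion where the service provider reads."""
    resp = copy.deepcopy(resp)
    original = resp.find("saml:Assertion", NS)
    resp.remove(original)
    forged = ET.SubElement(resp, _q("saml", "Assertion"), ID="_forged")
    subject = ET.SubElement(forged, _q("saml", "Subject"))
    ET.SubElement(subject, _q("saml", "NameID")).text = forged_name_id
    ET.SubElement(forged, _q("saml", "Advice")).append(original)
    return resp


def naive_name_id(resp):
    """Vulnerable pattern: verify *a* signature found anywhere against the
    element its Reference resolves to (by ID, anywhere), then read the first
    Assertion. Verified node and consumed node need not be the same."""
    sig = resp.find(".//ds:Signature", NS)
    uri = sig.find("ds:SignedInfo/ds:Reference", NS).get("URI")
    target = next(e for e in resp.iter() if e.get("ID") == uri[1:])
    if not signature_verifies(target, sig):
        raise ValueError("bad signature")
    first = resp.find("saml:Assertion", NS)
    return first.findtext("saml:Subject/saml:NameID", namespaces=NS)


def enveloped_name_id(resp):
    """Hardened pattern: the assertion being consumed must carry exactly one
    ds:Signature as a direct child, whose single Reference points at that
    assertion's own ID; IDs must be unique; verify that same element."""
    ids = [e.get("ID") for e in resp.iter() if e.get("ID") is not None]
    if len(ids) != len(set(ids)):
        raise ValueError("duplicate ID attributes: reference is ambiguous")
    assertion = resp.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no assertion")
    sigs = assertion.findall("ds:Signature", NS)  # direct children only
    if len(sigs) != 1:
        raise ValueError("assertion must carry exactly one enveloped signature")
    refs = sigs[0].findall("ds:SignedInfo/ds:Reference", NS)
    if len(refs) != 1 or refs[0].get("URI") != "#" + str(assertion.get("ID")):
        raise ValueError("signature does not reference the enveloping assertion")
    if not signature_verifies(assertion, sigs[0]):
        raise ValueError("bad signature")
    return assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)


if __name__ == "__main__":
    legit = build_response()
    wrapped = wrap_response(legit)
    print(ET.tostring(wrapped, encoding="unicode"))
    print("naive:", naive_name_id(legit), "/", naive_name_id(wrapped))
    print("enveloped:", enveloped_name_id(legit))
    try:
        enveloped_name_id(wrapped)
    except ValueError as err:
        print("enveloped rejects wrapped document:", err)
```

Run as a script and the naive consumer reports "alice" for the genuine response but "admin" for the wrapped one, while the signature over the moved assertion still verifies; the enveloped check returns "alice" for the genuine response and rejects the wrapped one because the consumed assertion carries no signature of its own. The check deliberately works from the element the application will use outward, rather than from the signature inward, which is the direction that closes the gap the CVE describes.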