Your message dated Fri, 19 Mar 2021 19:32:09 +0000
with message-id <e1lnkqv-000iuz...@fasolo.debian.org>
and subject line Bug#985405: fixed in shibboleth-sp 3.0.4+dfsg1-1+deb10u1
has caused the Debian Bug report #985405,
regarding src:shibboleth-sp: Error templates allow query-based override of
variables
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
985405: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985405
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: src:shibboleth-sp
Version: 3.0.2+dfsg1-1
Severity: important
Tags: upstream patch security
Forwarded: https://issues.shibboleth.net/jira/browse/SSPCPP-922
Shibboleth Service Provider Security Advisory [17 March 2021]
An updated version of the Service Provider software is available
which fixes a phishing vulnerability.
Template generation allows external parameters to override placeholders
======================================================================
The SP includes a primitive template engine used to render error pages
and various other status or transition pages, and it supports a syntax
for embedding placeholders that are replaced by internally supplied
values or configuration settings.
For reasons that are unclear in the code history, it was extended to
allow replacement via query parameters also, though this is not a
typical need. Because of this feature, it's possible to cause the SP
to display some templates containing values supplied externally by
URL manipulation. Though the values are encoded to prevent script
injection, the content nevertheless appears to come from the server
and so would be interpreted as trustworthy, allowing email addresses,
logos, or support URLs to be manipulated by an attacker.
All platforms are impacted by this issue.
Recommendations
===============
Update to V3.2.1 or later of the Service Provider software, which
is now available.
The update adds a new <Errors> setting to the configuration called
externalParameters, which defaults to false. When false, support for
this "feature" is disabled. In the unlikely event that a valid need
for this exists, the setting can be enabled temporarily to maintain
function until the use case requiring it is addressed in some other
way.
Other Notes
===========
The cpp-sp git commit containing the fix for this issue is
d1dbebfadc1bdb824fea63843c4c38fa69e54379
URL for this Security Advisory:
https://shibboleth.net/community/advisories/secadv_20210317.txt
--- End Message ---
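The behaviour the advisory describes, modelled as an added example (this is not Shibboleth SP's own C++ template code). The placeholder syntax follows the SP's `<shibmlp name/>` form and the `<Errors>` attribute names (supportContact, helpLocation, externalParameters) and the SP 3 config namespace are taken from the advisory and the SP's shibboleth2.xml; the hostnames, the phishing URL and both config fragments are constructed for the demonstration. The second function is an audit check for a shibboleth2.xml; note that a missing attribute only means "disabled" on a version that has the fix, since unpatched releases have no gate at all.

```python
"""Model of SSPCPP-922: error-template placeholders overridden from the query string."""
import html
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlsplit

# Placeholder form modelled on the SP's templates: <shibmlp supportContact/>
PLACEHOLDER = re.compile(r"<shibmlp\s+(\w+)\s*/>")


def render(template: str, internal: dict, request_url: str,
           external_parameters: bool) -> str:
    """Replace placeholders with internal values, optionally letting the
    request's query parameters override them.

    external_parameters=True  models the pre-fix behaviour (and the new
                              setting when explicitly enabled).
    external_parameters=False models the fixed default: query ignored.
    """
    query = {k: v[0] for k, v in parse_qs(urlsplit(request_url).query).items()}

    def lookup(match: re.Match) -> str:
        name = match.group(1)
        value = internal.get(name, "")
        if external_parameters and name in query:
            value = query[name]  # attacker-controlled via URL manipulation
        # Output is HTML-escaped, so this is not script injection; the
        # problem is that the escaped text is still shown as the SP's own
        # support contact / help link.
        return html.escape(value, quote=True)

    return PLACEHOLDER.sub(lookup, template)


# Constructed error template and the values the SP itself would supply.
ERROR_TEMPLATE = (
    "<p>An error occurred: <shibmlp errorText/></p>"
    '<p>Contact <a href="mailto:<shibmlp supportContact/>">'
    "<shibmlp supportContact/></a> or see <shibmlp helpLocation/>.</p>"
)
INTERNAL = {
    "errorText": "Unable to locate metadata for identity provider",
    "supportContact": "help@sp.example",
    "helpLocation": "https://sp.example/help",
}
# Constructed link a victim is lured into opening: the page is served by
# the real SP over the real hostname, but the contact details are the attacker's.
PHISH_URL = ("https://sp.example/Shibboleth.sso/Login?"
             "supportContact=helpdesk%40attacker.example"
             "&helpLocation=https%3A%2F%2Fattacker.example%2Freset")

SP_NS = {"c": "urn:mace:shibboleth:3.0:native:sp:config"}


def errors_external_parameters(shibboleth2_xml: str) -> bool:
    """Audit check: does <Errors> permit query-parameter overrides?

    Mirrors the advisory's default: attribute absent => false. This is only
    meaningful on a version that ships the externalParameters setting.
    """
    root = ET.fromstring(shibboleth2_xml)
    errors = root.find(".//c:Errors", SP_NS)
    if errors is None:
        return False
    return errors.get("externalParameters", "false").strip().lower() == "true"


# Constructed config fragments: the weak setting beside the corrected one.
VULNERABLE_CONFIG = """<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config">
  <ApplicationDefaults entityID="https://sp.example/shibboleth">
    <Errors supportContact="help@sp.example" helpLocation="/about.html"
            styleSheet="/shibboleth-sp/main.css" externalParameters="true"/>
  </ApplicationDefaults>
</SPConfig>"""
FIXED_CONFIG = """<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config">
  <ApplicationDefaults entityID="https://sp.example/shibboleth">
    <Errors supportContact="help@sp.example" helpLocation="/about.html"
            styleSheet="/shibboleth-sp/main.css" externalParameters="false"/>
  </ApplicationDefaults>
</SPConfig>"""

if __name__ == "__main__":
    print("pre-fix / enabled :", render(ERROR_TEMPLATE, INTERNAL, PHISH_URL, True))
    print("fixed default     :", render(ERROR_TEMPLATE, INTERNAL, PHISH_URL, False))
    print("vulnerable config permits overrides:",
          errors_external_parameters(VULNERABLE_CONFIG))
    print("fixed config permits overrides     :",
          errors_external_parameters(FIXED_CONFIG))
```

Running the block shows the same escaped output in both modes except that with overrides enabled the mailto link and help URL point at attacker.example; grepping a deployed shibboleth2.xml for `externalParameters="true"` (or running the audit function over it) is the practical post-upgrade check.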
--- Begin Message ---
Source: shibboleth-sp
Source-Version: 3.0.4+dfsg1-1+deb10u1
Done: Ferenc Wágner <wf...@debian.org>
We believe that the bug you reported is fixed in the latest version of
shibboleth-sp, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 985...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Ferenc Wágner <wf...@debian.org> (supplier of updated shibboleth-sp package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 17 Mar 2021 21:40:34 CET
Source: shibboleth-sp
Architecture: source
Version: 3.0.4+dfsg1-1+deb10u1
Distribution: buster-security
Urgency: high
Maintainer: Debian Shib Team <pkg-shibboleth-de...@lists.alioth.debian.org>
Changed-By: Ferenc Wágner <wf...@debian.org>
Closes: 985405
Changes:
shibboleth-sp (3.0.4+dfsg1-1+deb10u1) buster-security; urgency=high
.
* [594074b] New patch: SSPCPP-922 - Add externalParameters option to Errors
element.
Fix a phishing vulnerability: Template generation allows external
parameters to override placeholders
The primitive template engine used to render error pages allows
replacement via query parameters also, though this is not a typical
need. Because of this feature, it's possible to cause the SP to
display some templates containing values supplied externally by URL
manipulation. Though the values are encoded to prevent script
injection, the content nevertheless appears to come from the server
and so would be interpreted as trustworthy, allowing email addresses,
logos, or support URLs to be manipulated by an attacker.
This update adds a new <Errors> setting to the configuration called
externalParameters, which defaults to false. When false, support for
this "feature" is disabled.
https://shibboleth.net/community/advisories/secadv_20210317.txt
https://issues.shibboleth.net/jira/browse/SSPCPP-922
Thanks to Scott Cantor (Closes: #985405)
Checksums-Sha256:
c33ef8a0c0735abe7348e9825588bba01ac62325a6dc4375be21b153b8c0fd88 3034 shibboleth-sp_3.0.4+dfsg1-1+deb10u1.dsc
6790ac56e79c215dd38a065c94905b979185b72294d3fce2cd78ba43995831f4 79324 shibboleth-sp_3.0.4+dfsg1-1+deb10u1.debian.tar.xz
6f33456c355d811803afba004f90810f54fdd1f2398f3486fe73f8be0ca53b22 13808 shibboleth-sp_3.0.4+dfsg1-1+deb10u1_amd64.buildinfo
b327701d111da4b5da370eddc945c382abc378ff9445e1eda9554c0d7e6f1dca 629664 shibboleth-sp_3.0.4+dfsg1.orig.tar.xz
Checksums-Sha1:
b772eca334b15268404717420e899765f6d19d38 3034 shibboleth-sp_3.0.4+dfsg1-1+deb10u1.dsc
41ce923aef344361e7df8f2625f31ef3d84cf85f 79324 shibboleth-sp_3.0.4+dfsg1-1+deb10u1.debian.tar.xz
f73d4690f2fad69caaac1beb0a871266b732c309 13808 shibboleth-sp_3.0.4+dfsg1-1+deb10u1_amd64.buildinfo
cf6064d46a963cd5704439d0124bd7333ea8447e 629664 shibboleth-sp_3.0.4+dfsg1.orig.tar.xz
Files:
b2030bd2eafac8728d6aa75d9bf7eca0 3034 web optional shibboleth-sp_3.0.4+dfsg1-1+deb10u1.dsc
74d4b3c702dd8219f9f81720c7fc5bc1 79324 web optional shibboleth-sp_3.0.4+dfsg1-1+deb10u1.debian.tar.xz
ee57dbfb6777b3d0c9f64eced6efab02 13808 web optional shibboleth-sp_3.0.4+dfsg1-1+deb10u1_amd64.buildinfo
050e90a66472f17e81acd2ab21b677c2 629664 web optional shibboleth-sp_3.0.4+dfsg1.orig.tar.xz
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---