Bug#1081560: marked as done (ruby-saml: CVE-2024-45409)

[Debian Bug Tracking System]

Your message dated Thu, 7 Nov 2024 13:56:40 +0530
with message-id <zyx5wms3u1z91...@debian.org>
and subject line Bug#1081560: fixed in ruby-saml 1.17.0-1 unstable
has caused the Debian Bug report #1081560,
regarding ruby-saml: CVE-2024-45409
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1081560: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1081560
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---

Source: ruby-saml
Version: 1.15.0-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Control: found -1 1.13.0-1

Hi,

The following vulnerability was published for ruby-saml.

CVE-2024-45409[0]:
| The Ruby SAML library is for implementing the client side of a SAML
| authorization. Ruby-SAML in <= 12.2 and 1.13.0 <= 1.16.0 does not
| properly verify the signature of the SAML Response. An
| unauthenticated attacker with access to any signed saml document (by
| the IdP) can thus forge a SAML Response/Assertion with arbitrary
| contents. This would allow the attacker to log in as arbitrary user
| within the vulnerable system. This vulnerability is fixed in 1.17.0
| and 1.12.3.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-45409
    https://www.cve.org/CVERecord?id=CVE-2024-45409
[1] 
https://github.com/SAML-Toolkits/ruby-saml/security/advisories/GHSA-jw9c-mfg7-9rx2
[2] 
https://github.com/SAML-Toolkits/ruby-saml/commit/1ec5392bc506fe43a02dbb66b68741051c5ffeae
[3] 
https://github.com/SAML-Toolkits/ruby-saml/commit/4865d030cae9705ee5cdb12415c654c634093ae7

Regards,
Salvatore

--- End Message ---

--- Begin Message ---

Source: ruby-saml
Source-Version: 1.17.0-1
Done: Pirate Praveen <prav...@debian.org>

A new version of ruby-saml (1.17.0-1) uploaded on 11 Oct 2024
to unstable contain fix for CVE-2024-45409.

--abhijith

--- End Message ---