Package: opensaml
Version: 3.3.0-2
Severity: grave
Tags: security
X-Debbugs-Cc: t...@security.debian.org

As per https://shibboleth.net/community/advisories/secadv_20250313.txt

  Parameter manipulation allows the forging of signed SAML messages
  =================================================================

  A number of vulnerabilities in the OpenSAML library used by the
  Shibboleth Service Provider allowed for creative manipulation of
  parameters combined with reuse of the contents of older requests to
  fool the library's signature verification of non-XML based signed
  messages.

  [...]

  The SP's support for the HTTP-POST-SimpleSign SAML binding for Single
  Sign-On responses is its critical vulnerability, and it is enabled by
  default (regardless of what one's published SAML metadata may
  advertise).

There's also a workaround in the advisory for the most critical part
(disable the POST-SimpleSign binding in protocols.xml.)

Red Hat already has a fix available. Not sure if this was coordinated
distro-wide but filing a bug just in case (and copying the security
team.)

I assume stable releases are affected but haven't verified that.

I'm not aware of a CVE id for this.

-- 
Niko Tyni nt...@debian.org
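Added illustration of the workaround mentioned above (not part of the bug report or the advisory): the stock Shibboleth SP 3 protocols.xml lists one Binding per endpoint under the SAML2 SSO service, and the mitigation is to drop the HTTP-POST-SimpleSign entry so the SP no longer accepts responses on that binding. The element and attribute names and the path values follow the default file layout as I recall it and should be checked against the installed protocols.xml; the binding URN itself is the standard SAML 2.0 identifier.

```xml
<!-- protocols.xml, SAML2 SSO service: before (vulnerable default) -->
<Protocols xmlns="urn:mace:shibboleth:3.0:protocols">
  <Protocol id="SAML2">
    <Service id="SSO">
      <Binding id="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" path="/SAML2/POST"/>
      <!-- accepted by default even if the SP's metadata never advertises it -->
      <Binding id="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" path="/SAML2/POST-SimpleSign"/>
      <Binding id="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" path="/SAML2/Artifact"/>
    </Service>
  </Protocol>
</Protocols>

<!-- after: SimpleSign binding removed; the SP stops handling /SAML2/POST-SimpleSign -->
<Protocols xmlns="urn:mace:shibboleth:3.0:protocols">
  <Protocol id="SAML2">
    <Service id="SSO">
      <Binding id="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" path="/SAML2/POST"/>
      <Binding id="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" path="/SAML2/Artifact"/>
    </Service>
  </Protocol>
</Protocols>
```

After editing, restart shibd and confirm that no IdP in the deployment is configured to send SSO responses via POST-SimpleSign before relying on this as the only mitigation; the library fix is still needed.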