On Fri, Mar 14, 2025 at 08:34:44AM +0000, Niko Tyni wrote:
> Package: opensaml
> Version: 3.3.0-2
> Severity: grave
> Tags: security
> X-Debbugs-Cc: t...@security.debian.org
>
> As per https://shibboleth.net/community/advisories/secadv_20250313.txt
>
> Parameter manipulation allows the forging of signed SAML messages
> =================================================================
>
> RedHat already has a fix available. Not sure if this was coordinated
> distro-wide but filing a bug just in case (and copying the security team.)

Apologies, this was second-hand information and probably incorrect. I think this referred to the 3.3.1 RPM package provided by shibboleth.net.

FWIW I think the relevant upstream commit is
https://git.shibboleth.net/view/?p=cpp-opensaml.git;a=commit;h=22a610b322e2178abd03e97cdbc8fb50b45efaee
but I haven't tested this in any way.

-- 
Niko Tyni nt...@debian.org