Your message dated Sun, 16 Mar 2025 21:34:03 +0100
with message-id <z9c1u5owyb4bm...@eldamar.lan>
and subject line Re: Accepted opensaml 3.3.1-1 (source) into unstable
has caused the Debian Bug report #1100464,
regarding opensaml: Parameter manipulation allows the forging of signed SAML messages
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1100464: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1100464
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: opensaml
Version: 3.3.0-2
Severity: grave
Tags: security
X-Debbugs-Cc: t...@security.debian.org

As per https://shibboleth.net/community/advisories/secadv_20250313.txt

  Parameter manipulation allows the forging of signed SAML messages
  =================================================================

  A number of vulnerabilities in the OpenSAML library used by the
  Shibboleth Service Provider allowed for creative manipulation of
  parameters combined with reuse of the contents of older requests
  to fool the library's signature verification of non-XML based
  signed messages.

  [...]

  The SP's support for the HTTP-POST-SimpleSign SAML binding for
  Single Sign-On responses is its critical vulnerability, and
  it is enabled by default (regardless of what one's published
  SAML metadata may advertise).

There's also a workaround in the advisory for the most critical
part (disable the POST-SimpleSign binding in protocols.xml .)

RedHat has already a fix available. Not sure if this was coordinated
distro-wide but filing a bug just in case (and copying the security team.)

I assume stable releases are affected but haven't verified that.

I'm not aware of a CVE id for this.
-- 
Niko Tyni   nt...@debian.org

--- End Message ---
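The workaround mentioned in the report above, shown as an added illustration that is not part of the bug report or of the Shibboleth advisory: a SAML2 SSO service stanza in a Shibboleth SP 3 style protocols.xml with the HTTP-POST-SimpleSign binding taken out while the other bindings stay in place. The element and attribute layout is assumed from the SP 3 default protocols.xml and should be checked against the installed file before use.

```xml
<!-- Added illustration, not from the advisory: SAML2 SSO service in
     protocols.xml with the POST-SimpleSign binding removed as a temporary
     workaround. Element/attribute names assumed from the SP 3 default file. -->
<Protocols xmlns="urn:mace:shibboleth:3.0:protocols">
    <Protocol id="SAML2">
        <Service id="SSO">
            <Initiator id="SAML2"
                       protocol="urn:oasis:names:tc:SAML:2.0:profiles:SSO:browser"/>
            <Binding id="POST" path="/SAML2/POST"
                     protocol="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
            <!-- Disabled until opensaml is upgraded to 3.3.1 (advisory workaround):
            <Binding id="POST-SimpleSign" path="/SAML2/POST-SimpleSign"
                     protocol="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"/>
            -->
            <Binding id="Artifact" path="/SAML2/Artifact"
                     protocol="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
        </Service>
    </Protocol>
</Protocols>
```

Because the advisory notes the binding is enabled regardless of what the SP's published metadata advertises, removing it from the metadata alone does not help; the protocols.xml entry is what controls it, and shibd must be restarted after the change.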
--- Begin Message ---
Source: opensaml
Source-Version: 3.3.1-1

On Sun, Mar 16, 2025 at 03:51:53PM +0000, Debian FTP Masters wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
> 
> Format: 1.8
> Date: Sun, 16 Mar 2025 14:41:33 +0100
> Source: opensaml
> Architecture: source
> Version: 3.3.1-1
> Distribution: unstable
> Urgency: high
> Maintainer: Debian Shib Team <pkg-shibboleth-de...@alioth-lists.debian.net>
> Changed-By: Ferenc Wágner <wf...@debian.org>
> Changes:
>  opensaml (3.3.1-1) unstable; urgency=high
>  .
>    * High urgency for the security fix
>    * [832b30a] New upstream release: 3.3.1
> Checksums-Sha1:
> Checksums-Sha256:
> Files:
> 

--- End Message ---