Your message dated Wed, 19 Mar 2025 19:47:17 +0000
with message-id <e1tuznl-009ygy...@fasolo.debian.org>
and subject line Bug#1100464: fixed in opensaml 3.2.1-3+deb12u1
has caused the Debian Bug report #1100464,
regarding opensaml: Parameter manipulation allows the forging of signed SAML messages
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1100464: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1100464
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: opensaml
Version: 3.3.0-2
Severity: grave
Tags: security
X-Debbugs-Cc: t...@security.debian.org

As per https://shibboleth.net/community/advisories/secadv_20250313.txt

  Parameter manipulation allows the forging of signed SAML messages
  =================================================================

  A number of vulnerabilities in the OpenSAML library used by the
  Shibboleth Service Provider allowed for creative manipulation of
  parameters combined with reuse of the contents of older requests
  to fool the library's signature verification of non-XML based
  signed messages.

  [...]

  The SP's support for the HTTP-POST-SimpleSign SAML binding for
  Single Sign-On responses is its critical vulnerability, and
  it is enabled by default (regardless of what one's published
  SAML metadata may advertise).

There's also a workaround in the advisory for the most critical
part (disable the POST-SimpleSign binding in protocols.xml .)

RedHat already has a fix available. Not sure if this was coordinated
distro-wide but filing a bug just in case (and copying the security team.)

I assume stable releases are affected but haven't verified that.

I'm not aware of a CVE id for this.
-- 
Niko Tyni   nt...@debian.org

--- End Message ---
--- Begin Message ---
Source: opensaml
Source-Version: 3.2.1-3+deb12u1
Done: Ferenc Wágner <wf...@debian.org>

We believe that the bug you reported is fixed in the latest version of
opensaml, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1100...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ferenc Wágner <wf...@debian.org> (supplier of updated opensaml package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 14 Mar 2025 21:47:50 +0100
Source: opensaml
Architecture: source
Version: 3.2.1-3+deb12u1
Distribution: bookworm-security
Urgency: high
Maintainer: Debian Shib Team <pkg-shibboleth-de...@alioth-lists.debian.net>
Changed-By: Ferenc Wágner <wf...@debian.org>
Closes: 1100464
Changes:
 opensaml (3.2.1-3+deb12u1) bookworm-security; urgency=high
 .
   * [b3e86fd] New patch: CPPOST-126 - Simple signature verification fails to
     detect parameter smuggling.
     Security fix cherry-picked from v3.3.1 (upstream commit
     22a610b322e2178abd03e97cdbc8fb50b45efaee).
     Parameter manipulation allows the forging of signed SAML messages
     =================================================================
     A number of vulnerabilities in the OpenSAML library used by the
     Shibboleth Service Provider allowed for creative manipulation of
     parameters combined with reuse of the contents of older requests
     to fool the library's signature verification of non-XML based
     signed messages.
     Most uses of that feature involve very low or low impact use cases
     without critical security implications; however, there are two
     scenarios that are much more critical, one affecting the SP and
     one affecting some implementers who have implemented their own
     code on top of our OpenSAML library and done so improperly.
     The SP's support for the HTTP-POST-SimpleSign SAML binding for
     Single Sign-On responses is its critical vulnerability, and
     it is enabled by default (regardless of what one's published
     SAML metadata may advertise).
     The other critical case involves a mistake that does *not*
     impact the Shibboleth SP, allowing SSO to occur over the
     HTTP-Redirect binding contrary to the plain language of the
     SAML Browser SSO profile. The SP does not support this, but
     other implementers may have done so.
     Contrary to the initial publication of this advisory, there is no
     workaround within the SP configuration other than to remove the
     "SimpleSigning" security policy rule from the security-policy.xml
     file entirely.
     That will also prevent support of legitimate signed requests or
     responses via the HTTP-Redirect binding, which is generally used
     only for logout messages within the SP itself. Removing support
     for that binding in favor of HTTP-POST in any published metadata
     is an option of course.
     Full advisory:
     https://shibboleth.net/community/advisories/secadv_20250313.txt
     Thanks to Scott Cantor (Closes: #1100464)
Checksums-Sha1:
 22cd592016a1f2668925c004fd5873ebb365769a 2769 opensaml_3.2.1-3+deb12u1.dsc
 046bd41c342174050be8ee370ba681c6a45c76d8 600699 opensaml_3.2.1.orig.tar.bz2
 8b962fb6269e4c524f8681226ed52ffa807d6a42 833 opensaml_3.2.1.orig.tar.bz2.asc
 4b56709c4c0b64b633837f26a980b8ee245bbebc 20452 opensaml_3.2.1-3+deb12u1.debian.tar.xz
 5b36473a702919f4123b17fb236f20cc233bb082 11770 opensaml_3.2.1-3+deb12u1_amd64.buildinfo
Checksums-Sha256:
 e6108b5348f40a95cc2f972325de5c8eb38b358e702dd05e35b04eb18361df11 2769 opensaml_3.2.1-3+deb12u1.dsc
 b402a89a130adcb76869054b256429c1845339fe5c5226ee888686b6a026a337 600699 opensaml_3.2.1.orig.tar.bz2
 406847d5adee9400ddc4646580cafd9bd727a8eecb955fb0987a05ec0f2159e0 833 opensaml_3.2.1.orig.tar.bz2.asc
 7c5c1470b5d9dab3fcabca1d7683525dbeee8f566977d7aaddf7040f24db0fd0 20452 opensaml_3.2.1-3+deb12u1.debian.tar.xz
 641e7f422c7f3bfc41ee4b01f47c4d7c87ec6e2c82868c769df699d1fd5747b2 11770 opensaml_3.2.1-3+deb12u1_amd64.buildinfo
Files:
 a025e9c730fa564cc162dc9fb1abed4e 2769 libs optional opensaml_3.2.1-3+deb12u1.dsc
 a4c08783eb5078be3bbe2ca6b6c7b806 600699 libs optional opensaml_3.2.1.orig.tar.bz2
 4d2a57e6af9cb2d36702352e1fd8b806 833 libs optional opensaml_3.2.1.orig.tar.bz2.asc
 464f94347af15f78b0e7ad5092b0db18 20452 libs optional opensaml_3.2.1-3+deb12u1.debian.tar.xz
 066fd348e10cd1c34b27323a62fc5277 11770 libs optional opensaml_3.2.1-3+deb12u1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----



--- End Message ---
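The advisory and changelog above describe the vulnerable feature (verification of non-XML "simple" signatures on the HTTP-POST-SimpleSign binding, defeated by parameter manipulation and reuse of older signed content) without giving the mechanics. The following is an added, stand-alone illustration written for this page; it is not OpenSAML's code and does not reproduce the upstream bug. It builds the SimpleSign signed string the way the SAML bindings specification defines it (the decoded message, then RelayState if present, then SigAlg) and shows the checks a verifier needs so that the bytes it verifies are exactly the bytes the consumer acts on: one message parameter only, no duplicate form fields, a pinned SigAlg, and a return value that is the verified message itself. A shared HMAC key stands in for the IdP's RSA key so it runs offline; the key, XML, RelayState and the smuggled duplicate parameter are all constructed for the demo.

```python
"""Hardened HTTP-POST-SimpleSign form verification (illustrative, stdlib only)."""
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode

# Assumption for this demo: HMAC-SHA256 with a shared key replaces RSA so the
# block runs offline. The SigAlg URI is still the XML-DSig identifier a real
# IdP would send; the verifier pins it so an attacker cannot pick the algorithm.
SIG_ALG = "http://www.w3.org/2000/09/xmldsig#rsa-sha256"
MESSAGE_PARAMS = ("SAMLRequest", "SAMLResponse")


def signed_string(message_param, xml, relay_state, sig_alg):
    """SimpleSign input: the *decoded* XML, RelayState only if present, then SigAlg."""
    parts = [f"{message_param}={xml}"]
    if relay_state is not None:
        parts.append(f"RelayState={relay_state}")
    parts.append(f"SigAlg={sig_alg}")
    return "&".join(parts)


def sign_form(key, message_param, xml, relay_state=None):
    """Produce the form fields an IdP would POST (HMAC standing in for RSA)."""
    to_sign = signed_string(message_param, xml, relay_state, SIG_ALG).encode()
    mac = hmac.new(key, to_sign, hashlib.sha256).digest()
    fields = {message_param: base64.b64encode(xml.encode()).decode()}
    if relay_state is not None:
        fields["RelayState"] = relay_state
    fields["SigAlg"] = SIG_ALG
    fields["Signature"] = base64.b64encode(mac).decode()
    return fields


def parse_form_strict(raw_body):
    """Parse a form body and refuse any name that appears more than once."""
    params = {}
    for name, value in parse_qsl(raw_body, keep_blank_values=True, strict_parsing=True):
        if name in params:
            raise ValueError(f"duplicate parameter: {name}")
        params[name] = value
    return params


def verify_form(key, raw_body):
    """Return (message_param, xml) only if the signature covers exactly that message."""
    params = parse_form_strict(raw_body)
    present = [p for p in MESSAGE_PARAMS if p in params]
    if len(present) != 1:
        raise ValueError("expected exactly one of SAMLRequest/SAMLResponse")
    message_param = present[0]
    if params.get("SigAlg") != SIG_ALG:
        raise ValueError("unsupported or missing SigAlg")
    if "Signature" not in params:
        raise ValueError("missing Signature")
    xml = base64.b64decode(params[message_param], validate=True).decode()
    to_sign = signed_string(message_param, xml, params.get("RelayState"), SIG_ALG).encode()
    expected = hmac.new(key, to_sign, hashlib.sha256).digest()
    provided = base64.b64decode(params["Signature"], validate=True)
    if not hmac.compare_digest(expected, provided):
        raise ValueError("bad signature")
    # Hand back the exact message that was verified; the caller must consume
    # this value and never re-read the raw form for a second copy.
    return message_param, xml


# Constructed demo inputs (not real traffic).
KEY = b"constructed-demo-key"
GOOD_XML = '<samlp:Response ID="_r1" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"/>'
FORGED_XML = '<samlp:Response ID="_evil" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"/>'


def demo():
    """A legitimate POST, the same POST with a smuggled second SAMLResponse,
    and the same POST with RelayState altered after signing."""
    good_body = urlencode(sign_form(KEY, "SAMLResponse", GOOD_XML, relay_state="/app"))
    smuggled_body = good_body + "&" + urlencode(
        {"SAMLResponse": base64.b64encode(FORGED_XML.encode()).decode()})
    tampered_body = good_body.replace("RelayState=%2Fapp", "RelayState=%2Fadmin")
    results = {"good": verify_form(KEY, good_body)[1] == GOOD_XML}
    for label, body in (("smuggled", smuggled_body), ("tampered", tampered_body)):
        try:
            verify_form(KEY, body)
            results[label] = "accepted"
        except ValueError as err:
            results[label] = str(err)
    return results


if __name__ == "__main__":
    print(demo())
```

Signature verification of this kind says nothing about freshness: an old, validly signed response replayed by an attacker still verifies. The "reuse of the contents of older requests" in the advisory is why the consuming profile layer must additionally check the message ID against a replay cache, the IssueInstant window, and InResponseTo binding, which the block above deliberately leaves to that layer.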