Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
Hi,

Please unblock package simplesamlphp. It's a security-update only release that further tightens the screws on the security issue addressed in 1.9.1, after further discussion with the scientists who discovered the issue. The debdiff is very simple.

Please unblock simplesamlphp/1.9.2-1

Thanks,
Thijs
diff -Nru simplesamlphp-1.9.1/debian/changelog simplesamlphp-1.9.2/debian/changelog --- simplesamlphp-1.9.1/debian/changelog 2012-08-06 14:58:01.000000000 +0200 +++ simplesamlphp-1.9.2/debian/changelog 2012-08-29 17:45:36.000000000 +0200 @@ -1,3 +1,11 @@ +simplesamlphp (1.9.2-1) unstable; urgency=medium + + * New upstream security release: + Fix possible issue in PKCS 1.5 encryption when a key is + correctly decrypted but its length is not the one expected. + + -- Thijs Kinkhorst <th...@debian.org> Wed, 29 Aug 2012 15:43:31 +0000 + simplesamlphp (1.9.1-1) unstable; urgency=medium * New upstream security release: diff -Nru simplesamlphp-1.9.1/docs/simplesamlphp-changelog.txt simplesamlphp-1.9.2/docs/simplesamlphp-changelog.txt --- simplesamlphp-1.9.1/docs/simplesamlphp-changelog.txt 2012-08-02 08:25:33.000000000 +0200 +++ simplesamlphp-1.9.2/docs/simplesamlphp-changelog.txt 2012-08-29 10:19:20.000000000 +0200 @@ -6,6 +6,12 @@ This document lists the changes between versions of simpleSAMLphp. See the upgrade notes for specific information about upgrading. +## Version 1.9.2 + +Released 2012-08-29 + + * Fix related to the security issue addressed in version 1.9.1. + ## Version 1.9.1 Released 2012-08-02. diff -Nru simplesamlphp-1.9.1/lib/SAML2/Utils.php simplesamlphp-1.9.2/lib/SAML2/Utils.php --- simplesamlphp-1.9.1/lib/SAML2/Utils.php 2012-08-02 08:25:23.000000000 +0200 +++ simplesamlphp-1.9.2/lib/SAML2/Utils.php 2012-08-29 10:19:12.000000000 +0200 
@@ -393,6 +393,10 @@ try { $key = $encKey->decryptKey($symmetricKeyInfo); + if (strlen($key) != $keySize) { + throw new Exception('Unexpected key size (' . strlen($key) * 8 . 'bits) for encryption algorithm: ' . + var_export($symmetricKey->type, TRUE)); + } } catch (Exception $e) { /* We failed to decrypt this key. Log it, and substitute a "random" key. */ SimpleSAML_Logger::error('Failed to decrypt symmetric key: ' . $e->getMessage()); diff -Nru simplesamlphp-1.9.1/lib/SimpleSAML/Configuration.php simplesamlphp-1.9.2/lib/SimpleSAML/Configuration.php --- simplesamlphp-1.9.1/lib/SimpleSAML/Configuration.php 2012-08-02 08:28:37.000000000 +0200 +++ simplesamlphp-1.9.2/lib/SimpleSAML/Configuration.php 2012-08-29 11:16:57.000000000 +0200 @@ -5,7 +5,7 @@ * * @author Andreas Aakre Solberg, UNINETT AS. <andreas.solb...@uninett.no> * @package simpleSAMLphp - * @version $Id: Configuration.php 3136 2012-08-02 06:28:37Z olavmrk $ + * @version $Id: Configuration.php 3152 2012-08-29 09:16:57Z jaim...@gmail.com $ */ class SimpleSAML_Configuration { @@ -295,7 +295,7 @@ * @return string */ public function getVersion() { - return '1.9.1'; + return '1.9.2'; }
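Review bot: the docs/simplesamlphp-changelog.txt hunk describes the release only as "Fix related to the security issue addressed in version 1.9.1", whereas the debian/changelog hunk in the same diff says what actually changed (a symmetric key that decrypts correctly but does not have the length expected for the algorithm is now rejected); the upstream changelog is what deployers read when deciding whether to upgrade, so the "Version 1.9.2" entry should carry that same one-line description and point at lib/SAML2/Utils.php as the affected code. Minor: the new entry reads "Released 2012-08-29" while the 1.9.1 entry below it ends with a period ("Released 2012-08-02."), so the two lines should be made consistent.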
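Review bot: in the lib/SAML2/Utils.php hunk the new check `if (strlen($key) != $keySize)` relies on `$keySize` and on `$symmetricKey` (used in the message) being assigned before the `try`, but neither assignment appears in the hunk's context lines, so it is worth confirming both are in scope at that point; in PHP an unset `$keySize` would make the comparison true for every non-empty key and cause all valid messages to be rejected. Putting the `throw` inside the `try` is the right shape: a wrong-length key then falls into the same `catch` as a failed `decryptKey()` call and is replaced by the substituted "random" key, so the caller cannot tell the two failures apart, which is what keeps the decryption step from behaving as an oracle. Two small style points: `strlen($key) * 8 . 'bits'` renders as `256bits`, so a space before `bits` would read better, and `var_export($symmetricKey->type, TRUE)` puts the algorithm URI in quotes in the log line, which is fine but differs from the unquoted style of the neighbouring "Failed to decrypt symmetric key" message.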