-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 14 Mar 2025 21:47:50 +0100
Source: opensaml
Binary: libsaml-dev libsaml12 libsaml12-dbgsym opensaml-tools opensaml-tools-dbgsym
Architecture: amd64
Version: 3.2.1-3+deb12u1
Distribution: bookworm-security
Urgency: high
Maintainer: amd64 / i386 Build Daemon (x86-ubc-02) <buildd_amd64-x86-ubc-02@buildd.debian.org>
Changed-By: Ferenc Wágner <wferi@debian.org>
Description:
 libsaml-dev - Security Assertion Markup Language library (development)
 libsaml12  - Security Assertion Markup Language library (runtime)
 opensaml-tools - Security Assertion Markup Language command-line tools
Closes: 1100464
Changes:
 opensaml (3.2.1-3+deb12u1) bookworm-security; urgency=high
 .
   * [b3e86fd] New patch: CPPOST-126 - Simple signature verification fails to
     detect parameter smuggling.
     Security fix cherry-picked from v3.3.1 (upstream commit
     22a610b322e2178abd03e97cdbc8fb50b45efaee).
     Parameter manipulation allows the forging of signed SAML messages
     =================================================================
     A number of vulnerabilities in the OpenSAML library used by the
     Shibboleth Service Provider allowed for creative manipulation of
     parameters combined with reuse of the contents of older requests
     to fool the library's signature verification of non-XML based
     signed messages.
     Most uses of that feature involve very low or low impact use cases
     without critical security implications; however, there are two
     scenarios that are much more critical, one affecting the SP and
     one affecting some implementers who have implemented their own
     code on top of our OpenSAML library and done so improperly.
     The SP's support for the HTTP-POST-SimpleSign SAML binding for
     Single Sign-On responses is its critical vulnerability, and
     it is enabled by default (regardless of what one's published
     SAML metadata may advertise).
     The other critical case involves a mistake that does *not*
     impact the Shibboleth SP, allowing SSO to occur over the
     HTTP-Redirect binding contrary to the plain language of the
     SAML Browser SSO profile. The SP does not support this, but
     other implementers may have done so.
     Contrary to the initial publication of this advisory, there is no
     workaround within the SP configuration other than to remove the
     "SimpleSigning" security policy rule from the security-policy.xml
     file entirely.
     That will also prevent support of legitimate signed requests or
     responses via the HTTP-Redirect binding, which is generally used
     only for logout messages within the SP itself. Removing support
     for that binding in favor of HTTP-POST in any published metadata
     is an option of course.
     Full advisory:
     https://shibboleth.net/community/advisories/secadv_20250313.txt
     Thanks to Scott Cantor (Closes: #1100464)
Checksums-Sha1:
 4f8eff6af690f607fdee86967bb088b4628dfee2 42688 libsaml-dev_3.2.1-3+deb12u1_amd64.deb
 9cbddb021bbe18fcbd5a7dcc22dc65166b539b73 10155456 libsaml12-dbgsym_3.2.1-3+deb12u1_amd64.deb
 0862f750be0c8429ba3f94d17c9d1d5ed1483ed6 947540 libsaml12_3.2.1-3+deb12u1_amd64.deb
 75d6d69ffa28234c26328dacf291be25111183b8 222900 opensaml-tools-dbgsym_3.2.1-3+deb12u1_amd64.deb
 d61f50e4235ed2da4afdc359b5ad6af465491567 25464 opensaml-tools_3.2.1-3+deb12u1_amd64.deb
 72868d9c95f7091c9c48d5ab65005a395bf939d8 8639 opensaml_3.2.1-3+deb12u1_amd64-buildd.buildinfo
Checksums-Sha256:
 884614e6b40e42d30162fa7d385af7d29f85b1dda21b22a07815dfe5ce44845d 42688 libsaml-dev_3.2.1-3+deb12u1_amd64.deb
 889f3ddc05a143ee1c70ef67c3dade3466c3790048b0120a8410d954d4d0b3bd 10155456 libsaml12-dbgsym_3.2.1-3+deb12u1_amd64.deb
 9cad49f95f7f8401d2106168fc2d7801cd6e4c436c530acb7b1af2b6c2ee76b3 947540 libsaml12_3.2.1-3+deb12u1_amd64.deb
 1a60ee12fa8144c762701bf4b9c1e82116b885bfa68945142648ce74bc000691 222900 opensaml-tools-dbgsym_3.2.1-3+deb12u1_amd64.deb
 50153bd6aa0bf5af3db913f6c34dcd14a3840863983f85b4f1beeb4dad72c658 25464 opensaml-tools_3.2.1-3+deb12u1_amd64.deb
 9384006543421bfb260fd00e480a621c4c654b25fe1f63a2fbde9a4e96651c2a 8639 opensaml_3.2.1-3+deb12u1_amd64-buildd.buildinfo
Files:
 f2ce93ab9085e5761773f01174937f98 42688 libdevel optional libsaml-dev_3.2.1-3+deb12u1_amd64.deb
 a313b5c5a519dc2fa1363f001a953863 10155456 debug optional libsaml12-dbgsym_3.2.1-3+deb12u1_amd64.deb
 ef93a6db2da6f1bcf46ae9f7748dc8ef 947540 libs optional libsaml12_3.2.1-3+deb12u1_amd64.deb
 1548a2e4ea251bd3febfd466bb16076a 222900 debug optional opensaml-tools-dbgsym_3.2.1-3+deb12u1_amd64.deb
 5a1644b43b61debb3a572aca50a7c357 25464 text optional opensaml-tools_3.2.1-3+deb12u1_amd64.deb
 7dee97b1949095ba5b4ec22973b09991 8639 libs optional opensaml_3.2.1-3+deb12u1_amd64-buildd.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
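The changelog above quotes the upstream advisory's only workaround: removing the "SimpleSigning" security policy rule from the Shibboleth SP's security-policy.xml. The fragment below is an added illustration of that edit and is not taken from this package or from the Shibboleth project; the surrounding element layout, attribute values and the `errorFatal` attribute are assumed to match the SP 3 default security-policy.xml and should be checked against the file actually deployed.

```xml
<!-- BEFORE: assumed default layout; the last PolicyRule enables verification of
     non-XML (SimpleSign / HTTP-Redirect) signatures, the code path the advisory
     covers, and it is active whether or not published metadata advertises the
     HTTP-POST-SimpleSign binding. -->
<SecurityPolicies xmlns="urn:mace:shibboleth:3.0:native:sp:config">
    <Policy id="default" validate="false">
        <PolicyRule type="MessageFlow" checkReplay="true" expires="60"/>
        <PolicyRule type="Conditions">
            <PolicyRule type="Audience"/>
        </PolicyRule>
        <PolicyRule type="ClientCertAuth" errorFatal="true"/>
        <PolicyRule type="XMLSigning" errorFatal="true"/>
        <PolicyRule type="SimpleSigning" errorFatal="true"/>
    </Policy>
</SecurityPolicies>

<!-- AFTER: the SimpleSigning rule is deleted outright (per the advisory there is
     no attribute that merely disables it). Side effect, also per the advisory:
     legitimately signed HTTP-Redirect messages, typically logout requests and
     responses, can no longer be verified, so publish only HTTP-POST endpoints
     for those in metadata if you keep this configuration. -->
<SecurityPolicies xmlns="urn:mace:shibboleth:3.0:native:sp:config">
    <Policy id="default" validate="false">
        <PolicyRule type="MessageFlow" checkReplay="true" expires="60"/>
        <PolicyRule type="Conditions">
            <PolicyRule type="Audience"/>
        </PolicyRule>
        <PolicyRule type="ClientCertAuth" errorFatal="true"/>
        <PolicyRule type="XMLSigning" errorFatal="true"/>
    </Policy>
</SecurityPolicies>
```

The workaround is a stopgap; the fix is the patched library in this upload (libsaml12 3.2.1-3+deb12u1), after which the SP daemon (shibd) must be restarted so the new library is loaded.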