Format: 1.8
Date: Fri, 14 Mar 2025 21:47:50 +0100
Source: opensaml
Binary: libsaml-dev libsaml12 libsaml12-dbgsym opensaml-tools opensaml-tools-dbgsym
Architecture: arm64
Version: 3.2.1-3+deb12u1
Distribution: bookworm-security
Urgency: high
Maintainer: arm Build Daemon (arm-conova-03) <buildd_arm64-arm-conova-03@buildd.debian.org>
Changed-By: Ferenc Wágner <wferi@debian.org>
Description:
 libsaml-dev - Security Assertion Markup Language library (development)
 libsaml12  - Security Assertion Markup Language library (runtime)
 opensaml-tools - Security Assertion Markup Language command-line tools
Closes: 1100464
Changes:
 opensaml (3.2.1-3+deb12u1) bookworm-security; urgency=high
 .
   * [b3e86fd] New patch: CPPOST-126 - Simple signature verification fails to
     detect parameter smuggling.
     Security fix cherry-picked from v3.3.1 (upstream commit
     22a610b322e2178abd03e97cdbc8fb50b45efaee).
     Parameter manipulation allows the forging of signed SAML messages
     =================================================================
     A number of vulnerabilities in the OpenSAML library used by the
     Shibboleth Service Provider allowed for creative manipulation of
     parameters combined with reuse of the contents of older requests
     to fool the library's signature verification of non-XML based
     signed messages.
     Most uses of that feature involve very low or low impact use cases
     without critical security implications; however, there are two
     scenarios that are much more critical, one affecting the SP and
     one affecting some implementers who have implemented their own
     code on top of our OpenSAML library and done so improperly.
     The SP's support for the HTTP-POST-SimpleSign SAML binding for
     Single Sign-On responses is its critical vulnerability, and
     it is enabled by default (regardless of what one's published
     SAML metadata may advertise).
     The other critical case involves a mistake that does *not*
     impact the Shibboleth SP, allowing SSO to occur over the
     HTTP-Redirect binding contrary to the plain language of the
     SAML Browser SSO profile. The SP does not support this, but
     other implementers may have done so.
     Contrary to the initial publication of this advisory, there is no
     workaround within the SP configuration other than to remove the
     "SimpleSigning" security policy rule from the security-policy.xml
     file entirely.
     That will also prevent support of legitimate signed requests or
     responses via the HTTP-Redirect binding, which is generally used
     only for logout messages within the SP itself. Removing support
     for that binding in favor of HTTP-POST in any published metadata
     is an option of course.
     Full advisory:
     https://shibboleth.net/community/advisories/secadv_20250313.txt
     Thanks to Scott Cantor (Closes: #1100464)
