Format: 1.8
Date: Fri, 14 Mar 2025 21:47:50 +0100
Source: opensaml
Binary: libsaml-dev libsaml12 libsaml12-dbgsym opensaml-tools opensaml-tools-dbgsym
Architecture: armel
Version: 3.2.1-3+deb12u1
Distribution: bookworm-security
Urgency: high
Maintainer: arm Build Daemon (arm-conova-02) <buildd_arm64-arm-conova-02@buildd.debian.org>
Changed-By: Ferenc Wágner <wferi@debian.org>
Description:
 libsaml-dev - Security Assertion Markup Language library (development)
 libsaml12  - Security Assertion Markup Language library (runtime)
 opensaml-tools - Security Assertion Markup Language command-line tools
Closes: 1100464
Changes:
 opensaml (3.2.1-3+deb12u1) bookworm-security; urgency=high
 .
   * [b3e86fd] New patch: CPPOST-126 - Simple signature verification fails to
     detect parameter smuggling.
     Security fix cherry-picked from v3.3.1 (upstream commit
     22a610b322e2178abd03e97cdbc8fb50b45efaee).
     Parameter manipulation allows the forging of signed SAML messages
     =================================================================
     A number of vulnerabilities in the OpenSAML library used by the
     Shibboleth Service Provider allowed for creative manipulation of
     parameters combined with reuse of the contents of older requests
     to fool the library's signature verification of non-XML based
     signed messages.
     Most uses of that feature involve very low or low impact use cases
     without critical security implications; however, there are two
     scenarios that are much more critical, one affecting the SP and
     one affecting some implementers who have implemented their own
     code on top of our OpenSAML library and done so improperly.
     The SP's support for the HTTP-POST-SimpleSign SAML binding for
     Single Sign-On responses is its critical vulnerability, and
     it is enabled by default (regardless of what one's published
     SAML metadata may advertise).
     The other critical case involves a mistake that does *not*
     impact the Shibboleth SP, allowing SSO to occur over the
     HTTP-Redirect binding contrary to the plain language of the
     SAML Browser SSO profile. The SP does not support this, but
     other implementers may have done so.
     Contrary to the initial publication of this advisory, there is no
     workaround within the SP configuration other than to remove the
     "SimpleSigning" security policy rule from the security-policy.xml
     file entirely.
     That will also prevent support of legitimate signed requests or
     responses via the HTTP-Redirect binding, which is generally used
     only for logout messages within the SP itself. Removing support
     for that binding in favor of HTTP-POST in any published metadata
     is an option of course.
     Full advisory:
     https://shibboleth.net/community/advisories/secadv_20250313.txt
     Thanks to Scott Cantor (Closes: #1100464)
Checksums-Sha1:
Checksums-Sha256:
Files:
