Format: 1.8
Date: Fri, 14 Mar 2025 21:47:50 +0100
Source: opensaml
Binary: libsaml-dev libsaml12 libsaml12-dbgsym opensaml-tools opensaml-tools-dbgsym
Architecture: mipsel
Version: 3.2.1-3+deb12u1
Distribution: bookworm-security
Urgency: high
Maintainer: mipsel Build Daemon (mipsel-osuosl-03) <buildd_mips64el-mipsel-osuosl-03@buildd.debian.org>
Changed-By: Ferenc Wágner <wferi@debian.org>
Description:
 libsaml-dev - Security Assertion Markup Language library (development)
 libsaml12  - Security Assertion Markup Language library (runtime)
 opensaml-tools - Security Assertion Markup Language command-line tools
Closes: 1100464
Changes:
 opensaml (3.2.1-3+deb12u1) bookworm-security; urgency=high
 .
   * [b3e86fd] New patch: CPPOST-126 - Simple signature verification fails to
     detect parameter smuggling.
     Security fix cherry-picked from v3.3.1 (upstream commit
     22a610b322e2178abd03e97cdbc8fb50b45efaee).
     Parameter manipulation allows the forging of signed SAML messages
     =================================================================
     A number of vulnerabilities in the OpenSAML library used by the
     Shibboleth Service Provider allowed for creative manipulation of
     parameters combined with reuse of the contents of older requests
     to fool the library's signature verification of non-XML based
     signed messages.
     Most uses of that feature involve very low or low impact use cases
     without critical security implications; however, there are two
     scenarios that are much more critical, one affecting the SP and
     one affecting some implementers who have implemented their own
     code on top of our OpenSAML library and done so improperly.
     The SP's support for the HTTP-POST-SimpleSign SAML binding for
     Single Sign-On responses is its critical vulnerability, and
     it is enabled by default (regardless of what one's published
     SAML metadata may advertise).
     The other critical case involves a mistake that does *not*
     impact the Shibboleth SP, allowing SSO to occur over the
     HTTP-Redirect binding contrary to the plain language of the
     SAML Browser SSO profile. The SP does not support this, but
     other implementers may have done so.
     Contrary to the initial publication of this advisory, there is no
     workaround within the SP configuration other than to remove the
     "SimpleSigning" security policy rule from the security-policy.xml
     file entirely.
     That will also prevent support of legitimate signed requests or
     responses via the HTTP-Redirect binding, which is generally used
     only for logout messages within the SP itself. Removing support
     for that binding in favor of HTTP-POST in any published metadata
     is an option of course.
     Full advisory:
     https://shibboleth.net/community/advisories/secadv_20250313.txt
     Thanks to Scott Cantor (Closes: #1100464)
Checksums-Sha1:
Checksums-Sha256:
Files:
