-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 14 Mar 2025 21:47:50 +0100
Source: opensaml
Binary: libsaml-dev libsaml12 libsaml12-dbgsym opensaml-tools opensaml-tools-dbgsym
Architecture: s390x
Version: 3.2.1-3+deb12u1
Distribution: bookworm-security
Urgency: high
Maintainer: s390x Build Daemon (zandonai) <buildd_s390x-zandonai@buildd.debian.org>
Changed-By: Ferenc Wágner <wferi@debian.org>
Description:
 libsaml-dev - Security Assertion Markup Language library (development)
 libsaml12  - Security Assertion Markup Language library (runtime)
 opensaml-tools - Security Assertion Markup Language command-line tools
Closes: 1100464
Changes:
 opensaml (3.2.1-3+deb12u1) bookworm-security; urgency=high
 .
   * [b3e86fd] New patch: CPPOST-126 - Simple signature verification fails to
     detect parameter smuggling.
     Security fix cherry-picked from v3.3.1 (upstream commit
     22a610b322e2178abd03e97cdbc8fb50b45efaee).
     Parameter manipulation allows the forging of signed SAML messages
     =================================================================
     A number of vulnerabilities in the OpenSAML library used by the
     Shibboleth Service Provider allowed for creative manipulation of
     parameters combined with reuse of the contents of older requests
     to fool the library's signature verification of non-XML based
     signed messages.
     Most uses of that feature involve very low or low impact use cases
     without critical security implications; however, there are two
     scenarios that are much more critical, one affecting the SP and
     one affecting some implementers who have implemented their own
     code on top of our OpenSAML library and done so improperly.
     The SP's support for the HTTP-POST-SimpleSign SAML binding for
     Single Sign-On responses is its critical vulnerability, and
     it is enabled by default (regardless of what one's published
     SAML metadata may advertise).
     The other critical case involves a mistake that does *not*
     impact the Shibboleth SP, allowing SSO to occur over the
     HTTP-Redirect binding contrary to the plain language of the
     SAML Browser SSO profile. The SP does not support this, but
     other implementers may have done so.
     Contrary to the initial publication of this advisory, there is no
     workaround within the SP configuration other than to remove the
     "SimpleSigning" security policy rule from the security-policy.xml
     file entirely.
     That will also prevent support of legitimate signed requests or
     responses via the HTTP-Redirect binding, which is generally used
     only for logout messages within the SP itself. Removing support
     for that binding in favor of HTTP-POST in any published metadata
     is an option of course.
     Full advisory:
     https://shibboleth.net/community/advisories/secadv_20250313.txt
     Thanks to Scott Cantor (Closes: #1100464)
Checksums-Sha1:
 b12bface9d33768e9959c880b06b0068ff7f0b5a 42672 libsaml-dev_3.2.1-3+deb12u1_s390x.deb
 b59ccee6a1a970709bbda0326a236df924a5e7b5 10094300 libsaml12-dbgsym_3.2.1-3+deb12u1_s390x.deb
 e3e0b4bf4543c0d90ecdf2b11bd989ca7e9f77da 853580 libsaml12_3.2.1-3+deb12u1_s390x.deb
 bb075a67013a862508c5e609314b601b6bfc395c 219936 opensaml-tools-dbgsym_3.2.1-3+deb12u1_s390x.deb
 588d92ca8b612697ef99d47fff7b2c44a7464bae 24004 opensaml-tools_3.2.1-3+deb12u1_s390x.deb
 b63aa23105bf2b90e8a8e2023ff3e4eeff6ed1df 8534 opensaml_3.2.1-3+deb12u1_s390x-buildd.buildinfo
Checksums-Sha256:
 1bc05839c10b30ec18993f840ab70ce2bcfb63662d4f4e1b617a87b81ffaa9d4 42672 libsaml-dev_3.2.1-3+deb12u1_s390x.deb
 258608326c2426d9889279146c6d6bcfb231a08615315dace941451215247f27 10094300 libsaml12-dbgsym_3.2.1-3+deb12u1_s390x.deb
 64911586adaf79118bbd47c55eb8a1f75c9ccbd65768d2127d527f8a77335277 853580 libsaml12_3.2.1-3+deb12u1_s390x.deb
 993741bed70f1e9a3c8f74532005ad632eb2f63a8a0f08a694c1bbaf6ce694c9 219936 opensaml-tools-dbgsym_3.2.1-3+deb12u1_s390x.deb
 1b7ddbb10b03589d99845fe9de7ec10861964611a9df33901cc3562c6c9f48c2 24004 opensaml-tools_3.2.1-3+deb12u1_s390x.deb
 01835c421b5037f52ba4275aa2845ee3ce7a813d910dcb8932f282f5414bf17c 8534 opensaml_3.2.1-3+deb12u1_s390x-buildd.buildinfo
Files:
 fd01f5652055faace572f81e2e047648 42672 libdevel optional libsaml-dev_3.2.1-3+deb12u1_s390x.deb
 7d8cf044a1f1664432d7f4f2b11eee5e 10094300 debug optional libsaml12-dbgsym_3.2.1-3+deb12u1_s390x.deb
 74f0eb5e168d0b18919c5a525331d4a1 853580 libs optional libsaml12_3.2.1-3+deb12u1_s390x.deb
 795420562abf2c54d132d03a14af8ce2 219936 debug optional opensaml-tools-dbgsym_3.2.1-3+deb12u1_s390x.deb
 ce5776c33af223fe4d55489b635c40f6 24004 text optional opensaml-tools_3.2.1-3+deb12u1_s390x.deb
 e7dd77bf46ca11b3f529aa3b9033209e 8534 libs optional opensaml_3.2.1-3+deb12u1_s390x-buildd.buildinfo

-----BEGIN PGP SIGNATURE-----
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=4HlZ
-----END PGP SIGNATURE-----
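The changelog above describes the bug class only in outline ("creative manipulation of parameters combined with reuse of the contents of older requests" against the HTTP-POST-SimpleSign binding). The following is an added illustration, not code from the Debian package, from OpenSAML or from the Shibboleth advisory, and it does not reproduce the exact upstream defect fixed by CPPOST-126. It shows the general shape of a parameter-smuggling attack on SimpleSign verification and a check that closes it: a lenient verifier that rebuilds the signed string from the first occurrence of each form field still accepts a replayed, genuinely signed body after an attacker appends a second SAMLResponse field, while a consumer that reads the last occurrence gets the attacker's payload; a strict verifier that requires each of SAMLRequest/SAMLResponse, RelayState, SigAlg and Signature to appear at most once rejects the body. Go is used instead of OpenSAML's C++ because its standard library covers RSA, SHA-256 and form parsing; the signing helper, the key, the SigAlg allow-list, the "last value wins" consumer and the two SAML payloads are all constructed here for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
)

// Only SigAlg accepted by the verifier (assumption: an explicit allow-list is policy).
const sigAlgRSASHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

// pick returns the value of one form parameter. In strict mode the parameter
// must appear exactly once, so the value that was signed and the value an
// application later consumes cannot differ. In lenient mode it simply takes the
// first occurrence, mimicking a verifier that never checks multiplicity.
func pick(form url.Values, name string, strict bool) (string, error) {
	n := len(form[name])
	switch {
	case n == 0:
		return "", fmt.Errorf("%s missing", name)
	case strict && n > 1:
		return "", fmt.Errorf("%s repeated %d times (parameter smuggling?)", name, n)
	}
	return form[name][0], nil
}

// signedString rebuilds the HTTP-POST-SimpleSign input from the parsed form:
// "SAMLResponse=<b64>&RelayState=<rs>&SigAlg=<alg>", RelayState omitted when
// absent, raw (not URL-encoded) values. The HTTP-Redirect binding differs in
// that it signs the URL-encoded query values as they appear in the URL.
func signedString(form url.Values, strict bool) (string, error) {
	msgName := "SAMLResponse"
	if _, ok := form["SAMLRequest"]; ok {
		if _, both := form["SAMLResponse"]; both {
			return "", errors.New("both SAMLRequest and SAMLResponse present")
		}
		msgName = "SAMLRequest"
	}
	msg, err := pick(form, msgName, strict)
	if err != nil {
		return "", err
	}
	alg, err := pick(form, "SigAlg", strict)
	if err != nil {
		return "", err
	}
	s := msgName + "=" + msg
	if _, ok := form["RelayState"]; ok {
		rs, err := pick(form, "RelayState", strict)
		if err != nil {
			return "", err
		}
		s += "&RelayState=" + rs
	}
	return s + "&SigAlg=" + alg, nil
}

// verify checks the RSA-SHA256 signature over the rebuilt signed string.
func verify(form url.Values, pub *rsa.PublicKey, strict bool) error {
	input, err := signedString(form, strict)
	if err != nil {
		return err
	}
	if alg, _ := pick(form, "SigAlg", strict); alg != sigAlgRSASHA256 {
		return fmt.Errorf("unsupported SigAlg %q", alg)
	}
	sigB64, err := pick(form, "Signature", strict)
	if err != nil {
		return err
	}
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil {
		return err
	}
	h := sha256.Sum256([]byte(input))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig)
}

// sign is a stand-in for the IdP (constructed for this example): it sets SigAlg
// and Signature on an otherwise complete form.
func sign(form url.Values, priv *rsa.PrivateKey) error {
	form.Set("SigAlg", sigAlgRSASHA256)
	input, err := signedString(form, true)
	if err != nil {
		return err
	}
	h := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	if err != nil {
		return err
	}
	form.Set("Signature", base64.StdEncoding.EncodeToString(sig))
	return nil
}

// Demo signs a genuine response, replays that body with an extra SAMLResponse
// field appended (constructed attacker payload), and reports: the genuine body
// verifies; the lenient verifier still accepts the smuggled body; the strict
// verifier rejects it; a last-value-wins consumer would read the forged payload.
func Demo() (legitOK, lenientAcceptsSmuggled, strictRejectsSmuggled, consumerReadsForged bool, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	genuine := base64.StdEncoding.EncodeToString([]byte(`<samlp:Response ID="_genuine"/>`)) // constructed
	forged := base64.StdEncoding.EncodeToString([]byte(`<samlp:Response ID="_forged"/>`))   // constructed
	form := url.Values{}
	form.Set("SAMLResponse", genuine)
	form.Set("RelayState", "https://sp.example/app")
	if err = sign(form, priv); err != nil {
		return
	}
	legitOK = verify(form, &priv.PublicKey, true) == nil
	// Replay the old, validly signed body with one more parameter smuggled in.
	smuggled, _ := url.ParseQuery(form.Encode() + "&SAMLResponse=" + url.QueryEscape(forged))
	lenientAcceptsSmuggled = verify(smuggled, &priv.PublicKey, false) == nil
	strictRejectsSmuggled = verify(smuggled, &priv.PublicKey, true) != nil
	vals := smuggled["SAMLResponse"]
	consumerReadsForged = vals[len(vals)-1] == forged // assumption: last value wins
	return
}

func main() {
	legit, lenient, strict, consumer, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine verifies: %v\nlenient verifier accepts smuggled body: %v\n"+
		"strict verifier rejects it: %v\nlast-wins consumer reads forged payload: %v\n",
		legit, lenient, strict, consumer)
}
```

The point of the strict path is that signature verification and message consumption must agree on a single value for every signed parameter; enforcing "exactly once" at the verifier is the simplest way to guarantee that, and it is independent of whether the surrounding web stack is first-wins or last-wins on duplicate form fields. The advisory's remediation for deployments that cannot upgrade, removing the "SimpleSigning" security policy rule entirely, drops this whole code path rather than hardening it.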