-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 14 Mar 2025 21:47:50 +0100
Source: opensaml
Architecture: source
Version: 3.2.1-3+deb12u1
Distribution: bookworm-security
Urgency: high
Maintainer: Debian Shib Team <pkg-shibboleth-devel@alioth-lists.debian.net>
Changed-By: Ferenc Wágner <wferi@debian.org>
Closes: 1100464
Changes:
 opensaml (3.2.1-3+deb12u1) bookworm-security; urgency=high
 .
   * [b3e86fd] New patch: CPPOST-126 - Simple signature verification fails to
     detect parameter smuggling.
     Security fix cherry-picked from v3.3.1 (upstream commit
     22a610b322e2178abd03e97cdbc8fb50b45efaee).
     Parameter manipulation allows the forging of signed SAML messages
     =================================================================
     A number of vulnerabilities in the OpenSAML library used by the
     Shibboleth Service Provider allowed for creative manipulation of
     parameters combined with reuse of the contents of older requests
     to fool the library's signature verification of non-XML based
     signed messages.
     Most uses of that feature involve very low or low impact use cases
     without critical security implications; however, there are two
     scenarios that are much more critical, one affecting the SP and
     one affecting some implementers who have implemented their own
     code on top of our OpenSAML library and done so improperly.
     The SP's support for the HTTP-POST-SimpleSign SAML binding for
     Single Sign-On responses is its critical vulnerability, and
     it is enabled by default (regardless of what one's published
     SAML metadata may advertise).
     The other critical case involves a mistake that does *not*
     impact the Shibboleth SP, allowing SSO to occur over the
     HTTP-Redirect binding contrary to the plain language of the
     SAML Browser SSO profile. The SP does not support this, but
     other implementers may have done so.
     Contrary to the initial publication of this advisory, there is no
     workaround within the SP configuration other than to remove the
     "SimpleSigning" security policy rule from the security-policy.xml
     file entirely.
     That will also prevent support of legitimate signed requests or
     responses via the HTTP-Redirect binding, which is generally used
     only for logout messages within the SP itself. Removing support
     for that binding in favor of HTTP-POST in any published metadata
     is an option of course.
     Full advisory:
     https://shibboleth.net/community/advisories/secadv_20250313.txt
     Thanks to Scott Cantor (Closes: #1100464)
Checksums-Sha1:
 22cd592016a1f2668925c004fd5873ebb365769a 2769 opensaml_3.2.1-3+deb12u1.dsc
 046bd41c342174050be8ee370ba681c6a45c76d8 600699 opensaml_3.2.1.orig.tar.bz2
 8b962fb6269e4c524f8681226ed52ffa807d6a42 833 opensaml_3.2.1.orig.tar.bz2.asc
 4b56709c4c0b64b633837f26a980b8ee245bbebc 20452 opensaml_3.2.1-3+deb12u1.debian.tar.xz
 5b36473a702919f4123b17fb236f20cc233bb082 11770 opensaml_3.2.1-3+deb12u1_amd64.buildinfo
Checksums-Sha256:
 e6108b5348f40a95cc2f972325de5c8eb38b358e702dd05e35b04eb18361df11 2769 opensaml_3.2.1-3+deb12u1.dsc
 b402a89a130adcb76869054b256429c1845339fe5c5226ee888686b6a026a337 600699 opensaml_3.2.1.orig.tar.bz2
 406847d5adee9400ddc4646580cafd9bd727a8eecb955fb0987a05ec0f2159e0 833 opensaml_3.2.1.orig.tar.bz2.asc
 7c5c1470b5d9dab3fcabca1d7683525dbeee8f566977d7aaddf7040f24db0fd0 20452 opensaml_3.2.1-3+deb12u1.debian.tar.xz
 641e7f422c7f3bfc41ee4b01f47c4d7c87ec6e2c82868c769df699d1fd5747b2 11770 opensaml_3.2.1-3+deb12u1_amd64.buildinfo
Files:
 a025e9c730fa564cc162dc9fb1abed4e 2769 libs optional opensaml_3.2.1-3+deb12u1.dsc
 a4c08783eb5078be3bbe2ca6b6c7b806 600699 libs optional opensaml_3.2.1.orig.tar.bz2
 4d2a57e6af9cb2d36702352e1fd8b806 833 libs optional opensaml_3.2.1.orig.tar.bz2.asc
 464f94347af15f78b0e7ad5092b0db18 20452 libs optional opensaml_3.2.1-3+deb12u1.debian.tar.xz
 066fd348e10cd1c34b27323a62fc5277 11770 libs optional opensaml_3.2.1-3+deb12u1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEwddEx0RNIUL7eugtOsj3Fkd+2yMFAmfUl54ACgkQOsj3Fkd+
2yMwIxAAl3Qq18XRVULWG1oaM3CBqYt0DpZUfVWp81Fwbpwc33M+SGhXm8NQgau8
A6myAinVKNnJ0uoKQxu8JeU7uG7/neRHwFotX/cYq285VceMn0yI7xQiOU7wc/2N
oKAvIb9UvgIYbb1hzmNcnhWln8mlyIhTDRSfU3CF2ZB/9W+DSvOhbAPUocws1VR+
5wSESfE6BeBgJEahX9IA2TcOZPgia8qo9pcSkK8ZG+46Ky7kYPo3zsM7mSJTU2O0
bMtSAoZcTpCoqYgC5FHP/SobJrLjs68wINXrD3vjbLfXC81ehjybUDMUAGnd/ayP
ImES2YzTwELpMWnd+TIRIKP03cvt4waG8EMlsNE8PmcbWftjaNR+5x8JnSdJM3Va
gzz6NkgR8I8HpKelyInBVxL8jY+Yt5pHYa/457AXV6ycwW6gvVgCkh9Jit5p+cPD
NgPcugvvLCEq6w2s4789Gadzi3NgDqOpzz0w0E9Y84KK/Mun7806YGyhB/2gznu+
8w5hMDcLjwIlyzpWhCIHdXiHtiikZ7h6PgoEV+q4fMgPxeFpJ9W5EC+S4imVgzPa
7ifkVxoV3mZhI2V9kYjGW75Wy3E7tz56/i6b9QjPgl/XJg6/bbyI148gFPdiK0Sj
OxhceeIRyhnHPx4gnH8m5Qsicpb5iUNpIX6YhqJ83zd6Ix03PcI=
=nInB
-----END PGP SIGNATURE-----