Format: 1.8
Date: Fri, 14 Mar 2025 21:47:50 +0100
Source: opensaml
Binary: libsaml-doc opensaml-schemas
Architecture: all
Version: 3.2.1-3+deb12u1
Distribution: bookworm-security
Urgency: high
Maintainer: all / amd64 / i386 Build Daemon (x86-grnet-03) <buildd_amd64-x86-grnet-03@buildd.debian.org>
Changed-By: Ferenc Wágner <wferi@debian.org>
Description:
 libsaml-doc - Security Assertion Markup Language library (API docs)
 opensaml-schemas - Security Assertion Markup Language library (XML schemas)
Closes: 1100464
Changes:
 opensaml (3.2.1-3+deb12u1) bookworm-security; urgency=high
 .
   * [b3e86fd] New patch: CPPOST-126 - Simple signature verification fails to
     detect parameter smuggling.
     Security fix cherry-picked from v3.3.1 (upstream commit
     22a610b322e2178abd03e97cdbc8fb50b45efaee).
     Parameter manipulation allows the forging of signed SAML messages
     =================================================================
     A number of vulnerabilities in the OpenSAML library used by the
     Shibboleth Service Provider allowed for creative manipulation of
     parameters combined with reuse of the contents of older requests
     to fool the library's signature verification of non-XML based
     signed messages.
     Most uses of that feature involve very low or low impact use cases
     without critical security implications; however, there are two
     scenarios that are much more critical, one affecting the SP and
     one affecting some implementers who have implemented their own
     code on top of our OpenSAML library and done so improperly.
     The SP's support for the HTTP-POST-SimpleSign SAML binding for
     Single Sign-On responses is its critical vulnerability, and
     it is enabled by default (regardless of what one's published
     SAML metadata may advertise).
     The other critical case involves a mistake that does *not*
     impact the Shibboleth SP, allowing SSO to occur over the
     HTTP-Redirect binding contrary to the plain language of the
     SAML Browser SSO profile. The SP does not support this, but
     other implementers may have done so.
     Contrary to the initial publication of this advisory, there is no
     workaround within the SP configuration other than to remove the
     "SimpleSigning" security policy rule from the security-policy.xml
     file entirely.
     That will also prevent support of legitimate signed requests or
     responses via the HTTP-Redirect binding, which is generally used
     only for logout messages within the SP itself. Removing support
     for that binding in favor of HTTP-POST in any published metadata
     is an option of course.
     Full advisory:
     https://shibboleth.net/community/advisories/secadv_20250313.txt
     Thanks to Scott Cantor (Closes: #1100464)
Checksums-Sha1:
 97b52d69d643eb34fb76f696e29e193a1c06c22b 1923876 libsaml-doc_3.2.1-3+deb12u1_all.deb
 0d36e7ac907e0935d899312088085b118421f817 24088 opensaml-schemas_3.2.1-3+deb12u1_all.deb
 b3e177c95f445b2887dca08a4caa01d2a7264008 9818 opensaml_3.2.1-3+deb12u1_all-buildd.buildinfo
Checksums-Sha256:
 b4ca933a43a97f1eaa2a84147d6f409f30b9022cb6ca749f331c581e1a2abafd 1923876 libsaml-doc_3.2.1-3+deb12u1_all.deb
 3b3728ac187e5dc0f83637369a68c7395af9472cb0b6628d8aa89a9669fdfa76 24088 opensaml-schemas_3.2.1-3+deb12u1_all.deb
 0db832488526700fcf50c72e37209bf4a07f9e2ab5f69712ec84423efafa7cea 9818 opensaml_3.2.1-3+deb12u1_all-buildd.buildinfo
Files:
 08d050e2879b6da678c4d280a376d5ec 1923876 doc optional libsaml-doc_3.2.1-3+deb12u1_all.deb
 da17dd87df45623e439b89f74fc45a75 24088 text optional opensaml-schemas_3.2.1-3+deb12u1_all.deb
 fb704af3d24073837604f2159996dcc9 9818 libs optional opensaml_3.2.1-3+deb12u1_all-buildd.buildinfo