Format: 1.8
Date: Fri, 14 Mar 2025 21:47:50 +0100
Source: opensaml
Binary: libsaml-dev libsaml12 libsaml12-dbgsym opensaml-tools opensaml-tools-dbgsym
Architecture: armhf
Version: 3.2.1-3+deb12u1
Distribution: bookworm-security
Urgency: high
Maintainer: arm Build Daemon (arm-ubc-04) <buildd_arm64-arm-ubc-04@buildd.debian.org>
Changed-By: Ferenc Wágner <wferi@debian.org>
Description:
 libsaml-dev - Security Assertion Markup Language library (development)
 libsaml12  - Security Assertion Markup Language library (runtime)
 opensaml-tools - Security Assertion Markup Language command-line tools
Closes: 1100464
Changes:
 opensaml (3.2.1-3+deb12u1) bookworm-security; urgency=high
 .
   * [b3e86fd] New patch: CPPOST-126 - Simple signature verification fails to
     detect parameter smuggling.
     Security fix cherry-picked from v3.3.1 (upstream commit
     22a610b322e2178abd03e97cdbc8fb50b45efaee).
     Parameter manipulation allows the forging of signed SAML messages
     =================================================================
     A number of vulnerabilities in the OpenSAML library used by the
     Shibboleth Service Provider allowed for creative manipulation of
     parameters combined with reuse of the contents of older requests
     to fool the library's signature verification of non-XML based
     signed messages.
     Most uses of that feature involve very low or low impact use cases
     without critical security implications; however, there are two
     scenarios that are much more critical, one affecting the SP and
     one affecting some implementers who have implemented their own
     code on top of our OpenSAML library and done so improperly.
     The SP's support for the HTTP-POST-SimpleSign SAML binding for
     Single Sign-On responses is its critical vulnerability, and
     it is enabled by default (regardless of what one's published
     SAML metadata may advertise).
     The other critical case involves a mistake that does *not*
     impact the Shibboleth SP, allowing SSO to occur over the
     HTTP-Redirect binding contrary to the plain language of the
     SAML Browser SSO profile. The SP does not support this, but
     other implementers may have done so.
     Contrary to the initial publication of this advisory, there is no
     workaround within the SP configuration other than to remove the
     "SimpleSigning" security policy rule from the security-policy.xml
     file entirely.
     That will also prevent support of legitimate signed requests or
     responses via the HTTP-Redirect binding, which is generally used
     only for logout messages within the SP itself. Removing support
     for that binding in favor of HTTP-POST in any published metadata
     is an option of course.
     Full advisory:
     https://shibboleth.net/community/advisories/secadv_20250313.txt
     Thanks to Scott Cantor (Closes: #1100464)
Checksums-Sha1:
Checksums-Sha256:
Files: