-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 14 Mar 2025 21:47:50 +0100
Source: opensaml
Binary: libsaml-dev libsaml12 libsaml12-dbgsym opensaml-tools opensaml-tools-dbgsym
Architecture: i386
Version: 3.2.1-3+deb12u1
Distribution: bookworm-security
Urgency: high
Maintainer: i386 Build Daemon (x86-grnet-01) <buildd_amd64-x86-grnet-01@buildd.debian.org>
Changed-By: Ferenc Wágner <wferi@debian.org>
Description:
libsaml-dev - Security Assertion Markup Language library (development)
libsaml12 - Security Assertion Markup Language library (runtime)
opensaml-tools - Security Assertion Markup Language command-line tools
Closes: 1100464
Changes:
opensaml (3.2.1-3+deb12u1) bookworm-security; urgency=high
.
* [b3e86fd] New patch: CPPOST-126 - Simple signature verification fails to
detect parameter smuggling.
Security fix cherry-picked from v3.3.1 (upstream commit
22a610b322e2178abd03e97cdbc8fb50b45efaee).
Parameter manipulation allows the forging of signed SAML messages
=================================================================
A number of vulnerabilities in the OpenSAML library used by the
Shibboleth Service Provider allowed for creative manipulation of
parameters combined with reuse of the contents of older requests
to fool the library's signature verification of non-XML based
signed messages.
Most uses of that feature involve very low or low impact use cases
without critical security implications; however, there are two
scenarios that are much more critical, one affecting the SP and
one affecting some implementers who have implemented their own
code on top of our OpenSAML library and done so improperly.
The SP's support for the HTTP-POST-SimpleSign SAML binding for
Single Sign-On responses is its critical vulnerability, and
it is enabled by default (regardless of what one's published
SAML metadata may advertise).
The other critical case involves a mistake that does *not*
impact the Shibboleth SP, allowing SSO to occur over the
HTTP-Redirect binding contrary to the plain language of the
SAML Browser SSO profile. The SP does not support this, but
other implementers may have done so.
Contrary to the initial publication of this advisory, there is no
workaround within the SP configuration other than to remove the
"SimpleSigning" security policy rule from the security-policy.xml
file entirely.
That will also prevent support of legitimate signed requests or
responses via the HTTP-Redirect binding, which is generally used
only for logout messages within the SP itself. Removing support
for that binding in favor of HTTP-POST in any published metadata
is an option of course.
Full advisory:
https://shibboleth.net/community/advisories/secadv_20250313.txt
Thanks to Scott Cantor (Closes: #1100464)
Checksums-Sha1:
29f4e0957881f2b0428b6ec9c5fc3a97eecfc7be 42676 libsaml-dev_3.2.1-3+deb12u1_i386.deb
272b0cf171af32b512bc170c69f73a2af869a391 9737972 libsaml12-dbgsym_3.2.1-3+deb12u1_i386.deb
961f07bd77701302315765715e4f8351280c2455 925036 libsaml12_3.2.1-3+deb12u1_i386.deb
0a593b16dcc89ba4a5267cb2e6ca4d43c9d79361 216020 opensaml-tools-dbgsym_3.2.1-3+deb12u1_i386.deb
3f0aec3be4020431c58da88c8a8f2363fb1cc067 26040 opensaml-tools_3.2.1-3+deb12u1_i386.deb
4bf90ec0228bcea5fa721731666c593a41b7cf79 8583 opensaml_3.2.1-3+deb12u1_i386-buildd.buildinfo
Checksums-Sha256:
a94b394992fd43b2bd08e948cb8950078a0a468c933bc4a9c91a2df81d658211 42676 libsaml-dev_3.2.1-3+deb12u1_i386.deb
5ab19907abb68a359105d33643f2fb70dc978093e66cbf77698fad485f5441b8 9737972 libsaml12-dbgsym_3.2.1-3+deb12u1_i386.deb
4dde02ed1f30eb90a120cd176c6d8b460cecffd863a99866dc59882930368e23 925036 libsaml12_3.2.1-3+deb12u1_i386.deb
25c2300725be7c7c012e02251e9e8654e44d3b409e74d6bb4ad11f4a8e42510b 216020 opensaml-tools-dbgsym_3.2.1-3+deb12u1_i386.deb
18f2d9b162966a5176d25e4889cd915ea3f4537d23f19edcc8b17a712bf471d3 26040 opensaml-tools_3.2.1-3+deb12u1_i386.deb
efd8880cf78547c698755ffb6b5551fb1a4a3577382837cc32fb379b6212d15e 8583 opensaml_3.2.1-3+deb12u1_i386-buildd.buildinfo
Files:
5ea49b937b5d80404022925e5686770b 42676 libdevel optional libsaml-dev_3.2.1-3+deb12u1_i386.deb
42f65cf12beb516eda22cfef220669ca 9737972 debug optional libsaml12-dbgsym_3.2.1-3+deb12u1_i386.deb
c62c8a75b12c09fb38347c2072c60439 925036 libs optional libsaml12_3.2.1-3+deb12u1_i386.deb
3536d4d2a14e48e41e2366bfb987f0e9 216020 debug optional opensaml-tools-dbgsym_3.2.1-3+deb12u1_i386.deb
9dd28c55988aad78e5263327844df445 26040 text optional opensaml-tools_3.2.1-3+deb12u1_i386.deb
f0aae8f83eb0e683193f4beab957a514 8583 libs optional opensaml_3.2.1-3+deb12u1_i386-buildd.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEyTfXx8sBpQ0Lh3cUU9a0/LcaTpMFAmfUsQIACgkQU9a0/Lca
TpMf4Q/7BX+YVsAm4N0IyKyNdayyzexAMxi+rbiG4t1C3fxeK+rO71cJWCk2NuEJ
yZE5tC+gJlLM5SEBv9loqrlmnaHTugJVyNZ/PYaNfFowRD1j6O6B3dh7z/clbLh+
+um19DpND8eJ3VsBsNfVUDssHJL+W/yVC42pqDN7c9Et3CsAb2G5PN/+N96rxRPF
XYVhvHxgtxSGTe3j4pG8WkbHN15dfVPx8/Ianrd8KaE0YcNo5ANKPRoWQkmdgIwq
l1YgJ3spMyCbRxpVgTGInaEY8yBmVaP5zY0qzBBjxDvZvdMuUMBh8epa60VNbBt1
IENi++SAul8DY5N+WXqaV2itv29EbDsZitl2SPMhKlzsyoEnUf5ak9pV2R9VSS1h
Wspt13uFci3cJEW7iQtgafXt+Cq76TDLSEdIn6v9UcaCWVjIA4xLmlv0n50BT+8d
wbssLGUpufugU3Besj6+s0q/eK/EXURGQcVVoaIdumRF5WqoADiFFmtJXQjAXO4L
pJtUxaP+Hl9wosMTH1r87emdH+AjTxyq9hqzQfZuvLRe509g3xnrDMN+Ko82a1NB
kwHra49K0LVu6t57iZ31iZcu4R4AMz07hxTL9f630SQnxN1CX01xC2bzuDP4x1Ef
1sGKh88lmmuD479h4e64dGoINCelz4KvKHGCEhEAsPj3vBKc4xY=
=PQ2R
-----END PGP SIGNATURE-----