-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 14 Mar 2025 21:47:50 +0100
Source: opensaml
Binary: libsaml-dev libsaml12 libsaml12-dbgsym opensaml-tools opensaml-tools-dbgsym
Architecture: mips64el
Version: 3.2.1-3+deb12u1
Distribution: bookworm-security
Urgency: high
Maintainer: mipsel Build Daemon (mipsel-osuosl-03) <buildd_mips64el-mipsel-osuosl-03@buildd.debian.org>
Changed-By: Ferenc Wágner <wferi@debian.org>
Description:
 libsaml-dev - Security Assertion Markup Language library (development)
 libsaml12  - Security Assertion Markup Language library (runtime)
 opensaml-tools - Security Assertion Markup Language command-line tools
Closes: 1100464
Changes:
 opensaml (3.2.1-3+deb12u1) bookworm-security; urgency=high
 .
   * [b3e86fd] New patch: CPPOST-126 - Simple signature verification fails to
     detect parameter smuggling.
     Security fix cherry-picked from v3.3.1 (upstream commit
     22a610b322e2178abd03e97cdbc8fb50b45efaee).
     Parameter manipulation allows the forging of signed SAML messages
     =================================================================
     A number of vulnerabilities in the OpenSAML library used by the
     Shibboleth Service Provider allowed for creative manipulation of
     parameters combined with reuse of the contents of older requests
     to fool the library's signature verification of non-XML based
     signed messages.
     Most uses of that feature involve very low or low impact use cases
     without critical security implications; however, there are two
     scenarios that are much more critical, one affecting the SP and
     one affecting some implementers who have implemented their own
     code on top of our OpenSAML library and done so improperly.
     The SP's support for the HTTP-POST-SimpleSign SAML binding for
     Single Sign-On responses is its critical vulnerability, and
     it is enabled by default (regardless of what one's published
     SAML metadata may advertise).
     The other critical case involves a mistake that does *not*
     impact the Shibboleth SP, allowing SSO to occur over the
     HTTP-Redirect binding contrary to the plain language of the
     SAML Browser SSO profile. The SP does not support this, but
     other implementers may have done so.
     Contrary to the initial publication of this advisory, there is no
     workaround within the SP configuration other than to remove the
     "SimpleSigning" security policy rule from the security-policy.xml
     file entirely.
     That will also prevent support of legitimate signed requests or
     responses via the HTTP-Redirect binding, which is generally used
     only for logout messages within the SP itself. Removing support
     for that binding in favor of HTTP-POST in any published metadata
     is an option of course.
     Full advisory:
     https://shibboleth.net/community/advisories/secadv_20250313.txt
     Thanks to Scott Cantor (Closes: #1100464)
Checksums-Sha1:
 a31de20f9f4eb781e4e8bdf1b1fdd315c9a48e92 42688 libsaml-dev_3.2.1-3+deb12u1_mips64el.deb
 85d1d51c2b4b06a8e00ca231d75db57175a0070d 10126548 libsaml12-dbgsym_3.2.1-3+deb12u1_mips64el.deb
 e60fcfa5fe972b08cf1d1b866ce6ea21f33a0247 792772 libsaml12_3.2.1-3+deb12u1_mips64el.deb
 a131de665b507e34b5830f3f1a44db64e89e6ad4 222920 opensaml-tools-dbgsym_3.2.1-3+deb12u1_mips64el.deb
 e12d0d4c82c7bef314a47b2a4554447dc2d157a2 24208 opensaml-tools_3.2.1-3+deb12u1_mips64el.deb
 b2a77d44136fc5ea45dc7a107bd6ef4584fca213 8518 opensaml_3.2.1-3+deb12u1_mips64el-buildd.buildinfo
Checksums-Sha256:
 010dd3ab1c366b5bc93931ab2b1fcabff4c0d7911d5d5f2ca591b7b0d98d4f00 42688 libsaml-dev_3.2.1-3+deb12u1_mips64el.deb
 a2a7debcc13445c96fee8fdaf24c3bc660961d457b98a288ebfff4f2f5cd0b33 10126548 libsaml12-dbgsym_3.2.1-3+deb12u1_mips64el.deb
 9ff5b8a9c584ea26f2d45ba8e49e66ece654eee5019cdbece074317a69bf5b1e 792772 libsaml12_3.2.1-3+deb12u1_mips64el.deb
 f0f102d907b40fab679b73a079b7207bf385e99ef69da51c22bb70d26683f51f 222920 opensaml-tools-dbgsym_3.2.1-3+deb12u1_mips64el.deb
 d13177e91ce8f9ecf2eeaa3b37afa6c85d1c9547dbab5ad64d228da8bf70bfaf 24208 opensaml-tools_3.2.1-3+deb12u1_mips64el.deb
 fbaca0f8fcccd9ab97f8556404d877855a95d9ff9bea6ee430495691a2298854 8518 opensaml_3.2.1-3+deb12u1_mips64el-buildd.buildinfo
Files:
 bb3b3f4806679d77daf09716d9b772f7 42688 libdevel optional libsaml-dev_3.2.1-3+deb12u1_mips64el.deb
 28ae9e4f2e0908e71ed25800377870e0 10126548 debug optional libsaml12-dbgsym_3.2.1-3+deb12u1_mips64el.deb
 e7014348d73c5c9673e492fd95a08d67 792772 libs optional libsaml12_3.2.1-3+deb12u1_mips64el.deb
 10920b616d8020e5edfba47ea2013f88 222920 debug optional opensaml-tools-dbgsym_3.2.1-3+deb12u1_mips64el.deb
 5af28acd1011ffaaf39e02074c768a09 24208 text optional opensaml-tools_3.2.1-3+deb12u1_mips64el.deb
 69f239fc89e4ad357148faec59200e20 8518 libs optional opensaml_3.2.1-3+deb12u1_mips64el-buildd.buildinfo
