-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 14 Mar 2025 21:47:50 +0100
Source: opensaml
Binary: libsaml-dev libsaml12 libsaml12-dbgsym opensaml-tools opensaml-tools-dbgsym
Architecture: ppc64el
Version: 3.2.1-3+deb12u1
Distribution: bookworm-security
Urgency: high
Maintainer: ppc64el Build Daemon (ppc64el-conova-01) <buildd_ppc64el-ppc64el-conova-01@buildd.debian.org>
Changed-By: Ferenc Wágner <wferi@debian.org>
Description:
 libsaml-dev - Security Assertion Markup Language library (development)
 libsaml12  - Security Assertion Markup Language library (runtime)
 opensaml-tools - Security Assertion Markup Language command-line tools
Closes: 1100464
Changes:
 opensaml (3.2.1-3+deb12u1) bookworm-security; urgency=high
 .
   * [b3e86fd] New patch: CPPOST-126 - Simple signature verification fails to
     detect parameter smuggling.
     Security fix cherry-picked from v3.3.1 (upstream commit
     22a610b322e2178abd03e97cdbc8fb50b45efaee).
     Parameter manipulation allows the forging of signed SAML messages
     =================================================================
     A number of vulnerabilities in the OpenSAML library used by the
     Shibboleth Service Provider allowed for creative manipulation of
     parameters combined with reuse of the contents of older requests
     to fool the library's signature verification of non-XML based
     signed messages.
     Most uses of that feature involve very low or low impact use cases
     without critical security implications; however, there are two
     scenarios that are much more critical, one affecting the SP and
     one affecting some implementers who have implemented their own
     code on top of our OpenSAML library and done so improperly.
     The SP's support for the HTTP-POST-SimpleSign SAML binding for
     Single Sign-On responses is its critical vulnerability, and
     it is enabled by default (regardless of what one's published
     SAML metadata may advertise).
     The other critical case involves a mistake that does *not*
     impact the Shibboleth SP, allowing SSO to occur over the
     HTTP-Redirect binding contrary to the plain language of the
     SAML Browser SSO profile. The SP does not support this, but
     other implementers may have done so.
     Contrary to the initial publication of this advisory, there is no
     workaround within the SP configuration other than to remove the
     "SimpleSigning" security policy rule from the security-policy.xml
     file entirely.
     That will also prevent support of legitimate signed requests or
     responses via the HTTP-Redirect binding, which is generally used
     only for logout messages within the SP itself. Removing support
     for that binding in favor of HTTP-POST in any published metadata
     is an option of course.
     Full advisory:
     https://shibboleth.net/community/advisories/secadv_20250313.txt
     Thanks to Scott Cantor (Closes: #1100464)
Checksums-Sha1:
 e65fafd3e8e08aaf307020ad0866787ee9f7ffdc 42692 libsaml-dev_3.2.1-3+deb12u1_ppc64el.deb
 290a4fd129ea88f85402d9a1e0c5afc7ddc046e3 10148416 libsaml12-dbgsym_3.2.1-3+deb12u1_ppc64el.deb
 2d17b69f15d9ef8c0bc08a5039cb6cae9ad1fcf4 907836 libsaml12_3.2.1-3+deb12u1_ppc64el.deb
 2362aab04dd7299da0a478328f2e4205ca94813f 221448 opensaml-tools-dbgsym_3.2.1-3+deb12u1_ppc64el.deb
 86011daf0ad1c0c24176b5e134ccbc9f7a097f67 25328 opensaml-tools_3.2.1-3+deb12u1_ppc64el.deb
 90fb6ead99aae1792462cc4a47605b45495a1b03 8653 opensaml_3.2.1-3+deb12u1_ppc64el-buildd.buildinfo
Checksums-Sha256:
 645005dc5621324c0d6e501ba2c342ead87ca04f30a14268e019b2269794c1ae 42692 libsaml-dev_3.2.1-3+deb12u1_ppc64el.deb
 5addf39e086e34015d699751908faa7cca0599ce4e00828548eae72ca5169923 10148416 libsaml12-dbgsym_3.2.1-3+deb12u1_ppc64el.deb
 f25587839f6b037bc02b721d7ee1e83558ccfe3faf3eaa29e8268948da6efd90 907836 libsaml12_3.2.1-3+deb12u1_ppc64el.deb
 a5f9045032420c953ab25a62e62cbd7be14095ec406721487e8b07981e6581a6 221448 opensaml-tools-dbgsym_3.2.1-3+deb12u1_ppc64el.deb
 6281297e33253c3a5c3019b57564fc60afd46ed5f16e70234565f9b140c65241 25328 opensaml-tools_3.2.1-3+deb12u1_ppc64el.deb
 00b6780ead26333c181b8c089d8bc1be477e215892f002e4de7ec9e091c3e26e 8653 opensaml_3.2.1-3+deb12u1_ppc64el-buildd.buildinfo
Files:
 b20286ecf09e1fcb0da701b8b95e1874 42692 libdevel optional libsaml-dev_3.2.1-3+deb12u1_ppc64el.deb
 e276d11c0a4ccbd0715a934b55d7bc9b 10148416 debug optional libsaml12-dbgsym_3.2.1-3+deb12u1_ppc64el.deb
 0fdaec4851e56f59997c3bdd8d9871cb 907836 libs optional libsaml12_3.2.1-3+deb12u1_ppc64el.deb
 ecc52466b5c67e9352ac2185ecb69bed 221448 debug optional opensaml-tools-dbgsym_3.2.1-3+deb12u1_ppc64el.deb
 13c199f425cf90f7c3bebbdb262eeb69 25328 text optional opensaml-tools_3.2.1-3+deb12u1_ppc64el.deb
 1fbec946a901a3d46171dd2f78f887c3 8653 libs optional opensaml_3.2.1-3+deb12u1_ppc64el-buildd.buildinfo

-----BEGIN PGP SIGNATURE-----
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=Eff4
-----END PGP SIGNATURE-----
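The changelog above describes the vulnerability class only in prose: the signed data for the non-XML bindings (HTTP-Redirect and HTTP-POST-SimpleSign) is a string rebuilt from request parameters, so a verifier that rebuilds that string from one view of the parameters while the application consumes another can be fooled by parameter manipulation plus reuse of an older, legitimately signed message. The following Python is an added editorial example of that class; it is not OpenSAML or Shibboleth SP code and does not reproduce the specific defect fixed by the CPPOST-126 patch. The weak verifier (`naive_verify`) is hypothetical, an HMAC with a shared key stands in for the IdP's asymmetric signing key so the script runs offline, and the query strings are constructed test data.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode

# Assumption: a shared HMAC key stands in for the IdP signing key so that the
# example is self-contained; the real bindings use asymmetric signatures.
KEY = b"constructed-demo-key"
# Fields covered by the signature, in the order they are concatenated.
SIGNED_FIELDS = ("SAMLResponse", "RelayState", "SigAlg")


def sign_query(params: dict) -> str:
    """Build a signed HTTP-Redirect-style query string: the signature covers the
    URL-encoded SAMLResponse, RelayState and SigAlg fragments, in that order."""
    to_sign = urlencode([(k, params[k]) for k in SIGNED_FIELDS if k in params])
    sig = hmac.new(KEY, to_sign.encode(), hashlib.sha256).hexdigest()
    return to_sign + "&" + urlencode({"Signature": sig})


def naive_verify(raw_query: str):
    """Hypothetical weak verifier (not OpenSAML's code): it rebuilds the signed
    data from the FIRST raw occurrence of each field, but the value it returns to
    the application comes from a parser in which the LAST occurrence wins."""
    first = {}
    for frag in raw_query.split("&"):
        first.setdefault(frag.partition("=")[0], frag)   # raw "k=v", first wins
    to_sign = "&".join(first[k] for k in SIGNED_FIELDS if k in first)
    expected = hmac.new(KEY, to_sign.encode(), hashlib.sha256).hexdigest()
    consumed = dict(parse_qsl(raw_query, keep_blank_values=True))  # last wins
    if not hmac.compare_digest(consumed.get("Signature", ""), expected):
        return None
    return consumed["SAMLResponse"]


def hardened_verify(raw_query: str):
    """Hardened verifier: reject any repeated parameter, verify the signature over
    the exact raw fragments received, and decode the consumed values from those
    same fragments so the signed view and the consumed view cannot diverge."""
    fragments, values = {}, {}
    for frag in raw_query.split("&"):
        key = frag.partition("=")[0]
        if key in fragments:
            return None   # duplicate parameter: possible smuggling, refuse it
        fragments[key] = frag
        values[key] = parse_qsl(frag, keep_blank_values=True)[0][1]
    to_sign = "&".join(fragments[k] for k in SIGNED_FIELDS if k in fragments)
    expected = hmac.new(KEY, to_sign.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(values.get("Signature", ""), expected):
        return None
    return values["SAMLResponse"]


# Constructed scenario: the attacker holds an old, legitimately signed message
# and appends a second SAMLResponse carrying forged content.
GOOD = sign_query({"SAMLResponse": "OLD-SIGNED-ASSERTION",
                   "RelayState": "app", "SigAlg": "hmac-sha256"})
SMUGGLED = GOOD + "&" + urlencode({"SAMLResponse": "FORGED-ASSERTION"})
# Plain tampering without duplication, for comparison.
TAMPERED = GOOD.replace("OLD-SIGNED-ASSERTION", "FORGED-ASSERTION")


if __name__ == "__main__":
    for name, q in (("good", GOOD), ("smuggled", SMUGGLED), ("tampered", TAMPERED)):
        print(f"{name:9s} naive={naive_verify(q)!r:24s} hardened={hardened_verify(q)!r}")
```

With the smuggled query the weak verifier accepts the old signature and hands the application the forged value; the hardened verifier refuses the request because a parameter repeats. Plain tampering fails under both, which is why the duplicate check, and not the signature algorithm, is the point of the example. A real implementation must also keep the raw bytes it verified (re-encoding decoded values can change `+` versus `%20` and break legitimate signatures) and apply the same discipline to POST form bodies for SimpleSign.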