lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 1 Mar 2018 22:15:39 -0800
From: Thijs Kinkhorst <thijs@...ian.org>
To: <bugtraq@...urityfocus.com>
Subject: [SECURITY] [DSA 4127-1] simplesamlphp security update

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

-
-------------------------------------------------------------------------
Debian Security Advisory DSA-4127-1                   security@...ian.org
https://www.debian.org/security/                          Thijs Kinkhorst
March 02, 2018                        https://www.debian.org/security/faq
-
-------------------------------------------------------------------------

Package        : simplesamlphp
CVE ID         : CVE-2017-12867 CVE-2017-12869 CVE-2017-12873
                 CVE-2017-12874 CVE-2017-18121 CVE-2017-18122
                 CVE-2018-6519 CVE-2018-6521
Debian Bug     : 889286

Several vulnerabilities have been discovered in SimpleSAMLphp, a
framework for authentication, primarily via the SAML protocol.

CVE-2017-12867

     Attackers with access to a secret token could extend its validity
     period by manipulating the prepended time offset.

CVE-2017-12869

    When using the multiauth module, attackers can bypass authentication
    context restrictions and use any authentication source defined in
    the config.

CVE-2017-12873

    Defensive measures have been taken to prevent the administrator
    from misconfiguring persistent NameIDs to avoid identifier clash.
    (Affects Debian 8 Jesse only.)

CVE-2017-12874

    The InfoCard module could accept incorrectly signed XML messages
    in rare occasions.

CVE-2017-18121

    The consentAdmin module was vulnerable to a Cross-Site Scripting
    attack, allowing an attacker to craft links that could execute
     arbitrary JavaScript code in the victim's browser.

CVE-2017-18122

    The (deprecated) SAML 1.1 implementation would regard as valid any
    unsigned SAML response containing more than one signed assertion,
    provided that the signature of at least one of the assertions was
    valid, allowing an attacker that could obtain a valid signed
    assertion from an IdP to impersonate users from that IdP.

CVE-2018-6519

    Regular expression denial of service when parsing extraordinarily
    long timestamps.

CVE-2018-6521

    Change sqlauth module MySQL charset from utf8 to utf8mb to
    prevent theoretical query truncation that could allow remote
    attackers to bypass intended access restrictions

SSPSA-201802-01 (no CVE yet)

    Critical signature validation vulnerability.

For the oldstable distribution (jessie), these problems have been fixed
in version 1.13.1-2+deb8u1.

For the stable distribution (stretch), these problems have been fixed in
version 1.14.11-1+deb9u1.

We recommend that you upgrade your simplesamlphp packages.

For the detailed security status of simplesamlphp please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/simplesamlphp

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@...ts.debian.org
-----BEGIN PGP SIGNATURE-----

iQEuBAEBCAAYBQJamOwIERx0aGlqc0BkZWJpYW4ub3JnAAoJEFb2GnlAHawEn6IH
/3wbUbHLQUuTHhS2E+n4u//hv9kE0TUrjXZak47KYo6vFwhxHyDeKAWlDFqwld8y
L6a5OFL9UZNaQbTOh8MvgD7Q9y8dwiGlC2USjBWlA7BO2HunZ2jqy904c1q36d7I
fAH4TszQ7P/k8uxkNCRPH5GZZiiYnZXRtjiC+x2R860jSHvtlLg0/rMKqSdgBKXd
sD5Dkx4oSeXTZiIVJQl7J+d1rUnuxBAidaqcSIgJOzXsOoPHbS7pfczpZ6kte9K6
s6PfSP39OPIfwbFTTxs1q9SBV3lv59QL3tW91i/XucAAyvsUsvqLVN5xRDllAIAc
RjhqAED45Wis3aG2D7c7Rhc=
=6tNs
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists