-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Fri, 14 Mar 2025 21:47:50 +0100 Source: opensaml Binary: libsaml-doc opensaml-schemas Architecture: all Version: 3.2.1-3+deb12u1 Distribution: bookworm-security Urgency: high Maintainer: all / amd64 / i386 Build Daemon (x86-grnet-03) Changed-By: Ferenc Wágner Description: libsaml-doc - Security Assertion Markup Language library (API docs) opensaml-schemas - Security Assertion Markup Language library (XML schemas) Closes: 1100464 Changes: opensaml (3.2.1-3+deb12u1) bookworm-security; urgency=high . * [b3e86fd] New patch: CPPOST-126 - Simple signature verification fails to detect parameter smuggling. Security fix cherry-picked from v3.3.1 (upstream commit 22a610b322e2178abd03e97cdbc8fb50b45efaee). Parameter manipulation allows the forging of signed SAML messages ================================================================= A number of vulnerabilities in the OpenSAML library used by the Shibboleth Service Provider allowed for creative manipulation of parameters combined with reuse of the contents of older requests to fool the library's signature verification of non-XML based signed messages. Most uses of that feature involve very low or low impact use cases without critical security implications; however, there are two scenarios that are much more critical, one affecting the SP and one affecting some implementers who have implemented their own code on top of our OpenSAML library and done so improperly. The SP's support for the HTTP-POST-SimpleSign SAML binding for Single Sign-On responses is its critical vulnerability, and it is enabled by default (regardless of what one's published SAML metadata may advertise). The other critical case involves a mistake that does *not* impact the Shibboleth SP, allowing SSO to occur over the HTTP-Redirect binding contrary to the plain language of the SAML Browser SSO profile. The SP does not support this, but other implementers may have done so. Contrary to the initial publication of this advisory, there is no workaround within the SP configuration other than to remove the "SimpleSigning" security policy rule from the security-policy.xml file entirely. That will also prevent support of legitimate signed requests or responses via the HTTP-Redirect binding, which is generally used only for logout messages within the SP itself. Removing support for that binding in favor of HTTP-POST in any published metadata is an option of course. Full advisory: https://shibboleth.net/community/advisories/secadv_20250313.txt Thanks to Scott Cantor (Closes: #1100464) Checksums-Sha1: 97b52d69d643eb34fb76f696e29e193a1c06c22b 1923876 libsaml-doc_3.2.1-3+deb12u1_all.deb 0d36e7ac907e0935d899312088085b118421f817 24088 opensaml-schemas_3.2.1-3+deb12u1_all.deb b3e177c95f445b2887dca08a4caa01d2a7264008 9818 opensaml_3.2.1-3+deb12u1_all-buildd.buildinfo Checksums-Sha256: b4ca933a43a97f1eaa2a84147d6f409f30b9022cb6ca749f331c581e1a2abafd 1923876 libsaml-doc_3.2.1-3+deb12u1_all.deb 3b3728ac187e5dc0f83637369a68c7395af9472cb0b6628d8aa89a9669fdfa76 24088 opensaml-schemas_3.2.1-3+deb12u1_all.deb 0db832488526700fcf50c72e37209bf4a07f9e2ab5f69712ec84423efafa7cea 9818 opensaml_3.2.1-3+deb12u1_all-buildd.buildinfo Files: 08d050e2879b6da678c4d280a376d5ec 1923876 doc optional libsaml-doc_3.2.1-3+deb12u1_all.deb da17dd87df45623e439b89f74fc45a75 24088 text optional opensaml-schemas_3.2.1-3+deb12u1_all.deb fb704af3d24073837604f2159996dcc9 9818 libs optional opensaml_3.2.1-3+deb12u1_all-buildd.buildinfo -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEe8x49oT2k+seQstpgDm7h4zfCpIFAmfUsQYACgkQgDm7h4zf CpKkeA//Yqr+CTVUSeip2h51TBi3dQwqQGNBrluVgBZIfRo7N4BPCgxwLTvm1m8/ G7ZEhPVoNN/kgFMuMABXppvQOEr7EaEdMSAxaCl2Nsh9umkFmHvqiFK3V30Sit7I KouGfq1+R6hYXCtnYDyqKMuilO+6ofD1dvS//4/n4HvnflKOxWvYkEiyTlIMG5oQ lHdKs0td3N5FwCSrH2VmIhh9Wu9+gw///jHUxV6CCi+e1LlYKn4zeyIqCaefy8bY uh5APnQZ6OPQaCvvAy1hJELojeoU/mWZIqcEvbrjco6Od5A7HQAZUbNO+NTPdmS8 /FMZvQJQQB+asuRukfNdWCdaTEAXcgK3mSAEGancZOtzKUj1FFsl2g23gCVcCnQ+ TNNlmHQiideCddRXv/tbOms7QLkoGSDo7OPMTMwes8+wYnR9H0DTeG5RwE6sIpFQ 5/wJ+27onr99Ndh+IXnh+nQErj4Xs+InBXJSwfPLwZBNbrnEUWTG1rjBH/G7eD72 SCHm15KF848C0ARRiVmW3tx+ZtqR2Dk2x134RDZtosawknRv7i9preexp4fj3kSK uj2lGgL0nHHvt4dxG7gQaWF+oF7DmMDN3341jH4a+FojivnRwz+QKNOBWAaMoTJ+ we1dOpK2jPPbZra5h38mlSGXXRuztHUHopFcUC2C/9ubvjGQSCg= =D0W+ -----END PGP SIGNATURE-----