-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 14 Mar 2025 21:47:50 +0100
Source: opensaml
Binary: libsaml-dev libsaml12 libsaml12-dbgsym opensaml-tools opensaml-tools-dbgsym
Architecture: amd64
Version: 3.2.1-3+deb12u1
Distribution: bookworm-security
Urgency: high
Maintainer: amd64 / i386 Build Daemon (x86-ubc-02)
Changed-By: Ferenc Wágner
Description:
 libsaml-dev - Security Assertion Markup Language library (development)
 libsaml12  - Security Assertion Markup Language library (runtime)
 opensaml-tools - Security Assertion Markup Language command-line tools
Closes: 1100464
Changes:
 opensaml (3.2.1-3+deb12u1) bookworm-security; urgency=high
 .
   * [b3e86fd] New patch: CPPOST-126 - Simple signature verification fails
     to detect parameter smuggling.
     Security fix cherry-picked from v3.3.1 (upstream commit
     22a610b322e2178abd03e97cdbc8fb50b45efaee).
 .
     Parameter manipulation allows the forging of signed SAML messages
     =================================================================
 .
     A number of vulnerabilities in the OpenSAML library used by the
     Shibboleth Service Provider allowed for creative manipulation of
     parameters combined with reuse of the contents of older requests to
     fool the library's signature verification of non-XML based signed
     messages. Most uses of that feature involve very low or low impact
     use cases without critical security implications; however, there are
     two scenarios that are much more critical, one affecting the SP and
     one affecting some implementers who have implemented their own code
     on top of our OpenSAML library and done so improperly.
 .
     The SP's support for the HTTP-POST-SimpleSign SAML binding for Single
     Sign-On responses is its critical vulnerability, and it is enabled by
     default (regardless of what one's published SAML metadata may
     advertise).
 .
     The other critical case involves a mistake that does *not* impact the
     Shibboleth SP, allowing SSO to occur over the HTTP-Redirect binding
     contrary to the plain language of the SAML Browser SSO profile. The SP
     does not support this, but other implementers may have done so.
 .
     Contrary to the initial publication of this advisory, there is no
     workaround within the SP configuration other than to remove the
     "SimpleSigning" security policy rule from the security-policy.xml
     file entirely. That will also prevent support of legitimate signed
     requests or responses via the HTTP-Redirect binding, which is
     generally used only for logout messages within the SP itself.
     Removing support for that binding in favor of HTTP-POST in any
     published metadata is an option of course.
 .
     Full advisory:
     https://shibboleth.net/community/advisories/secadv_20250313.txt
 .
     Thanks to Scott Cantor (Closes: #1100464)
Checksums-Sha1:
 4f8eff6af690f607fdee86967bb088b4628dfee2 42688 libsaml-dev_3.2.1-3+deb12u1_amd64.deb
 9cbddb021bbe18fcbd5a7dcc22dc65166b539b73 10155456 libsaml12-dbgsym_3.2.1-3+deb12u1_amd64.deb
 0862f750be0c8429ba3f94d17c9d1d5ed1483ed6 947540 libsaml12_3.2.1-3+deb12u1_amd64.deb
 75d6d69ffa28234c26328dacf291be25111183b8 222900 opensaml-tools-dbgsym_3.2.1-3+deb12u1_amd64.deb
 d61f50e4235ed2da4afdc359b5ad6af465491567 25464 opensaml-tools_3.2.1-3+deb12u1_amd64.deb
 72868d9c95f7091c9c48d5ab65005a395bf939d8 8639 opensaml_3.2.1-3+deb12u1_amd64-buildd.buildinfo
Checksums-Sha256:
 884614e6b40e42d30162fa7d385af7d29f85b1dda21b22a07815dfe5ce44845d 42688 libsaml-dev_3.2.1-3+deb12u1_amd64.deb
 889f3ddc05a143ee1c70ef67c3dade3466c3790048b0120a8410d954d4d0b3bd 10155456 libsaml12-dbgsym_3.2.1-3+deb12u1_amd64.deb
 9cad49f95f7f8401d2106168fc2d7801cd6e4c436c530acb7b1af2b6c2ee76b3 947540 libsaml12_3.2.1-3+deb12u1_amd64.deb
 1a60ee12fa8144c762701bf4b9c1e82116b885bfa68945142648ce74bc000691 222900 opensaml-tools-dbgsym_3.2.1-3+deb12u1_amd64.deb
 50153bd6aa0bf5af3db913f6c34dcd14a3840863983f85b4f1beeb4dad72c658 25464 opensaml-tools_3.2.1-3+deb12u1_amd64.deb
 9384006543421bfb260fd00e480a621c4c654b25fe1f63a2fbde9a4e96651c2a 8639 opensaml_3.2.1-3+deb12u1_amd64-buildd.buildinfo
Files:
 f2ce93ab9085e5761773f01174937f98 42688 libdevel optional libsaml-dev_3.2.1-3+deb12u1_amd64.deb
 a313b5c5a519dc2fa1363f001a953863 10155456 debug optional libsaml12-dbgsym_3.2.1-3+deb12u1_amd64.deb
 ef93a6db2da6f1bcf46ae9f7748dc8ef 947540 libs optional libsaml12_3.2.1-3+deb12u1_amd64.deb
 1548a2e4ea251bd3febfd466bb16076a 222900 debug optional opensaml-tools-dbgsym_3.2.1-3+deb12u1_amd64.deb
 5a1644b43b61debb3a572aca50a7c357 25464 text optional opensaml-tools_3.2.1-3+deb12u1_amd64.deb
 7dee97b1949095ba5b4ec22973b09991 8639 libs optional opensaml_3.2.1-3+deb12u1_amd64-buildd.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEGBeuno8wiDXCewDuqqLQG5ksqMMFAmfUsMoACgkQqqLQG5ks
qMMtERAAsQlb68Nrun+xGEXwrpwLnz889/wcHJT5zeSDYCS1IMXLQ2MkxwJm06Vc
veXsF8a/e+sKQXR10byPpDKAk94xSsmsxE/MwQLuoQWq4sM4J3EYMK/HUFqSWRhD
pXq2TBD+NEz5/odt7EM/fZ4peUjIDBqmsiRniEF9dS91iYTppEaXcYqwzwKJYsDX
j+heU0xBbUUZ6VvjRkNtIzOk/AKP4HGJ34DKtcXhI0S+R1ghTlUTtj6nOcA4mgey
YwvRaEeAggxdn+UHuZIMw0TxQeI6HVxLuzyvq2KqyD63IaovHpUkZu6NzDCvBZxF
2bzbHHGEapd1Yb8+k6/GS3UYU170cBwWxp9RPT+OmQiyPtpLH3jFgSPUpNaAV8PD
GPMqxLygkNnQq+d98RXqPqB2sEP2O9C3m/jntsjKCLnlLvHgcheSpk0kP87jPzCF
YS/6S507Rvw6+K0YGwU7tt6ppc8N0wSZPNiN8n+CzSvk9wpvO73VvulNwyVN/hdH
0AbyFjhInI3eYWVm4oWdccrXZ/4NRQQHV67spkeq+BcL49iWE6XANuXqZPcvAxav
sC6JA8DU8tKne5Oc55ia6kedl2r9mKUs5kAQx3NTvivmcQ4iRCvUrK163ZIK06AL
lUN7loL60Axby4zYnwlZa1+sxnktwh9OLcuAeKbCaJwB5fCdkyk=
=w1mg
-----END PGP SIGNATURE-----