-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 14 Mar 2025 21:47:50 +0100
Source: opensaml
Binary: libsaml-dev libsaml12 libsaml12-dbgsym opensaml-tools opensaml-tools-dbgsym
Architecture: arm64
Version: 3.2.1-3+deb12u1
Distribution: bookworm-security
Urgency: high
Maintainer: arm Build Daemon (arm-conova-03)
Changed-By: Ferenc Wágner
Description:
 libsaml-dev - Security Assertion Markup Language library (development)
 libsaml12  - Security Assertion Markup Language library (runtime)
 opensaml-tools - Security Assertion Markup Language command-line tools
Closes: 1100464
Changes:
 opensaml (3.2.1-3+deb12u1) bookworm-security; urgency=high
 .
   * [b3e86fd] New patch: CPPOST-126 - Simple signature verification fails to
     detect parameter smuggling. Security fix cherry-picked from v3.3.1
     (upstream commit 22a610b322e2178abd03e97cdbc8fb50b45efaee).
 .
     Parameter manipulation allows the forging of signed SAML messages
     =================================================================
 .
     A number of vulnerabilities in the OpenSAML library used by the Shibboleth
     Service Provider allowed for creative manipulation of parameters combined
     with reuse of the contents of older requests to fool the library's
     signature verification of non-XML based signed messages.
 .
     Most uses of that feature involve very low or low impact use cases without
     critical security implications; however, there are two scenarios that are
     much more critical, one affecting the SP and one affecting some
     implementers who have implemented their own code on top of our OpenSAML
     library and done so improperly.
 .
     The SP's support for the HTTP-POST-SimpleSign SAML binding for Single
     Sign-On responses is its critical vulnerability, and it is enabled by
     default (regardless of what one's published SAML metadata may advertise).
 .
     The other critical case involves a mistake that does *not* impact the
     Shibboleth SP, allowing SSO to occur over the HTTP-Redirect binding
     contrary to the plain language of the SAML Browser SSO profile. The SP
     does not support this, but other implementers may have done so.
 .
     Contrary to the initial publication of this advisory, there is no
     workaround within the SP configuration other than to remove the
     "SimpleSigning" security policy rule from the security-policy.xml file
     entirely. That will also prevent support of legitimate signed requests or
     responses via the HTTP-Redirect binding, which is generally used only for
     logout messages within the SP itself. Removing support for that binding in
     favor of HTTP-POST in any published metadata is an option of course.
 .
     Full advisory: https://shibboleth.net/community/advisories/secadv_20250313.txt
 .
     Thanks to Scott Cantor (Closes: #1100464)
Checksums-Sha1:
 34709b3c842b03e640dd9ba0cf968a706eb67f99 42680 libsaml-dev_3.2.1-3+deb12u1_arm64.deb
 60a7c051b6a3ef95c15ae35e7ba18b391e64256d 9954052 libsaml12-dbgsym_3.2.1-3+deb12u1_arm64.deb
 fcf92c20ad25a7ade6abfa5fca4283f182350018 873112 libsaml12_3.2.1-3+deb12u1_arm64.deb
 8bee43d01207c605642bd0e653e95c3862c15126 221208 opensaml-tools-dbgsym_3.2.1-3+deb12u1_arm64.deb
 1c2d81828d7d1e6fcc58fbd3d2278d46a864b2f2 23676 opensaml-tools_3.2.1-3+deb12u1_arm64.deb
 b97ce448e3adfeea6444f21b2fc10746003241a4 8635 opensaml_3.2.1-3+deb12u1_arm64-buildd.buildinfo
Checksums-Sha256:
 cf323b5d2b7d30771b3a49119f4c403484eb13542617476141411344d9a25720 42680 libsaml-dev_3.2.1-3+deb12u1_arm64.deb
 c786500f00239b985e3d267766652330ec6f3c3e5567997ab321f57124540795 9954052 libsaml12-dbgsym_3.2.1-3+deb12u1_arm64.deb
 71530075b70eba9850982d2f8158c08ceaf092bd2f8eec139f529435f7c0988f 873112 libsaml12_3.2.1-3+deb12u1_arm64.deb
 c6d53321e9da1a9515a586d316b24a1c5d7f40d1e0ea85025e301e62c1cc0a90 221208 opensaml-tools-dbgsym_3.2.1-3+deb12u1_arm64.deb
 951efb53f79b36627e099558c34d1e31b7e9185cebb23d6cb7d65a1927b54a5f 23676 opensaml-tools_3.2.1-3+deb12u1_arm64.deb
 fa7d473bf9f2368d18d744dcb16e12083322063aaafb066ed814fc13e19b36f2 8635 opensaml_3.2.1-3+deb12u1_arm64-buildd.buildinfo
Files:
 cec43d18b9c48471a9a8dee5c32ed233 42680 libdevel optional libsaml-dev_3.2.1-3+deb12u1_arm64.deb
 9d253223083f300ca4eaf6447df8405f 9954052 debug optional libsaml12-dbgsym_3.2.1-3+deb12u1_arm64.deb
 1d1fa7f671d62dbc743407c56ab129bd 873112 libs optional libsaml12_3.2.1-3+deb12u1_arm64.deb
 a9ed04f544a1e9810622e7e853b36194 221208 debug optional opensaml-tools-dbgsym_3.2.1-3+deb12u1_arm64.deb
 c103f2a16290a281c0d90c99c2c68c13 23676 text optional opensaml-tools_3.2.1-3+deb12u1_arm64.deb
 f7408a34a2157945f0d12165b9eb9696 8635 libs optional opensaml_3.2.1-3+deb12u1_arm64-buildd.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEVM4SKBZumztS8zr3lST9Us03ywsFAmfUsc8ACgkQlST9Us03
yws0uhAAysdoDDwybAKXaVBU48rTng6AvLDjq6c2hFljYPwBdaTQXRScy4HGYp3Y
JT+jrDyOBAIe3P5CzeulLW8H8UHruGbBpEpB9wUl31PXYq/iQSNhDaWXvm1sqoOa
JxAn7pEv4uw/r0o2ucUCtVOhc2jd1ZkAYZqI5H7pyDek+vhPkwjOcKjfbVwKkBjH
atSpdl8inFKG7fpmEaimYiaQOd6+zt7yIZf04M0Nob729ijlak8VoG1f7+zb2UGA
2fhbNT323VICKxEHJg/tHftSUuRC9ss2NAwZ+i40WuDqYi9OIxDbl/j2y0bKTVhF
Tjr66ahIVYsdczTOFJ8yeSRJmbdJLZMY1fP6gELATuIEZc/sYGk35RNM3fDVZ+mb
2RS+PTiWOYdGuP2CxM9XJolHDZwG3DtfD7pLJv5ZVZs4ZNU4jRK2VOf6eODAWvBK
3fYcRVT4aBmgyHxQbvvRQsiP8d4bOZ9Czl5mmYjQ50maP1tF5PAHlr8hoTsWpEaO
RCdDBp3RxxMNZagJCBllw/VMVrqDXq99sbS76+oRdPWrEyAvDBLMXRhl2XoTC1EP
urgRp19oeQHJyZayWYHbKgBbpt7Wg3KtoKp6JHQd+yNH0jyNhS70ZoKHwZgdj6hJ
Hr1XjNczSZNLazGxR6ezLnYhpZt0fh7rzsuHp4J4se4/60610Gg=
=KShG
-----END PGP SIGNATURE-----
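The changelog above describes the fixed class of bug (CPPOST-126, "parameter smuggling" against the verification of non-XML signed messages such as HTTP-POST-SimpleSign) without showing what it looks like on the wire. The following is an added, constructed illustration of that class and is not code from the .changes file, from OpenSAML or from the Shibboleth SP; it does not claim to reproduce OpenSAML's actual code path. It models the SimpleSign signed string (the decoded SAMLResponse, then RelayState if present, then SigAlg, joined with "&"), a verifier that reads the first copy of a repeated form field while the consumer reads the last copy, and a hardened verifier that rejects duplicated fields outright. The attacker reuses an older, genuinely signed body unchanged and appends a second SAMLResponse. The HMAC-SHA256 "signature" and the key are stand-ins (an assumption) for the asymmetric signature a real IdP produces; the smuggling logic does not depend on the primitive.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode

# Constructed stand-in for the IdP's signing key. A real SimpleSign signature is
# asymmetric (e.g. RSA-SHA256 under the key published in the IdP's metadata);
# HMAC-SHA256 is used here only so the example runs with the standard library.
IDP_KEY = b"constructed-idp-signing-key"
SIG_ALG = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
REQUIRED = ("SAMLResponse", "SigAlg", "Signature")


def simplesign_input(response_xml, relay_state, sig_alg):
    """Signed content for HTTP-POST-SimpleSign: the *decoded* SAMLResponse,
    then RelayState (only when present), then SigAlg, joined with '&'."""
    parts = [b"SAMLResponse=" + response_xml]
    if relay_state is not None:
        parts.append(b"RelayState=" + relay_state.encode())
    parts.append(b"SigAlg=" + sig_alg.encode())
    return b"&".join(parts)


def idp_post_body(response_xml, relay_state=None):
    """What a legitimate IdP posts: a urlencoded form body with one copy of each field."""
    sig = hmac.new(IDP_KEY, simplesign_input(response_xml, relay_state, SIG_ALG),
                   hashlib.sha256).digest()
    fields = {
        "SAMLResponse": base64.b64encode(response_xml).decode(),
        "SigAlg": SIG_ALG,
        "Signature": base64.b64encode(sig).decode(),
    }
    if relay_state is not None:
        fields["RelayState"] = relay_state
    return urlencode(fields)


def smuggle(genuine_body, forged_xml):
    """Attacker: reuse an old, genuinely signed body untouched and append a
    second SAMLResponse field carrying the forged message."""
    extra = urlencode({"SAMLResponse": base64.b64encode(forged_xml).decode()})
    return genuine_body + "&" + extra


def _signature_ok(params, i):
    """Verify the signature over the i-th copy of each parameter."""
    try:
        xml = base64.b64decode(params["SAMLResponse"][i], validate=True)
        sig = base64.b64decode(params["Signature"][i], validate=True)
    except ValueError:
        return False
    relay = params["RelayState"][i] if "RelayState" in params else None
    expected = hmac.new(IDP_KEY, simplesign_input(xml, relay, params["SigAlg"][i]),
                        hashlib.sha256).digest()
    return hmac.compare_digest(sig, expected)


def naive_sp(body):
    """Vulnerable pattern (illustrative): the body is parsed into a multimap, the
    signature is checked over the first copy of each field, and the message handed
    on is whichever copy the consuming code reads (here the last). Returns the
    decoded SAMLResponse the SP would act on, or None if rejected."""
    params = parse_qs(body, keep_blank_values=True)
    if not all(k in params for k in REQUIRED):
        return None
    if not _signature_ok(params, 0):
        return None
    return base64.b64decode(params["SAMLResponse"][-1])


def strict_sp(body):
    """Hardened pattern: any field that appears more than once is rejected before
    signature work starts, so the verified value and the consumed value are the
    same single string."""
    params = parse_qs(body, keep_blank_values=True)
    if not all(k in params for k in REQUIRED):
        return None
    if any(len(values) != 1 for values in params.values()):
        return None
    if not _signature_ok(params, 0):
        return None
    return base64.b64decode(params["SAMLResponse"][0])
```

The duplicate-field check belongs at the binding layer, before any signature logic runs, and whatever value passes verification must be the very object the rest of the SP consumes. A production verifier additionally has to confirm that the signing key is one published for the IdP in metadata and that SigAlg is an accepted algorithm; neither is modelled here.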
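After checking the clearsign signature on a .changes file (for example with gpg against the Debian keyring, or with dscverify from devscripts), the remaining check is that the downloaded binaries match the Checksums-* stanzas. The following is an added example, not part of the .changes file or of Debian's tooling: a parser for the stanza layout used above (one space of indentation, then digest, size and filename) and a verifier that compares size first and then the digest. The demo writes a placeholder file under a temporary directory and builds its own stanza from it; the file names are taken from the upload above, but the bytes are constructed and not the real packages.

```python
import hashlib
import os
import tempfile


def parse_checksums(changes_text, field="Checksums-Sha256"):
    """Parse one Checksums-* stanza of a Debian .changes file.

    The stanza is the 'Field:' line followed by continuation lines, each
    indented by one space: '<hexdigest> <size> <filename>'. It ends at the next
    unindented line (e.g. 'Files:'). Returns [(hexdigest, size, filename)].
    """
    entries = []
    in_field = False
    for line in changes_text.splitlines():
        if line.startswith(field + ":"):
            in_field = True
        elif in_field and line[:1] in (" ", "\t"):
            digest, size, name = line.split()
            entries.append((digest.lower(), int(size), name))
        else:
            in_field = False
    return entries


def verify_files(entries, directory, algo="sha256"):
    """Check the size and digest of every listed file under `directory`.

    Returns {filename: "ok" | "missing" | "size mismatch" | "digest mismatch"}.
    Size is compared first: it is cheap and catches truncated downloads before
    any hashing is done.
    """
    results = {}
    for digest, size, name in entries:
        # basename(): the stanza must never be allowed to pick a path for us.
        path = os.path.join(directory, os.path.basename(name))
        if not os.path.isfile(path):
            results[name] = "missing"
            continue
        if os.path.getsize(path) != size:
            results[name] = "size mismatch"
            continue
        h = hashlib.new(algo)
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 16), b""):
                h.update(chunk)
        results[name] = "ok" if h.hexdigest() == digest else "digest mismatch"
    return results


def demo():
    """Constructed end-to-end run: write a placeholder file, build a stanza for
    it in the real layout, verify, then tamper twice (same-length edit, then an
    appended byte) and verify again. Returns the three result dicts."""
    deb = "libsaml12_3.2.1-3+deb12u1_arm64.deb"                # name from the upload above
    info = "opensaml_3.2.1-3+deb12u1_arm64-buildd.buildinfo"    # listed but never written
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, deb)
        with open(path, "wb") as f:
            f.write(b"placeholder bytes, not the real package\n")
        with open(path, "rb") as f:
            digest = hashlib.sha256(f.read()).hexdigest()
        stanza = (
            "Checksums-Sha256:\n"
            f" {digest} {os.path.getsize(path)} {deb}\n"
            f" {'0' * 64} 8635 {info}\n"
            "Files:\n"
            f" {'0' * 32} 8635 libs optional {info}\n"
        )
        entries = parse_checksums(stanza)
        clean = verify_files(entries, d)
        with open(path, "wb") as f:                             # same length, different bytes
            f.write(b"PLACEHOLDER bytes, not the real package\n")
        edited = verify_files(entries, d)
        with open(path, "ab") as f:                             # one extra byte
            f.write(b"!")
        appended = verify_files(entries, d)
    return clean, edited, appended
```

Run the verifier only on a .changes whose signature has already been checked; the checksums are covered by that signature, so a file that fails here has been altered or truncated after the upload was signed, not merely mislisted.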