-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 14 Mar 2025 21:47:50 +0100
Source: opensaml
Binary: libsaml-dev libsaml12 libsaml12-dbgsym opensaml-tools opensaml-tools-dbgsym
Architecture: armel
Version: 3.2.1-3+deb12u1
Distribution: bookworm-security
Urgency: high
Maintainer: arm Build Daemon (arm-conova-02)
Changed-By: Ferenc Wágner
Description:
 libsaml-dev - Security Assertion Markup Language library (development)
 libsaml12  - Security Assertion Markup Language library (runtime)
 opensaml-tools - Security Assertion Markup Language command-line tools
Closes: 1100464
Changes:
 opensaml (3.2.1-3+deb12u1) bookworm-security; urgency=high
 .
   * [b3e86fd] New patch: CPPOST-126 - Simple signature verification fails to
     detect parameter smuggling.
     Security fix cherry-picked from v3.3.1 (upstream commit
     22a610b322e2178abd03e97cdbc8fb50b45efaee).
 .
     Parameter manipulation allows the forging of signed SAML messages
     =================================================================
 .
     A number of vulnerabilities in the OpenSAML library used by the
     Shibboleth Service Provider allowed for creative manipulation of
     parameters combined with reuse of the contents of older requests to
     fool the library's signature verification of non-XML based signed
     messages.
 .
     Most uses of that feature involve very low or low impact use cases
     without critical security implications; however, there are two
     scenarios that are much more critical, one affecting the SP and one
     affecting some implementers who have implemented their own code on top
     of our OpenSAML library and done so improperly.
 .
     The SP's support for the HTTP-POST-SimpleSign SAML binding for Single
     Sign-On responses is its critical vulnerability, and it is enabled by
     default (regardless of what one's published SAML metadata may
     advertise).
 .
     The other critical case involves a mistake that does *not* impact the
     Shibboleth SP, allowing SSO to occur over the HTTP-Redirect binding
     contrary to the plain language of the SAML Browser SSO profile. The SP
     does not support this, but other implementers may have done so.
 .
     Contrary to the initial publication of this advisory, there is no
     workaround within the SP configuration other than to remove the
     "SimpleSigning" security policy rule from the security-policy.xml file
     entirely. That will also prevent support of legitimate signed requests
     or responses via the HTTP-Redirect binding, which is generally used
     only for logout messages within the SP itself. Removing support for
     that binding in favor of HTTP-POST in any published metadata is an
     option of course.
 .
     Full advisory: https://shibboleth.net/community/advisories/secadv_20250313.txt
 .
     Thanks to Scott Cantor (Closes: #1100464)
Checksums-Sha1:
 94850223ec22ce08d410268d9efbe38955b943ba 42680 libsaml-dev_3.2.1-3+deb12u1_armel.deb
 7931fc93bc46b2e47ba181d063fe4b5e8b95569e 10317624 libsaml12-dbgsym_3.2.1-3+deb12u1_armel.deb
 e5ffce450275e65b52f74a34a788a99b6cbab236 769256 libsaml12_3.2.1-3+deb12u1_armel.deb
 5890feff7c3263e5518651eb8f172ee6ff66a58a 222816 opensaml-tools-dbgsym_3.2.1-3+deb12u1_armel.deb
 9f431727066b34aea810f5b5e1a953a15a6ccb35 22384 opensaml-tools_3.2.1-3+deb12u1_armel.deb
 cb2df6790ff530543f916de6c84c92ced499058f 8512 opensaml_3.2.1-3+deb12u1_armel-buildd.buildinfo
Checksums-Sha256:
 232d174590ad8f17f46252179ddc08fb4878ed835d4ac6572d9e8c9f51eb0812 42680 libsaml-dev_3.2.1-3+deb12u1_armel.deb
 d79b103d5c5d9aad208dc0ca060caca36428c44d339aee9f79f94caad976cc74 10317624 libsaml12-dbgsym_3.2.1-3+deb12u1_armel.deb
 fd3f3b887cad0c11a51a6a1fef20aadcc79e0f6eff3f3c291a0232d5ef5c249c 769256 libsaml12_3.2.1-3+deb12u1_armel.deb
 0e74c2b31e80225b9351fa97b083cc35dd499a0bb4cae233089346d7f322d685 222816 opensaml-tools-dbgsym_3.2.1-3+deb12u1_armel.deb
 4a2c5c7d85931f825aca106825016b5adddeb2ba638a3835a9e6d72eb7bbb74c 22384 opensaml-tools_3.2.1-3+deb12u1_armel.deb
 ffb7c55b89194ded04276a88af60e8463eadcb0fab2c8ebb15dfd0b1d2ed0089 8512 opensaml_3.2.1-3+deb12u1_armel-buildd.buildinfo
Files:
 097eca6402a593a6447428deea15f3b2 42680 libdevel optional libsaml-dev_3.2.1-3+deb12u1_armel.deb
 34dfd0ee54048ab9dad9ed7e56830f98 10317624 debug optional libsaml12-dbgsym_3.2.1-3+deb12u1_armel.deb
 86e89ea466a766b5b65656748fa4a6d5 769256 libs optional libsaml12_3.2.1-3+deb12u1_armel.deb
 15489228ac86f5661cb9ad6368cb0dec 222816 debug optional opensaml-tools-dbgsym_3.2.1-3+deb12u1_armel.deb
 a85417b7b7162b853f65b188d01ce3ba 22384 text optional opensaml-tools_3.2.1-3+deb12u1_armel.deb
 eb8e3fde5b878a735784f9bb1beb3a31 8512 libs optional opensaml_3.2.1-3+deb12u1_armel-buildd.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEKAzExpjGvTI78ZO8LARVyvnD3xkFAmfUsV0ACgkQLARVyvnD
3xm1ghAA0eGA02AH1GYhtWPohMzWap07H7Ji+Ix7pl1jhqc3qJSFsaMR3uQnmg0r
tO0/0nx+LhNEYdcH9GZGaqMsrIjd3dYNTLclvTBGNvGd4kLSTc7Mit7vERpkOpft
nlSKTLALPfF8LPVCtYuTxUM+it8VGyDVmmMF+NpcAGzKuS/jwOpBxRboh3nQL1JN
vOOumyyDxh9n7P6w5Y4nVjD1i9I5CIVW3784jZZ2Xw56PLtQ23NXfo13dnHMEg+k
c4rptpOIAHecWt+HfTW1EaVJvWG11ykd4xuSXZNnRF+iNhNK+lvughDGa3Lfv+lP
bdkmHicONYmVJ8dLIaO3VASvU0McBErqj2Dff3UOBp15d2ME3ZkQWn98iozGlE5O
Bmclugld85mlf2A4xPxmsG0sCEIl2dLV5kgxZpOzIXOmR/8P5SdJXBCdmQc0lNww
8UE99Pp3NfCzhSJ8xZRW4ES6HjW2Wc/BYv8HXO6kp5M771GsS43gv84Am54WgOSq
F+/pgHyy1uRtqoA3xK5KyBGx2P6HnOJofQwpvpK8kDN6HyzJfrFZQsJ5R/2JKz7E
oyGY6/24onNcPTWa9nwKCUt3PoQIBp+xwJ45BbrhIX+gwuLhn8WVuSKJNOzsmI+8
hsVlB08GYkUKoNer0anLSd4cdgYKP7gntMrylsVsv5KalGjoRGM=
=jLO+
-----END PGP SIGNATURE-----