-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Fri, 14 Mar 2025 21:47:50 +0100 Source: opensaml Binary: libsaml-dev libsaml12 libsaml12-dbgsym opensaml-tools opensaml-tools-dbgsym Architecture: armhf Version: 3.2.1-3+deb12u1 Distribution: bookworm-security Urgency: high Maintainer: arm Build Daemon (arm-ubc-04) Changed-By: Ferenc Wágner Description: libsaml-dev - Security Assertion Markup Language library (development) libsaml12 - Security Assertion Markup Language library (runtime) opensaml-tools - Security Assertion Markup Language command-line tools Closes: 1100464 Changes: opensaml (3.2.1-3+deb12u1) bookworm-security; urgency=high . * [b3e86fd] New patch: CPPOST-126 - Simple signature verification fails to detect parameter smuggling. Security fix cherry-picked from v3.3.1 (upstream commit 22a610b322e2178abd03e97cdbc8fb50b45efaee). Parameter manipulation allows the forging of signed SAML messages ================================================================= A number of vulnerabilities in the OpenSAML library used by the Shibboleth Service Provider allowed for creative manipulation of parameters combined with reuse of the contents of older requests to fool the library's signature verification of non-XML based signed messages. Most uses of that feature involve very low or low impact use cases without critical security implications; however, there are two scenarios that are much more critical, one affecting the SP and one affecting some implementers who have implemented their own code on top of our OpenSAML library and done so improperly. The SP's support for the HTTP-POST-SimpleSign SAML binding for Single Sign-On responses is its critical vulnerability, and it is enabled by default (regardless of what one's published SAML metadata may advertise). The other critical case involves a mistake that does *not* impact the Shibboleth SP, allowing SSO to occur over the HTTP-Redirect binding contrary to the plain language of the SAML Browser SSO profile. The SP does not support this, but other implementers may have done so. Contrary to the initial publication of this advisory, there is no workaround within the SP configuration other than to remove the "SimpleSigning" security policy rule from the security-policy.xml file entirely. That will also prevent support of legitimate signed requests or responses via the HTTP-Redirect binding, which is generally used only for logout messages within the SP itself. Removing support for that binding in favor of HTTP-POST in any published metadata is an option of course. Full advisory: https://shibboleth.net/community/advisories/secadv_20250313.txt Thanks to Scott Cantor (Closes: #1100464) Checksums-Sha1: 40d7ac231cee37b86816ccae56256e5d6347f801 42672 libsaml-dev_3.2.1-3+deb12u1_armhf.deb 57eae906a308c681f8309f7723a520865e239115 10325244 libsaml12-dbgsym_3.2.1-3+deb12u1_armhf.deb e940fbaebc6b1830e2bd7caabffec3196f39a8c2 785084 libsaml12_3.2.1-3+deb12u1_armhf.deb e3f343ad0252e7f8950f4b29ba780a116cc50ba6 223024 opensaml-tools-dbgsym_3.2.1-3+deb12u1_armhf.deb 5ac411c0ad9ba649d3e4c21a90138847cad68297 22584 opensaml-tools_3.2.1-3+deb12u1_armhf.deb 28b8cd8926a267b94d0ff3d155223e42922fdb78 8514 opensaml_3.2.1-3+deb12u1_armhf-buildd.buildinfo Checksums-Sha256: 686131219126734b2cb4064d08539ea4de4df92c534a5bd2754c28e93781055d 42672 libsaml-dev_3.2.1-3+deb12u1_armhf.deb 73481d0774d2905eb5f1f81665e53fedd68c0ca85d79774a991251c77726b654 10325244 libsaml12-dbgsym_3.2.1-3+deb12u1_armhf.deb b9cafcbf44ca8f1f9d5f6f65a666ff2da60bbc97d1903a9f90ab51128328443a 785084 libsaml12_3.2.1-3+deb12u1_armhf.deb cf6a70b1acffb6f199d099f78c74ea0bc21e5420d1b67fbccd7e177e219c705c 223024 opensaml-tools-dbgsym_3.2.1-3+deb12u1_armhf.deb 77500ea787157454decd01abb2faed64ec19b26219349bb8e25ad315a329d016 22584 opensaml-tools_3.2.1-3+deb12u1_armhf.deb 297065cfb5d285f6bf6f04f4db87ebec0394821d852ed62cdc8ceabb8e24db47 8514 opensaml_3.2.1-3+deb12u1_armhf-buildd.buildinfo Files: df10afb2cd77c3eb27c82be6431e7fcd 42672 libdevel optional libsaml-dev_3.2.1-3+deb12u1_armhf.deb b9f9d937ce4aa671e324f3b39087b3a9 10325244 debug optional libsaml12-dbgsym_3.2.1-3+deb12u1_armhf.deb a823905aab51ace7beecb4d4a166d1e3 785084 libs optional libsaml12_3.2.1-3+deb12u1_armhf.deb b9bca397cacfd08107727613f5abfa04 223024 debug optional opensaml-tools-dbgsym_3.2.1-3+deb12u1_armhf.deb 9538da4586de261942f1d9f6fbbfeb47 22584 text optional opensaml-tools_3.2.1-3+deb12u1_armhf.deb dd71272aab566cf0943cf435c87261bf 8514 libs optional opensaml_3.2.1-3+deb12u1_armhf-buildd.buildinfo -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEE6s8UzO+WAx8RRAOV80lOEvgzuSsFAmfUsy8ACgkQ80lOEvgz uSt9uhAAhAkd6Sh/dYKX9cgfOyYl7+TNjecVbmQc1mUYgWs2pxrVc5u+0Fup+yFs d7c2VxbR2/YEY2uMMOm6h9MNqYHkwlr/qCFlbuWO0XeDRITYHioqE9WPdOibo0hZ 0mpG9nxDz1LnPRPdkJZ3Aw3ccR91iltOxY37CEKCjAK/B5ibyFC2JiDcmNjYNrk+ 0vi49Z+LUBmemUnYrYH/lXwC4e8R5Ua4p896MxNUWRcHpHFBj38SE2WMBneZNwSz mQRS7UZaKAwUShXjMAmzNTVFoCCCUE8L8oAlLPEhI2nIhlfUBUILHnEJkTFc45X8 J7HPkJ4oi/zpoJyub0Dpc38xmayksyObU2loO6L3aFyfZHG4OEl2WFnK1Dmh5GSh zD2gN+TQBGfP37A9lQIy9dJXmOpAipV4Nuu8pjnMvE7CtZVJ1AAETxk+vFihh6/F pH6MiLsgwQlq9CGr8XVsmyVgHRfSAZN7LONFFpSeE9RFSlGt/lhXsXWmKylFopSd WyKsRaECELfm6Q5oZeV3ytpY7OfCtwuLE2YTA8vb96UuURNj8XTMxMeHj1aBT7S9 K6Y9ZGGlrGFyHSnsAiwUsk94GHkx/SZXnw/dEugln/MWr7VkEPM3md6WcutxVWAk k7tWt8Hr5H1+lDTuoQy9dRO15rwui1htkYN/Efrj5GrqMnhEvi0= =sz0C -----END PGP SIGNATURE-----