-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 14 Mar 2025 21:47:50 +0100
Source: opensaml
Binary: libsaml-dev libsaml12 libsaml12-dbgsym opensaml-tools opensaml-tools-dbgsym
Architecture: i386
Version: 3.2.1-3+deb12u1
Distribution: bookworm-security
Urgency: high
Maintainer: i386 Build Daemon (x86-grnet-01)
Changed-By: Ferenc Wágner
Description:
 libsaml-dev - Security Assertion Markup Language library (development)
 libsaml12  - Security Assertion Markup Language library (runtime)
 opensaml-tools - Security Assertion Markup Language command-line tools
Closes: 1100464
Changes:
 opensaml (3.2.1-3+deb12u1) bookworm-security; urgency=high
 .
   * [b3e86fd] New patch: CPPOST-126 - Simple signature verification fails to
     detect parameter smuggling.
     Security fix cherry-picked from v3.3.1 (upstream commit
     22a610b322e2178abd03e97cdbc8fb50b45efaee).
 .
     Parameter manipulation allows the forging of signed SAML messages
     =================================================================
 .
     A number of vulnerabilities in the OpenSAML library used by the
     Shibboleth Service Provider allowed for creative manipulation of
     parameters combined with reuse of the contents of older requests to
     fool the library's signature verification of non-XML based signed
     messages.
 .
     Most uses of that feature involve very low or low impact use cases
     without critical security implications; however, there are two
     scenarios that are much more critical, one affecting the SP and one
     affecting some implementers who have implemented their own code on
     top of our OpenSAML library and done so improperly.
 .
     The SP's support for the HTTP-POST-SimpleSign SAML binding for Single
     Sign-On responses is its critical vulnerability, and it is enabled by
     default (regardless of what one's published SAML metadata may
     advertise).
 .
     The other critical case involves a mistake that does *not* impact the
     Shibboleth SP, allowing SSO to occur over the HTTP-Redirect binding
     contrary to the plain language of the SAML Browser SSO profile. The SP
     does not support this, but other implementers may have done so.
 .
     Contrary to the initial publication of this advisory, there is no
     workaround within the SP configuration other than to remove the
     "SimpleSigning" security policy rule from the security-policy.xml file
     entirely. That will also prevent support of legitimate signed requests
     or responses via the HTTP-Redirect binding, which is generally used
     only for logout messages within the SP itself. Removing support for
     that binding in favor of HTTP-POST in any published metadata is an
     option of course.
 .
     Full advisory:
     https://shibboleth.net/community/advisories/secadv_20250313.txt
 .
     Thanks to Scott Cantor (Closes: #1100464)
Checksums-Sha1:
 29f4e0957881f2b0428b6ec9c5fc3a97eecfc7be 42676 libsaml-dev_3.2.1-3+deb12u1_i386.deb
 272b0cf171af32b512bc170c69f73a2af869a391 9737972 libsaml12-dbgsym_3.2.1-3+deb12u1_i386.deb
 961f07bd77701302315765715e4f8351280c2455 925036 libsaml12_3.2.1-3+deb12u1_i386.deb
 0a593b16dcc89ba4a5267cb2e6ca4d43c9d79361 216020 opensaml-tools-dbgsym_3.2.1-3+deb12u1_i386.deb
 3f0aec3be4020431c58da88c8a8f2363fb1cc067 26040 opensaml-tools_3.2.1-3+deb12u1_i386.deb
 4bf90ec0228bcea5fa721731666c593a41b7cf79 8583 opensaml_3.2.1-3+deb12u1_i386-buildd.buildinfo
Checksums-Sha256:
 a94b394992fd43b2bd08e948cb8950078a0a468c933bc4a9c91a2df81d658211 42676 libsaml-dev_3.2.1-3+deb12u1_i386.deb
 5ab19907abb68a359105d33643f2fb70dc978093e66cbf77698fad485f5441b8 9737972 libsaml12-dbgsym_3.2.1-3+deb12u1_i386.deb
 4dde02ed1f30eb90a120cd176c6d8b460cecffd863a99866dc59882930368e23 925036 libsaml12_3.2.1-3+deb12u1_i386.deb
 25c2300725be7c7c012e02251e9e8654e44d3b409e74d6bb4ad11f4a8e42510b 216020 opensaml-tools-dbgsym_3.2.1-3+deb12u1_i386.deb
 18f2d9b162966a5176d25e4889cd915ea3f4537d23f19edcc8b17a712bf471d3 26040 opensaml-tools_3.2.1-3+deb12u1_i386.deb
 efd8880cf78547c698755ffb6b5551fb1a4a3577382837cc32fb379b6212d15e 8583 opensaml_3.2.1-3+deb12u1_i386-buildd.buildinfo
Files:
 5ea49b937b5d80404022925e5686770b 42676 libdevel optional libsaml-dev_3.2.1-3+deb12u1_i386.deb
 42f65cf12beb516eda22cfef220669ca 9737972 debug optional libsaml12-dbgsym_3.2.1-3+deb12u1_i386.deb
 c62c8a75b12c09fb38347c2072c60439 925036 libs optional libsaml12_3.2.1-3+deb12u1_i386.deb
 3536d4d2a14e48e41e2366bfb987f0e9 216020 debug optional opensaml-tools-dbgsym_3.2.1-3+deb12u1_i386.deb
 9dd28c55988aad78e5263327844df445 26040 text optional opensaml-tools_3.2.1-3+deb12u1_i386.deb
 f0aae8f83eb0e683193f4beab957a514 8583 libs optional opensaml_3.2.1-3+deb12u1_i386-buildd.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEyTfXx8sBpQ0Lh3cUU9a0/LcaTpMFAmfUsQIACgkQU9a0/Lca
TpMf4Q/7BX+YVsAm4N0IyKyNdayyzexAMxi+rbiG4t1C3fxeK+rO71cJWCk2NuEJ
yZE5tC+gJlLM5SEBv9loqrlmnaHTugJVyNZ/PYaNfFowRD1j6O6B3dh7z/clbLh+
+um19DpND8eJ3VsBsNfVUDssHJL+W/yVC42pqDN7c9Et3CsAb2G5PN/+N96rxRPF
XYVhvHxgtxSGTe3j4pG8WkbHN15dfVPx8/Ianrd8KaE0YcNo5ANKPRoWQkmdgIwq
l1YgJ3spMyCbRxpVgTGInaEY8yBmVaP5zY0qzBBjxDvZvdMuUMBh8epa60VNbBt1
IENi++SAul8DY5N+WXqaV2itv29EbDsZitl2SPMhKlzsyoEnUf5ak9pV2R9VSS1h
Wspt13uFci3cJEW7iQtgafXt+Cq76TDLSEdIn6v9UcaCWVjIA4xLmlv0n50BT+8d
wbssLGUpufugU3Besj6+s0q/eK/EXURGQcVVoaIdumRF5WqoADiFFmtJXQjAXO4L
pJtUxaP+Hl9wosMTH1r87emdH+AjTxyq9hqzQfZuvLRe509g3xnrDMN+Ko82a1NB
kwHra49K0LVu6t57iZ31iZcu4R4AMz07hxTL9f630SQnxN1CX01xC2bzuDP4x1Ef
1sGKh88lmmuD479h4e64dGoINCelz4KvKHGCEhEAsPj3vBKc4xY=
=PQ2R
-----END PGP SIGNATURE-----