-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 14 Mar 2025 21:47:50 +0100
Source: opensaml
Binary: libsaml-dev libsaml12 libsaml12-dbgsym opensaml-tools opensaml-tools-dbgsym
Architecture: mips64el
Version: 3.2.1-3+deb12u1
Distribution: bookworm-security
Urgency: high
Maintainer: mipsel Build Daemon (mipsel-osuosl-03)
Changed-By: Ferenc Wágner
Description:
 libsaml-dev - Security Assertion Markup Language library (development)
 libsaml12  - Security Assertion Markup Language library (runtime)
 opensaml-tools - Security Assertion Markup Language command-line tools
Closes: 1100464
Changes:
 opensaml (3.2.1-3+deb12u1) bookworm-security; urgency=high
 .
   * [b3e86fd] New patch: CPPOST-126 - Simple signature verification fails to
     detect parameter smuggling.
     Security fix cherry-picked from v3.3.1 (upstream commit
     22a610b322e2178abd03e97cdbc8fb50b45efaee).
 .
     Parameter manipulation allows the forging of signed SAML messages
     =================================================================
 .
     A number of vulnerabilities in the OpenSAML library used by the
     Shibboleth Service Provider allowed for creative manipulation of
     parameters combined with reuse of the contents of older requests to
     fool the library's signature verification of non-XML based signed
     messages.
 .
     Most uses of that feature involve very low or low impact use cases
     without critical security implications; however, there are two
     scenarios that are much more critical, one affecting the SP and one
     affecting some implementers who have implemented their own code on
     top of our OpenSAML library and done so improperly.
 .
     The SP's support for the HTTP-POST-SimpleSign SAML binding for Single
     Sign-On responses is its critical vulnerability, and it is enabled by
     default (regardless of what one's published SAML metadata may
     advertise).
 .
     The other critical case involves a mistake that does *not* impact the
     Shibboleth SP, allowing SSO to occur over the HTTP-Redirect binding
     contrary to the plain language of the SAML Browser SSO profile. The
     SP does not support this, but other implementers may have done so.
 .
     Contrary to the initial publication of this advisory, there is no
     workaround within the SP configuration other than to remove the
     "SimpleSigning" security policy rule from the security-policy.xml
     file entirely. That will also prevent support of legitimate signed
     requests or responses via the HTTP-Redirect binding, which is
     generally used only for logout messages within the SP itself.
     Removing support for that binding in favor of HTTP-POST in any
     published metadata is an option of course.
 .
     Full advisory:
     https://shibboleth.net/community/advisories/secadv_20250313.txt
 .
     Thanks to Scott Cantor (Closes: #1100464)
Checksums-Sha1:
 a31de20f9f4eb781e4e8bdf1b1fdd315c9a48e92 42688 libsaml-dev_3.2.1-3+deb12u1_mips64el.deb
 85d1d51c2b4b06a8e00ca231d75db57175a0070d 10126548 libsaml12-dbgsym_3.2.1-3+deb12u1_mips64el.deb
 e60fcfa5fe972b08cf1d1b866ce6ea21f33a0247 792772 libsaml12_3.2.1-3+deb12u1_mips64el.deb
 a131de665b507e34b5830f3f1a44db64e89e6ad4 222920 opensaml-tools-dbgsym_3.2.1-3+deb12u1_mips64el.deb
 e12d0d4c82c7bef314a47b2a4554447dc2d157a2 24208 opensaml-tools_3.2.1-3+deb12u1_mips64el.deb
 b2a77d44136fc5ea45dc7a107bd6ef4584fca213 8518 opensaml_3.2.1-3+deb12u1_mips64el-buildd.buildinfo
Checksums-Sha256:
 010dd3ab1c366b5bc93931ab2b1fcabff4c0d7911d5d5f2ca591b7b0d98d4f00 42688 libsaml-dev_3.2.1-3+deb12u1_mips64el.deb
 a2a7debcc13445c96fee8fdaf24c3bc660961d457b98a288ebfff4f2f5cd0b33 10126548 libsaml12-dbgsym_3.2.1-3+deb12u1_mips64el.deb
 9ff5b8a9c584ea26f2d45ba8e49e66ece654eee5019cdbece074317a69bf5b1e 792772 libsaml12_3.2.1-3+deb12u1_mips64el.deb
 f0f102d907b40fab679b73a079b7207bf385e99ef69da51c22bb70d26683f51f 222920 opensaml-tools-dbgsym_3.2.1-3+deb12u1_mips64el.deb
 d13177e91ce8f9ecf2eeaa3b37afa6c85d1c9547dbab5ad64d228da8bf70bfaf 24208 opensaml-tools_3.2.1-3+deb12u1_mips64el.deb
 fbaca0f8fcccd9ab97f8556404d877855a95d9ff9bea6ee430495691a2298854 8518 opensaml_3.2.1-3+deb12u1_mips64el-buildd.buildinfo
Files:
 bb3b3f4806679d77daf09716d9b772f7 42688 libdevel optional libsaml-dev_3.2.1-3+deb12u1_mips64el.deb
 28ae9e4f2e0908e71ed25800377870e0 10126548 debug optional libsaml12-dbgsym_3.2.1-3+deb12u1_mips64el.deb
 e7014348d73c5c9673e492fd95a08d67 792772 libs optional libsaml12_3.2.1-3+deb12u1_mips64el.deb
 10920b616d8020e5edfba47ea2013f88 222920 debug optional opensaml-tools-dbgsym_3.2.1-3+deb12u1_mips64el.deb
 5af28acd1011ffaaf39e02074c768a09 24208 text optional opensaml-tools_3.2.1-3+deb12u1_mips64el.deb
 69f239fc89e4ad357148faec59200e20 8518 libs optional opensaml_3.2.1-3+deb12u1_mips64el-buildd.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEesE3YcWKZXIkRPMemf85J+x5/aoFAmfUvQMACgkQmf85J+x5
/aquCg/+PbzUwWYG9Mmet5RKvVQqr3+xhRtr9GjFhjjW6+CMhdgA4/9Mu07wDZIr
uTRx+t5RZzxd0Pd41fRW/hz1QKx4mZ0nN6PK1DGEhZnvZxA+smWNl/6fyMJxNU7s
yDq06QETga/AngBKKrGZbCELUBOF7B7IiNeR/gYzPBn2W1tKA4wKmr/h9RldPKWW
fxQg5U1Zt5c9pSlkFWXkWdYOanwj5crqy0rU0Xf7rRcGsfB1zXGXzlmxRQE3jvev
ZJT6Ei9ZkWa4SWffAje64j9Ki76awrrltW8ATlZOVsdwB7MewXN3VL4GZobQCKxD
FL8bd9/PYzA3laOt3FEBSWskM/RtyP/hc/i4ORlJNbTaKVGckU6tUpcDGyzIyKCq
GqpUWsqk31C5+W6JdGQIWgN4g6oe4oMCSeD/glsaIYpADWnjWBwv4MU6X5kZfCUU
R7Hue13t8I7xBrf0a1i5EtkUyY45MuVBqrzoers341YJ1N87vzi84yMn92LhDn1T
RxTw92bU+SuZGFaiVpDtKqQ7Y5VZP/sAHmIQRusfXHWQ17BQUnIot/Qb2UhaBbp2
wua0NsUcvCZ2RIdeqqOOreNM8/rtaTIsVKgvQrrAcCcfQKdUnyqZY/e39cpBCJpa
EfxPruDsTN+pyrJDTAQN9EU9jhbArEDMNbOZAasELa1DyNftzTg=
=iTqN
-----END PGP SIGNATURE-----