Format: 1.8
Date: Fri, 14 Mar 2025 21:47:50 +0100
Source: opensaml
Binary: libsaml-dev libsaml12 libsaml12-dbgsym opensaml-tools opensaml-tools-dbgsym
Architecture: ppc64el
Version: 3.2.1-3+deb12u1
Distribution: bookworm-security
Urgency: high
Maintainer: ppc64el Build Daemon (ppc64el-conova-01)
Changed-By: Ferenc Wágner
Description:
 libsaml-dev - Security Assertion Markup Language library (development)
 libsaml12 - Security Assertion Markup Language library (runtime)
 opensaml-tools - Security Assertion Markup Language command-line tools
Closes: 1100464
Changes:
 opensaml (3.2.1-3+deb12u1) bookworm-security; urgency=high
 .
   * [b3e86fd] New patch: CPPOST-126 - Simple signature verification fails to
     detect parameter smuggling.
     Security fix cherry-picked from v3.3.1 (upstream commit
     22a610b322e2178abd03e97cdbc8fb50b45efaee).
 .
     Parameter manipulation allows the forging of signed SAML messages
     =================================================================
 .
     A number of vulnerabilities in the OpenSAML library used by the Shibboleth
     Service Provider allowed for creative manipulation of parameters combined
     with reuse of the contents of older requests to fool the library's
     signature verification of non-XML based signed messages. Most uses of that
     feature involve very low or low impact use cases without critical security
     implications; however, there are two scenarios that are much more
     critical, one affecting the SP and one affecting some implementers who
     have implemented their own code on top of our OpenSAML library and done so
     improperly. The SP's support for the HTTP-POST-SimpleSign SAML binding for
     Single Sign-On responses is its critical vulnerability, and it is enabled
     by default (regardless of what one's published SAML metadata may
     advertise).
 .
     The other critical case involves a mistake that does *not* impact the
     Shibboleth SP, allowing SSO to occur over the HTTP-Redirect binding
     contrary to the plain language of the SAML Browser SSO profile. The SP
     does not support this, but other implementers may have done so.
 .
     Contrary to the initial publication of this advisory, there is no
     workaround within the SP configuration other than to remove the
     "SimpleSigning" security policy rule from the security-policy.xml file
     entirely. That will also prevent support of legitimate signed requests or
     responses via the HTTP-Redirect binding, which is generally used only for
     logout messages within the SP itself. Removing support for that binding in
     favor of HTTP-POST in any published metadata is an option of course.
 .
     Full advisory: https://shibboleth.net/community/advisories/secadv_20250313.txt
 .
     Thanks to Scott Cantor (Closes: #1100464)