Format: 1.8
Date: Fri, 14 Mar 2025 21:47:50 +0100
Source: opensaml
Binary: libsaml-dev libsaml12 libsaml12-dbgsym opensaml-tools opensaml-tools-dbgsym
Architecture: s390x
Version: 3.2.1-3+deb12u1
Distribution: bookworm-security
Urgency: high
Maintainer: s390x Build Daemon (zandonai)
Changed-By: Ferenc Wágner
Description:
 libsaml-dev - Security Assertion Markup Language library (development)
 libsaml12  - Security Assertion Markup Language library (runtime)
 opensaml-tools - Security Assertion Markup Language command-line tools
Closes: 1100464
Changes:
 opensaml (3.2.1-3+deb12u1) bookworm-security; urgency=high
 .
   * [b3e86fd] New patch: CPPOST-126 - Simple signature verification fails to
     detect parameter smuggling. Security fix cherry-picked from v3.3.1
     (upstream commit 22a610b322e2178abd03e97cdbc8fb50b45efaee).
 .
     Parameter manipulation allows the forging of signed SAML messages
     =================================================================
 .
     A number of vulnerabilities in the OpenSAML library used by the Shibboleth
     Service Provider allowed for creative manipulation of parameters combined
     with reuse of the contents of older requests to fool the library's
     signature verification of non-XML based signed messages.
 .
     Most uses of that feature involve very low or low impact use cases without
     critical security implications; however, there are two scenarios that are
     much more critical, one affecting the SP and one affecting some
     implementers who have implemented their own code on top of our OpenSAML
     library and done so improperly.
 .
     The SP's support for the HTTP-POST-SimpleSign SAML binding for Single
     Sign-On responses is its critical vulnerability, and it is enabled by
     default (regardless of what one's published SAML metadata may advertise).
 .
     The other critical case involves a mistake that does *not* impact the
     Shibboleth SP, allowing SSO to occur over the HTTP-Redirect binding
     contrary to the plain language of the SAML Browser SSO profile. The SP
     does not support this, but other implementers may have done so.
 .
     Contrary to the initial publication of this advisory, there is no
     workaround within the SP configuration other than to remove the
     "SimpleSigning" security policy rule from the security-policy.xml file
     entirely. That will also prevent support of legitimate signed requests or
     responses via the HTTP-Redirect binding, which is generally used only for
     logout messages within the SP itself. Removing support for that binding
     in favor of HTTP-POST in any published metadata is an option of course.
 .
     Full advisory: https://shibboleth.net/community/advisories/secadv_20250313.txt
 .
     Thanks to Scott Cantor (Closes: #1100464)