-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Fri, 14 Mar 2025 21:47:50 +0100 Source: opensaml Architecture: source Version: 3.2.1-3+deb12u1 Distribution: bookworm-security Urgency: high Maintainer: Debian Shib Team Changed-By: Ferenc Wágner Closes: 1100464 Changes: opensaml (3.2.1-3+deb12u1) bookworm-security; urgency=high . * [b3e86fd] New patch: CPPOST-126 - Simple signature verification fails to detect parameter smuggling. Security fix cherry-picked from v3.3.1 (upstream commit 22a610b322e2178abd03e97cdbc8fb50b45efaee). Parameter manipulation allows the forging of signed SAML messages ================================================================= A number of vulnerabilities in the OpenSAML library used by the Shibboleth Service Provider allowed for creative manipulation of parameters combined with reuse of the contents of older requests to fool the library's signature verification of non-XML based signed messages. Most uses of that feature involve very low or low impact use cases without critical security implications; however, there are two scenarios that are much more critical, one affecting the SP and one affecting some implementers who have implemented their own code on top of our OpenSAML library and done so improperly. The SP's support for the HTTP-POST-SimpleSign SAML binding for Single Sign-On responses is its critical vulnerability, and it is enabled by default (regardless of what one's published SAML metadata may advertise). The other critical case involves a mistake that does *not* impact the Shibboleth SP, allowing SSO to occur over the HTTP-Redirect binding contrary to the plain language of the SAML Browser SSO profile. The SP does not support this, but other implementers may have done so. Contrary to the initial publication of this advisory, there is no workaround within the SP configuration other than to remove the "SimpleSigning" security policy rule from the security-policy.xml file entirely. That will also prevent support of legitimate signed requests or responses via the HTTP-Redirect binding, which is generally used only for logout messages within the SP itself. Removing support for that binding in favor of HTTP-POST in any published metadata is an option of course. Full advisory: https://shibboleth.net/community/advisories/secadv_20250313.txt Thanks to Scott Cantor (Closes: #1100464) Checksums-Sha1: 22cd592016a1f2668925c004fd5873ebb365769a 2769 opensaml_3.2.1-3+deb12u1.dsc 046bd41c342174050be8ee370ba681c6a45c76d8 600699 opensaml_3.2.1.orig.tar.bz2 8b962fb6269e4c524f8681226ed52ffa807d6a42 833 opensaml_3.2.1.orig.tar.bz2.asc 4b56709c4c0b64b633837f26a980b8ee245bbebc 20452 opensaml_3.2.1-3+deb12u1.debian.tar.xz 5b36473a702919f4123b17fb236f20cc233bb082 11770 opensaml_3.2.1-3+deb12u1_amd64.buildinfo Checksums-Sha256: e6108b5348f40a95cc2f972325de5c8eb38b358e702dd05e35b04eb18361df11 2769 opensaml_3.2.1-3+deb12u1.dsc b402a89a130adcb76869054b256429c1845339fe5c5226ee888686b6a026a337 600699 opensaml_3.2.1.orig.tar.bz2 406847d5adee9400ddc4646580cafd9bd727a8eecb955fb0987a05ec0f2159e0 833 opensaml_3.2.1.orig.tar.bz2.asc 7c5c1470b5d9dab3fcabca1d7683525dbeee8f566977d7aaddf7040f24db0fd0 20452 opensaml_3.2.1-3+deb12u1.debian.tar.xz 641e7f422c7f3bfc41ee4b01f47c4d7c87ec6e2c82868c769df699d1fd5747b2 11770 opensaml_3.2.1-3+deb12u1_amd64.buildinfo Files: a025e9c730fa564cc162dc9fb1abed4e 2769 libs optional opensaml_3.2.1-3+deb12u1.dsc a4c08783eb5078be3bbe2ca6b6c7b806 600699 libs optional opensaml_3.2.1.orig.tar.bz2 4d2a57e6af9cb2d36702352e1fd8b806 833 libs optional opensaml_3.2.1.orig.tar.bz2.asc 464f94347af15f78b0e7ad5092b0db18 20452 libs optional opensaml_3.2.1-3+deb12u1.debian.tar.xz 066fd348e10cd1c34b27323a62fc5277 11770 libs optional opensaml_3.2.1-3+deb12u1_amd64.buildinfo -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEwddEx0RNIUL7eugtOsj3Fkd+2yMFAmfUl54ACgkQOsj3Fkd+ 2yMwIxAAl3Qq18XRVULWG1oaM3CBqYt0DpZUfVWp81Fwbpwc33M+SGhXm8NQgau8 A6myAinVKNnJ0uoKQxu8JeU7uG7/neRHwFotX/cYq285VceMn0yI7xQiOU7wc/2N oKAvIb9UvgIYbb1hzmNcnhWln8mlyIhTDRSfU3CF2ZB/9W+DSvOhbAPUocws1VR+ 5wSESfE6BeBgJEahX9IA2TcOZPgia8qo9pcSkK8ZG+46Ky7kYPo3zsM7mSJTU2O0 bMtSAoZcTpCoqYgC5FHP/SobJrLjs68wINXrD3vjbLfXC81ehjybUDMUAGnd/ayP ImES2YzTwELpMWnd+TIRIKP03cvt4waG8EMlsNE8PmcbWftjaNR+5x8JnSdJM3Va gzz6NkgR8I8HpKelyInBVxL8jY+Yt5pHYa/457AXV6ycwW6gvVgCkh9Jit5p+cPD NgPcugvvLCEq6w2s4789Gadzi3NgDqOpzz0w0E9Y84KK/Mun7806YGyhB/2gznu+ 8w5hMDcLjwIlyzpWhCIHdXiHtiikZ7h6PgoEV+q4fMgPxeFpJ9W5EC+S4imVgzPa 7ifkVxoV3mZhI2V9kYjGW75Wy3E7tz56/i6b9QjPgl/XJg6/bbyI148gFPdiK0Sj OxhceeIRyhnHPx4gnH8m5Qsicpb5iUNpIX6YhqJ83zd6Ix03PcI= =nInB -----END PGP SIGNATURE-----