• Bug#1100464: opensaml: Parameter manipulation allows the forging of sig

    From Niko Tyni@21:1/5 to All on Fri Mar 14 09:40:01 2025
    Package: opensaml
    Version: 3.3.0-2
    Severity: grave
    Tags: security
    X-Debbugs-Cc: team@security.debian.org

    As per https://shibboleth.net/community/advisories/secadv_20250313.txt

    Parameter manipulation allows the forging of signed SAML messages
    =================================================================

    A number of vulnerabilities in the OpenSAML library used by the
    Shibboleth Service Provider allowed for creative manipulation of
    parameters combined with reuse of the contents of older requests
    to fool the library's signature verification of non-XML based
    signed messages.

    [...]

    The SP's support for the HTTP-POST-SimpleSign SAML binding for
    Single Sign-On responses is its critical vulnerability, and
    it is enabled by default (regardless of what one's published
    SAML metadata may advertise).

    There's also a workaround in the advisory for the most critical
    part (disable the POST-SimpleSign binding in protocols.xml).

    RedHat already has a fix available. Not sure if this was coordinated distro-wide but filing a bug just in case (and copying the security team).

    I assume stable releases are affected but haven't verified that.

    I'm not aware of a CVE id for this.
    --
    Niko Tyni ntyni@debian.org

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Niko Tyni@21:1/5 to Niko Tyni on Fri Mar 14 10:10:01 2025
    On Fri, Mar 14, 2025 at 08:34:44AM +0000, Niko Tyni wrote:
    > Package: opensaml
    > Version: 3.3.0-2
    > Severity: grave
    > Tags: security
    > X-Debbugs-Cc: team@security.debian.org
    >
    > As per https://shibboleth.net/community/advisories/secadv_20250313.txt
    >
    > Parameter manipulation allows the forging of signed SAML messages
    > =================================================================
    >
    > RedHat already has a fix available. Not sure if this was coordinated distro-wide but filing a bug just in case (and copying the security team).

    Apologies, this was second hand information and probably incorrect.
    I think this referred to the 3.3.1 RPM package provided by shibboleth.net.

    FWIW I think the relevant upstream commit is

    https://git.shibboleth.net/view/?p=cpp-opensaml.git;a=commit;h=22a610b322e2178abd03e97cdbc8fb50b45efaee

    but I haven't tested this in any way.
    --
    Niko Tyni ntyni@debian.org
