Univention Bugzilla – Bug 46480
simplesamlphp: Multiple Issues (4.2)
Last modified: 2018-05-08 14:57:06 CEST
UCS-4.2 uses Debian-Stretch 1.14.11-1+deb9u1:
CVE-2017-12867 5.9 The SimpleSAML_Auth_TimeLimitedToken class in SimpleSAMLphp 1.14.14 and earlier allows attackers with access to a secret token to extend its validity period by manipulating the prepended time offset.
CVE-2017-12869 7.5 The multiauth module in SimpleSAMLphp 1.14.13 and earlier allows remote attackers to bypass authentication context restrictions and use an authentication source defined in config/authsources.php via vectors related to improper validation of user input.
CVE-2017-12873 9.8 SimpleSAMLphp 1.7.0 through 1.14.10 might allow attackers to obtain sensitive information, gain unauthorized access, or have unspecified other impacts by leveraging incorrect persistent NameID generation when an Identity Provider (IdP) is misconfigured.
CVE-2017-12874 7.5 The InfoCard module 1.0 for SimpleSAMLphp allows attackers to spoof XML messages by leveraging an incorrect check of return values in signature validation utilities.
CVE-2017-18122 8.1 A signature-validation bypass issue was discovered in SimpleSAMLphp through 1.14.16. A SimpleSAMLphp Service Provider using SAML 1.1 will regard as valid any unsigned SAML response containing more than one signed assertion, provided that the signature of at least one of the assertions is valid. Attributes contained in all the assertions received will be merged and the entityID of the first assertion received will be used, allowing an attacker to impersonate any user of any IdP given an assertion signed by the targeted IdP.
CVE-2018-6519 7.5 The SAML2 library before 1.10.4, 2.x before 2.3.5, and 3.x before 3.1.1 in SimpleSAMLphp has a Regular Expression Denial of Service vulnerability for fraction-of-seconds data in a timestamp.
CVE-2018-6521 9.8 The sqlauth module in SimpleSAMLphp before 1.15.2 relies on the MySQL utf8 charset, which truncates queries upon encountering four-byte characters. There might be a scenario in which this allows remote attackers to bypass intended access restrictions.
repo_admin.py --cherrypick -r 4.3 --releasedest 4.2 --dest errata4.2-3 -p simplesamlphp
OK: The following patches will be applied:
[4.2-3] 6c76c614c2 Bug #46480: simplesamlphp_1.14.11-1+deb9u1
[4.2-3] ed9aed4b6f Bug #46480: simplesamlphp_1.14.11-1+deb9u1
Seems like CVE-2018-7644 is also fixed in this version, please verify. https://security-tracker.debian.org/tracker/CVE-2018-7644
(In reply to Erik Damrose from comment #2)
> Seems like CVE-2018-7644 is also fixed in this version, please verify.
[4.2-3] b5bd4c2445 Bug #46480: simplesamlphp_1.14.11-1+deb9u1 Fix
I've removed CVE-2017-12873 from the advisory, affects the jessie version only and we have the stretch version of this particular package already in UCS 4.2.
* Upstream source package imported
* UCS patches applied during built
* Package update works
* Advisory: Ok
@@ -1,8 +1,16 @@
-1.14.11-1A~220.127.116.11703101227 [Fri, 10 Mar 2017 12:27:29 +0100] Univention builddaemon <firstname.lastname@example.org>:
+1.14.11-1+deb9u1A~18.104.22.168803051050 [Mon, 05 Mar 2018 10:50:09 +0100] Univention builddaemon <email@example.com>:
* UCS auto build. The following patches have been applied to the original source package
+1.14.11-1+deb9u1 [Thu, 01 Mar 2018 20:16:49 +0100] Thijs Kinkhorst <firstname.lastname@example.org>:
+ * Update by the security team for stretch.
+ CVE-2017-12867 CVE-2017-12869
+ CVE-2017-12874 CVE-2017-18121 CVE-2017-18122
+ CVE-2018-6519 CVE-2018-6521 SSPSA-201802-01
+ (closes: #889286).
1.14.11-1 [Tue, 13 Dec 2016 08:24:57 +0000] Thijs Kinkhorst <email@example.com>: