Univention Bugzilla – Bug 48961
Update simplesamlphp to 1.16
Last modified: 2019-07-24 15:03:13 CEST
The latest stable version of simplesamlphp is 1.17.1 (Released 2019-03-07). We are currently on version 1.14.11 (Released: 2016-12-12). simplesamlphp writes on its download page: """we don't recommend using the Debian package""" sid provides the latest version https://packages.debian.org/sid/simplesamlphp
It's a which by the privacyidea app.
(In reply to Florian Best from comment #1) > It's a which by the privacyidea app. wish*
*** Bug 48118 has been marked as a duplicate of this bug. ***
https://simplesamlphp.org/security
From duplicate bug 48118 The current simpleSAMLphp is with version 1.14 quite old. Namespaces have been introduced with version 1.15. An app provider needs to use namespaces with SAML in their plugin.
Our old version from Debian-Stretch still has some unfixed security issue: <https://security-tracker.debian.org/tracker/source-package/simplesamlphp>> CVE-2017-12871 CVE-2017-12870 and 3 more minor issues: CVE-2018-7711 CVE-2018-6520 CVE-2017-12872 NVD has assigned the following CVSS scored: CVE-2018-7711 8.1 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H HTTPRedirect.php in the saml2 library in SimpleSAMLphp before 1.15.4 has an incorrect check of return values in the signature validation utilities, allowing an attacker to get invalid signatures accepted as valid by forcing an error during validation. This occurs because of a dependency on PHP functionality that interprets a -1 error code as a true boolean value. CVE-2018-6520 6.1 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N SimpleSAMLphp before 1.15.2 allows remote attackers to bypass an open redirect protection mechanism via crafted authority data in a URL. CVE-2017-12872 5.9 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N' The (1) Htpasswd authentication source in the authcrypt module and (2) SimpleSAML_Session class in SimpleSAMLphp 1.14.11 and earlier allow remote attackers to conduct timing side-channel attacks by leveraging use of the standard comparison operator to compare secret material against user input. CVE-2017-12870 5.9 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N SimpleSAMLphp 1.14.12 and earlier make it easier for man-in-the-middle attackers to obtain sensitive information by leveraging use of the aesEncrypt and aesDecrypt methods in the SimpleSAML/Utils/Crypto class to protect session identifiers in replies to non-HTTPS service providers. CVE-2017-12871 5.9 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N The aesEncrypt method in lib/SimpleSAML/Utils/Crypto.php in SimpleSAMLphp 1.14.x through 1.14.11 makes it easier for context-dependent attackers to bypass the encryption protection mechanism by leveraging use of the first 16 bytes of the secret key as the initialization vector (IV). By default they are higher than RedHats because by default issues start with 10 and are only down-rated when known to be not affected by an vecotr.
Please add to https://hutten.knut.univention.de/mediawiki/index.php/Security_Updates#Spezielle_Pakete when doing this.
My analysis so far: I could easily install the simplesamlphp_1.17.2-2_all.deb and the configuration files don't differ too much. I needed to fix our ucs-tests because the HTML format changed. Now ucs-test is compatible with both versions. So far, only 2 test cases fail: 10_saml_password_expire and 11_saml_user_expire fail because a wrong error message is displayed: Expected message: Got {account,password} expired notice Received message: Got incorrect username or password notice ucs-test (9.0.2-112) 5777b977d06d | Bug #48961: adjust test to be compatible with simplesamlphp 1.17
(In reply to Florian Best from comment #8) > ... because the HTML format changed.... Note: We have to make sure our theme still works as expected. If that is not the case, we also have to inform any projects that uses a custom theme as well (paedml comes to mind).
(In reply to Erik Damrose from comment #9) > (In reply to Florian Best from comment #8) > > ... because the HTML format changed.... > > Note: We have to make sure our theme still works as expected. If that is not > the case, we also have to inform any projects that uses a custom theme as > well (paedml comes to mind). Yes. The theme currently looks equal.
All tests are passing with my changes in branch git:fbest/48961-update-simplesamlphp: * fix calling of $this->languageParameterName, which is now private * change exception class into: SimpleSAML\Error\Error * add error codes into static mapping by patching simplesamlphp code
@Ingo, @Erik: wouldn't it be best to release this with the UCS 4.4-1 release? This is quasi an API change. Otherwise we have to do it in a erratum for 4.4-1, which is probably worse for eventual changes which need to be done by ISVs like paedml or privacyidea.
The package has been imported from debian and build with our patches in the build scope "fbest": Package: simplesamlphp Version: 1.17.2-2A~4.4.0.201907021436 deb [trusted=yes] http://omar.knut.univention.de/build2/ ucs_4.4-0-fbest/all/ deb [trusted=yes] http://omar.knut.univention.de/build2/ ucs_4.4-0-fbest/$(ARCH)/ Fixes for univention-saml and YAML in branch git:fbest/48961-update-simplesamlphp.
The patches has been commited as svn r18604.
Latest outcome when discussing the package update said to update to Version 1.16 for easier security tracking -> reopen
(In reply to Erik Damrose from comment #15) > Latest outcome when discussing the package update said to update to Version > 1.16 for easier security tracking -> reopen OK, downgraded the patches and build in scope "fbest". simplesamlphp 1.16.3-1A~4.4.0.201907111745
simplesamlphp 1.16.3-1 has been imported from debian buster. The security wiki site has been updated accordingly. API changes in simplesamlphp has been respected, the patch with the different exception names is only necessary in 1.17. ucs-test (9.0.2-112) 5777b977d06d | Bug #48961: adjust test to be compatible with simplesamlphp 1.17 ucs-test (9.0.2-114) 79ef4f5dedd7 | Bug #48961: adjust error handling simplesamlphp.yaml 21163bef69d2 | YAML Bug #48961 univention-saml (6.0.2-4) 752e319083ed | Bug #48961: $this->languageParameterName is now private univention-saml.yaml 21163bef69d2 | YAML Bug #48961
OK What I tested: Update on master -> OK Update on backup -> OK Test Login at master, backup, slave -> OK Test session sync to backup -> OK Test nextcloud with saml -OK [4.4-1 cfd7378871] Bug #48961: yaml [4.4-1 f8cb1f70fc] Bug #48961: yaml YAML -> OK
<http://errata.software-univention.de/ucs/4.4/195.html> <http://errata.software-univention.de/ucs/4.4/196.html>