Univention Bugzilla – Bug 52857
python-pysaml2: Multiple issues (4.4)
Last modified: 2021-03-17 14:00:03 CET
New Debian python-pysaml2 3.0.0-5+deb9u2A~4.4.7.202103010941 fixes: This update addresses the following issues: * Access restriction bypass (CVE-2017-1000433) * PySAML2 is a pure python implementation of SAML Version 2 Standard. PySAML2 before 6.5.0 has an improper verification of cryptographic signature vulnerability. Users of pysaml2 that use the default CryptoBackendXmlSec1 backend and need to verify signed SAML documents are impacted. PySAML2 does not ensure that a signed SAML document is correctly signed. The default CryptoBackendXmlSec1 backend is using the xmlsec1 binary to verify the signature of signed SAML documents, but by default xmlsec1 accepts any type of key found within the given document. xmlsec1 needs to be configured explicitly to only use only _x509 certificates_ for the verification process of the SAML document signature. This is fixed in PySAML2 6.5.0. (CVE-2021-21239)
--- mirror/ftp/4.4/unmaintained/component/4.4-7-errata/source/python-pysaml2_3.0.0-5+deb9u1A~4.4.7.202012081556.dsc +++ apt/ucs_4.4-0-errata4.4-7/source/python-pysaml2_3.0.0-5+deb9u2A~4.4.7.202103010941.dsc @@ -1,4 +1,4 @@ -3.0.0-5+deb9u1A~4.4.7.202012081556 [Tue, 08 Dec 2020 15:56:48 +0100] Univention builddaemon <buildd@univention.de>: +3.0.0-5+deb9u2A~4.4.7.202103010941 [Mon, 01 Mar 2021 09:45:47 +0100] Univention builddaemon <buildd@univention.de>: * UCS auto build. The following patches have been applied to the original source package 002 @@ -7,6 +7,16 @@ 006-disable-writeback-for-shelve debhelper +3.0.0-5+deb9u2 [Tue, 02 Feb 2021 08:42:57 +1100] Brian May <bam@debian.org>: + + [ Brian May ] + * Non-maintainer upload by the LTS Security Team. + * Fix CVE-2021-21239 - Restrict the key data that xmlsec1 accepts to on. + + [ Abhijith PA ] + * Fix CVE-2017-1000433 - bypass password with python optimizations + enabled + 3.0.0-5+deb9u1 [Wed, 19 Feb 2020 21:45:47 +0100] Moritz Mühlenhoff <jmm@debian.org>: * CVE-2020-5390 <http://10.200.17.11/4.4-7/#2545423272866835348>
OK: yaml OK: announce_errata OK: patch OK: piuparts [4.4-7] 6e51164947 Bug #52857: python-pysaml2 3.0.0-5+deb9u2A~4.4.7.202103010941 doc/errata/staging/python-pysaml2.yaml | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+)
Reopen: 82_saml.27_renewed_idp_cert
Es ist dieser Patch python-pysaml2-3.0.0/debian/patches/CVE-2021-21239.patch, vermutlich wichtig, wire sollten den Test und ggf die Doku anpassen. It is this patch python-pysaml2-3.0.0/debian/patches/CVE-2021-21239.patch --- a/src/saml2/sigver.py +++ b/src/saml2/sigver.py @@ -896,6 +896,7 @@ class CryptoBackendXmlSec1(CryptoBackend com_list = [self.xmlsec, "--verify", "--pubkey-cert-%s" % cert_type, cert_file, + "--enabled-key-data", 'raw-x509-cert', "--id-attr:%s" % id_attr, node_name] if self.debug: that breaks our test. We should modify the the test. The test currently does not update /usr/share/univention-management-console/saml/idp/*.xml and restart univention-management-console-web-server. Doku https://help.univention.com/t/renewing-the-ssl-certificates/37 seems .
just added reload_idp_metadata() after renew_sso_cert() in 82_saml/27_renewed_idp_cert ucs-test - 793c8049d07ee7c1e28754293cbf37496f467876 4.4-7 ucs-test - d8821335b3352c61ad034a12e563ef1030724087 5.0-0
Failing test: - <https://git.knut.univention.de/univention/ucs/-/blob/4.4-7/test/ucs-test/tests/82_saml/27_renewed_idp_cert> Failing scenarios: - <https://jenkins.knut.univention.de:8181/job/UCS-4.4/job/UCS-4.4-7/job/AutotestJoin/lastCompletedBuild/SambaVersion=no-samba,Systemrolle=master/testReport/82_saml/27_renewed_idp_cert/master090/> - <https://jenkins.knut.univention.de:8181/job/UCS-4.4/job/UCS-4.4-7/job/AutotestJoin/lastCompletedBuild/SambaVersion=s4,Systemrolle=master/testReport/82_saml/27_renewed_idp_cert/master091/> Maybe <https://git.knut.univention.de/univention/ucs/-/commit/793c8049d07ee7c1e28754293cbf37496f467876> will fix it...
OK: UCS 4 + UCS 5 fix Verified: Fixed test by correctly reloading metadata.
<https://errata.software-univention.de/#/?erratum=4.4x918>