First Last Prev Next    This bug is not in your last search results.
Bug 46755 - simplesamlphp: Multiple Issues (4.1)
simplesamlphp: Multiple Issues (4.1)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 4.1
All Linux
: P5 critical (vote)
: UCS 4.1-5-errata
Assigned To: Arvid Requate
Erik Damrose
https://www.debian.org/security/2018/...
:
Depends on:
Blocks: 46480
  Show dependency treegraph
 
Reported: 2018-03-28 15:30 CEST by Arvid Requate
Modified: 2018-04-04 16:43 CEST (History)
3 users (show)

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score: 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) NVD
requate: Patch_Available+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Arvid Requate univentionstaff 2018-03-28 15:30:59 CEST 
UCS-4.1 uses a version of simplesamlphp (1.13.2) that is close to the version maintained in Debian Jessie:


Upstream Debian package version 1.13.1-2+deb8u1 provides patches for:

CVE-2017-12867  5.9     The SimpleSAML_Auth_TimeLimitedToken class in SimpleSAMLphp 1.14.14 and earlier allows attackers with access to a secret token to extend its validity period by manipulating the prepended time offset.
CVE-2017-12869  7.5     The multiauth module in SimpleSAMLphp 1.14.13 and earlier allows remote attackers to bypass authentication context restrictions and use an authentication source defined in config/authsources.php via vectors related to improper validation of user input.
CVE-2017-12873  9.8     SimpleSAMLphp 1.7.0 through 1.14.10 might allow attackers to obtain sensitive information, gain unauthorized access, or have unspecified other impacts by leveraging incorrect persistent NameID generation when an Identity Provider (IdP) is misconfigured.
CVE-2017-12874  7.5     The InfoCard module 1.0 for SimpleSAMLphp allows attackers to spoof XML messages by leveraging an incorrect check of return values in signature validation utilities.
CVE-2017-18121  6.1     The consentAdmin module in SimpleSAMLphp through 1.14.15 is vulnerable to a Cross-Site Scripting attack, allowing an attacker to craft links that could execute arbitrary JavaScript code on the victim's web browser.
CVE-2017-18122  8.1     A signature-validation bypass issue was discovered in SimpleSAMLphp through 1.14.16. A SimpleSAMLphp Service Provider using SAML 1.1 will regard as valid any unsigned SAML response containing more than one signed assertion, provided that the signature of at least one of the assertions is valid. Attributes contained in all the assertions received will be merged and the entityID of the first assertion received will be used, allowing an attacker to impersonate any user of any IdP given an assertion signed by the targeted IdP.
CVE-2018-6519   7.5     The SAML2 library before 1.10.4, 2.x before 2.3.5, and 3.x before 3.1.1 in SimpleSAMLphp has a Regular Expression Denial of Service vulnerability for fraction-of-seconds data in a timestamp.
CVE-2018-6521   9.8     The sqlauth module in SimpleSAMLphp before 1.15.2 relies on the MySQL utf8 charset, which truncates queries upon encountering four-byte characters. There might be a scenario in which this allows remote attackers to bypass intended access restrictions.

and

CVE-2018-7644 7.5 Critical signature validation vulnerability.
Comment 1 Arvid Requate univentionstaff 2018-03-28 15:39:08 CEST 
Package cherrypicked from UCS 4.1-0 to errata4.1-5.
Patches extracted from the Debian jessie source package and merged to the corresponding svn/patches directory.
Package built in errata4.1-5.

Advisory: simplesamlphp.yaml (text copied from Bug 46480 advisory).
Comment 2 Erik Damrose univentionstaff 2018-03-29 11:16:18 CEST 
OK: patches at simplesamlphp/4.1-0-0-ucs/1.13.2-1-errata4.1-5
OK: package build included patches
OK: yaml
OK: SSO Auth to UMC
Verified
Comment 3 Philipp Hahn univentionstaff 2018-04-04 16:43:59 CEST 
<http://errata.software-univention.de/ucs/4.1/501.html>
First Last Prev Next    This bug is not in your last search results.