Univention Bugzilla – Bug 46755
simplesamlphp: Multiple Issues (4.1)
Last modified: 2018-04-04 16:43:59 CEST
UCS-4.1 uses a version of simplesamlphp (1.13.2) that is close to the version maintained in Debian Jessie: Upstream Debian package version 1.13.1-2+deb8u1 provides patches for: CVE-2017-12867 5.9 The SimpleSAML_Auth_TimeLimitedToken class in SimpleSAMLphp 1.14.14 and earlier allows attackers with access to a secret token to extend its validity period by manipulating the prepended time offset. CVE-2017-12869 7.5 The multiauth module in SimpleSAMLphp 1.14.13 and earlier allows remote attackers to bypass authentication context restrictions and use an authentication source defined in config/authsources.php via vectors related to improper validation of user input. CVE-2017-12873 9.8 SimpleSAMLphp 1.7.0 through 1.14.10 might allow attackers to obtain sensitive information, gain unauthorized access, or have unspecified other impacts by leveraging incorrect persistent NameID generation when an Identity Provider (IdP) is misconfigured. CVE-2017-12874 7.5 The InfoCard module 1.0 for SimpleSAMLphp allows attackers to spoof XML messages by leveraging an incorrect check of return values in signature validation utilities. CVE-2017-18121 6.1 The consentAdmin module in SimpleSAMLphp through 1.14.15 is vulnerable to a Cross-Site Scripting attack, allowing an attacker to craft links that could execute arbitrary JavaScript code on the victim's web browser. CVE-2017-18122 8.1 A signature-validation bypass issue was discovered in SimpleSAMLphp through 1.14.16. A SimpleSAMLphp Service Provider using SAML 1.1 will regard as valid any unsigned SAML response containing more than one signed assertion, provided that the signature of at least one of the assertions is valid. Attributes contained in all the assertions received will be merged and the entityID of the first assertion received will be used, allowing an attacker to impersonate any user of any IdP given an assertion signed by the targeted IdP. CVE-2018-6519 7.5 The SAML2 library before 1.10.4, 2.x before 2.3.5, and 3.x before 3.1.1 in SimpleSAMLphp has a Regular Expression Denial of Service vulnerability for fraction-of-seconds data in a timestamp. CVE-2018-6521 9.8 The sqlauth module in SimpleSAMLphp before 1.15.2 relies on the MySQL utf8 charset, which truncates queries upon encountering four-byte characters. There might be a scenario in which this allows remote attackers to bypass intended access restrictions. and CVE-2018-7644 7.5 Critical signature validation vulnerability.
Package cherrypicked from UCS 4.1-0 to errata4.1-5. Patches extracted from the Debian jessie source package and merged to the corresponding svn/patches directory. Package built in errata4.1-5. Advisory: simplesamlphp.yaml (text copied from Bug 46480 advisory).
OK: patches at simplesamlphp/4.1-0-0-ucs/1.13.2-1-errata4.1-5 OK: package build included patches OK: yaml OK: SSO Auth to UMC Verified
<http://errata.software-univention.de/ucs/4.1/501.html>