Debian Security Advisory

DLA-1205-1 simplesamlphp -- LTS security update

Date Reported:
12 Dec 2017
Affected Packages:
Security database references:
In Mitre's CVE dictionary: CVE-2017-12867, CVE-2017-12868, CVE-2017-12869, CVE-2017-12872, CVE-2017-12873, CVE-2017-12874.
More information:

The simplesamlphp package in wheezy is vulnerable to multiple attacks on authentication-related code, leading to unauthorized access and information disclosure.

  • CVE-2017-12867

    The SimpleSAML_Auth_TimeLimitedToken class allows attackers with access to a secret token to extend its validity period by manipulating the prepended time offset.

  • CVE-2017-12869

    The multiauth module allows remote attackers to bypass authentication context restrictions and use an authentication source defined in config/authsources.php via vectors related to improper validation of user input.

  • CVE-2017-12872 / CVE-2017-12868

    The (1) Htpasswd authentication source in the authcrypt module and (2) SimpleSAML_Session class in SimpleSAMLphp 1.14.11 and earlier allow remote attackers to conduct timing side-channel attacks by leveraging use of the standard comparison operator to compare secret material against user input.

    CVE-2017-12868 was about an improper fix of CVE-2017-12872 in the initial patch released by upstream. We have used the correct patch.

  • CVE-2017-12873

    SimpleSAMLphp might allow attackers to obtain sensitive information, gain unauthorized access, or have unspecified other impacts by leveraging incorrect persistent NameID generation when an Identity Provider (IdP) is misconfigured.

  • CVE-2017-12874

    The InfoCard module for SimpleSAMLphp allows attackers to spoof XML messages by leveraging an incorrect check of return values in signature validation utilities.
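
The following sketch illustrates the two defensive points behind CVE-2017-12867 and CVE-2017-12872: the expiry time of a token must be covered by its MAC, and secret material must be compared in constant time. It is an added example, not SimpleSAMLphp or Debian code; the token layout, function names, key and timestamp are assumptions constructed for illustration.

```php
<?php
// Added illustration, not SimpleSAMLphp code. Token layout "<expiry>-<mac>",
// function names and SECRET are assumptions made for this example.
const SECRET = 'constructed-demo-secret';

function issueToken(string $data, int $lifetime, ?int $now = null): string
{
    $expires = ($now ?? time()) + $lifetime;
    // The expiry is part of the MAC input, so editing it invalidates the MAC.
    $mac = hash_hmac('sha256', $expires . ':' . $data, SECRET);
    return $expires . '-' . $mac;
}

function validateToken(string $token, string $data, ?int $now = null): bool
{
    $parts = explode('-', $token, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return false; // malformed token
    }
    [$expires, $mac] = $parts;
    if ((int) $expires < ($now ?? time())) {
        return false; // past the authenticated expiry
    }
    $expected = hash_hmac('sha256', $expires . ':' . $data, SECRET);
    // hash_equals() takes the same time wherever the strings differ;
    // == or === returns at the first mismatching byte and leaks timing.
    return hash_equals($expected, $mac);
}

$now   = 1513036800; // constructed timestamp
$token = issueToken('user@example.org', 300, $now);

// Checked inside the 300-second lifetime.
var_dump(validateToken($token, 'user@example.org', $now + 60));
// Checked after the lifetime has passed.
var_dump(validateToken($token, 'user@example.org', $now + 600));

// Expiry field pushed forward by a day while the original MAC is kept.
[$exp, $mac] = explode('-', $token, 2);
$edited = ((int) $exp + 86400) . '-' . $mac;
var_dump(validateToken($edited, 'user@example.org', $now + 600));
```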

For Debian 7 Wheezy, these problems have been fixed in version 1.9.2-1+deb7u1.

We recommend that you upgrade your simplesamlphp packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: