Package : simplesamlphp Version : 1.9.2-1+deb7u1 CVE ID : CVE-2017-12867 CVE-2017-12868 CVE-2017-12869 CVE-2017-12872 CVE-2017-12873 CVE-2017-12874 The simplesamlphp package in wheezy is vulnerable to multiple attacks on authentication-related code, leading to unauthorized access and information disclosure. CVE-2017-12867 The SimpleSAML_Auth_TimeLimitedToken class allows attackers with access to a secret token to extend its validity period by manipulating the prepended time offset. CVE-2017-12869 The multiauth module allows remote attackers to bypass authentication context restrictions and use an authentication source defined in config/authsources.php via vectors related to improper validation of user input. CVE-2017-12872 / CVE-2017-12868 The (1) Htpasswd authentication source in the authcrypt module and (2) SimpleSAML_Session class in SimpleSAMLphp 1.14.11 and earlier allow remote iattackers to conduct timing side-channel attacks by leveraging use of the standard comparison operator to compare secret material against user input. CVE-2017-12868 was a about an improper fix of CVE-2017-12872 in the initial patch released by upstream. We have used the correct patch. CVE-2017-12873 SimpleSAMLphp might allow attackers to obtain sensitive information, gain unauthorized access, or have unspecified other impacts by leveraging incorrect persistent NameID generation when an Identity Provider (IdP) is misconfigured. CVE-2017-12874 The InfoCard module for SimpleSAMLphp allows attackers to spoof XML messages by leveraging an incorrect check of return values in signature validation utilities. For Debian 7 "Wheezy", these problems have been fixed in version 1.9.2-1+deb7u1. We recommend that you upgrade your simplesamlphp packages. Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS -- Raphaël Hertzog ◈ Debian Developer Support Debian LTS: https://www.freexian.com/services/debian-lts.html Learn to master Debian: https://debian-handbook.info/get/
Attachment:
signature.asc
Description: PGP signature