[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

[SECURITY] [DLA 1205-1] simplesamlphp security update



Package        : simplesamlphp
Version        : 1.9.2-1+deb7u1
CVE ID         : CVE-2017-12867 CVE-2017-12868 CVE-2017-12869 CVE-2017-12872
                 CVE-2017-12873 CVE-2017-12874

The simplesamlphp package in wheezy is vulnerable to multiple attacks
on authentication-related code, leading to unauthorized access and
information disclosure.

CVE-2017-12867

    The SimpleSAML_Auth_TimeLimitedToken class allows attackers with
    access to a secret token to extend its validity period by manipulating
    the prepended time offset.

CVE-2017-12869

    The multiauth module allows remote attackers to bypass authentication
    context restrictions and use an authentication source defined in
    config/authsources.php via vectors related to improper validation of
    user input.

CVE-2017-12872 / CVE-2017-12868

    The (1) Htpasswd authentication source in the authcrypt module and (2)
    SimpleSAML_Session class in SimpleSAMLphp 1.14.11 and earlier allow
    remote iattackers to conduct timing side-channel attacks by leveraging
    use of the standard comparison operator to compare secret material
    against user input.

    CVE-2017-12868 was a about an improper fix of CVE-2017-12872 in the
    initial patch released by upstream. We have used the correct patch.

CVE-2017-12873

    SimpleSAMLphp might allow attackers to obtain sensitive information,
    gain unauthorized access, or have unspecified other impacts by
    leveraging incorrect persistent NameID generation when an Identity
    Provider (IdP) is misconfigured.

CVE-2017-12874

    The InfoCard module for SimpleSAMLphp allows attackers to spoof
    XML messages by leveraging an incorrect check of return values in
    signature validation utilities.


For Debian 7 "Wheezy", these problems have been fixed in version
1.9.2-1+deb7u1.

We recommend that you upgrade your simplesamlphp packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/

Attachment: signature.asc
Description: PGP signature


Reply to: