[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

[SECURITY] [DLA 1297-1] simplesamlphp security update



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Package        : simplesamlphp
Version        : 1.9.2-1+deb7u3
CVE ID         : CVE-2016-9814 CVE-2016-9955

Several vulnerabilities have been discovered in SimpleSAMLphp, a
framework for authentication, primarily via the SAML protocol.

CVE-2016-9814 & CVE-2016-9955

    An incorrect check of return values in the signature validation
    utilities allowed an attacker to get invalid signatures accepted
    as valid in the rare case of an error occurring during validation.

SSPSA-201802-01 (no CVE yet)

    Critical signature validation vulnerability.

In addition this update adds a patch to solve excessive resource
consumption in case of SimpleSAMLphp processing a large metadata file.

For Debian 7 "Wheezy", these problems have been fixed in version
1.9.2-1+deb7u3.

We recommend that you upgrade your simplesamlphp packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQEuBAEBCAAYBQJamTFMERx0aGlqc0BkZWJpYW4ub3JnAAoJEFb2GnlAHawEC3MH
/RkG066eiEO7JiDVkCHXuOCLFiBmdBoURfgNuWiNYoA2hb/7FKsV0OnmN0cutWm/
njXbEuhsK61MtxP8qDGWajciZ/dmlHMTH2T4bTxH7VDpM40R7bjMTIivYM8l72ju
33LH3lbNv3+wwlHlJxMxC2ML8ICeHZ0F/RE11Ef9Bvjdanu8OB0G/NHicMT33hOV
dW/k3aTkKEnD2Q6VbIBEWOmhBym4XRxA6WLaKL+tU2Bc4TqXGNshFaSIn7rhlSG/
Nt3qw2aR8pwb1bRT3Cblz5i85c9tjWz3fAPKiM8VQlEvfegk72HhQnLDHq80QQ/f
njSzy1lVBcGhPk7eClzpv1Y=
=Yy5L
-----END PGP SIGNATURE-----


Reply to: