[SECURITY] [DLA 1408-1] simplesamlphp security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Package : simplesamlphp
Version : 1.13.1-2+deb8u2
CVE ID : CVE-2017-12868 CVE-2017-12872
CVE-2017-12872 / CVE-2017-12868
The (1) Htpasswd authentication source in the authcrypt module and (2)
SimpleSAML_Session class in SimpleSAMLphp 1.14.11 and earlier allow
remote attackers to conduct timing side-channel attacks by leveraging
use of the standard comparison operator to compare secret material
against user input.
CVE-2017-12868 was a about an improper fix of CVE-2017-12872 in the
initial patch released by upstream. We have used the correct patch.
For Debian 8 "Jessie", these problems have been fixed in version
1.13.1-2+deb8u2.
We recommend that you upgrade your simplesamlphp packages.
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iQJ8BAEBCgBmBQJbNp8cXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ2MjAxRkJGRkRCQkRFMDc4MjJFQUJCOTY5
NkZDQUMwRDM4N0I1ODQ3AAoJEJb8rA04e1hHt/YP/AzBB6nGcpRJWraLor/sZuZu
9Xg2UpugDuY3Dc8pskHQS8jTDh6e/Rny45FOnvSOlG9rZWOEA4EkmEuVqEUmEb/S
gsxmYeqiMMKZLIujMc1v6aO4wL1cto/DaGSBDDoKSYEY8C//HwDRyBy9T3TADPcf
Jb40cNExpCeds2rm/vFrNnL9l/X4ZP0yZI45wpqEce/nbCtYOCgbIog91qrOVTJ6
fNdFNYXgDmzAUGmXnSTlRunOrfN4dujg5cnTxR4v4qErZnVpp01+zLWJYsBxTaNl
x5XotLVaapaVJyT7AZEDg4LoB/ZONW2ZPAHeoy2mX2bDVEBvjitP6ohsmwwKsj9d
7VFAxTguXmBgGwL0bCzySlZMMUsM5+UAnAUxAPr4yigwGLs2Ei5nudhd7FlN6Ggr
VhIshmRVwaQlx2JPjovKKD+8Mnz5qC8UEEPcqiLLzn/UoLEDhLDc0jz4UkOOci5t
dx750JTlVY6x6uI6AQ6vLw9/lTAf0tUjRgJn0gZwWR8impXy+BqLDFk4GnH2g+L8
ww/RAbs4ctA5SVtFjCJPQdnS7gePqctF6gqQw/wLb6u/zuhTpIu7UcIt0Ic8zFzD
ptMe1UrEGQ4cLvtl/d4NO2CtFV0zesZOYYzT9cEeoer2L0IakrkR1+2vkKdXZNjU
ynXvOBHibMD98EwzateT
=/3Ft
-----END PGP SIGNATURE-----
Reply to: