[SECURITY] [DLA 1408-1] simplesamlphp security update

To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 1408-1] simplesamlphp security update
From: Thorsten Alteholz <debian@alteholz.de>
Date: Fri, 29 Jun 2018 23:05:32 +0200 (CEST)
Message-id: <[🔎] alpine.DEB.2.02.1806292302530.11919@jupiter.server.alteholz.net>
Mail-followup-to: debian-lts@lists.debian.org
Reply-to: debian-lts@lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : simplesamlphp
Version        : 1.13.1-2+deb8u2
CVE ID         : CVE-2017-12868 CVE-2017-12872


CVE-2017-12872 / CVE-2017-12868

    The (1) Htpasswd authentication source in the authcrypt module and (2)
    SimpleSAML_Session class in SimpleSAMLphp 1.14.11 and earlier allow
    remote attackers to conduct timing side-channel attacks by leveraging
    use of the standard comparison operator to compare secret material
    against user input.

    CVE-2017-12868 was a about an improper fix of CVE-2017-12872 in the
    initial patch released by upstream. We have used the correct patch.


For Debian 8 "Jessie", these problems have been fixed in version
1.13.1-2+deb8u2.

We recommend that you upgrade your simplesamlphp packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQJ8BAEBCgBmBQJbNp8cXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ2MjAxRkJGRkRCQkRFMDc4MjJFQUJCOTY5
NkZDQUMwRDM4N0I1ODQ3AAoJEJb8rA04e1hHt/YP/AzBB6nGcpRJWraLor/sZuZu
9Xg2UpugDuY3Dc8pskHQS8jTDh6e/Rny45FOnvSOlG9rZWOEA4EkmEuVqEUmEb/S
gsxmYeqiMMKZLIujMc1v6aO4wL1cto/DaGSBDDoKSYEY8C//HwDRyBy9T3TADPcf
Jb40cNExpCeds2rm/vFrNnL9l/X4ZP0yZI45wpqEce/nbCtYOCgbIog91qrOVTJ6
fNdFNYXgDmzAUGmXnSTlRunOrfN4dujg5cnTxR4v4qErZnVpp01+zLWJYsBxTaNl
x5XotLVaapaVJyT7AZEDg4LoB/ZONW2ZPAHeoy2mX2bDVEBvjitP6ohsmwwKsj9d
7VFAxTguXmBgGwL0bCzySlZMMUsM5+UAnAUxAPr4yigwGLs2Ei5nudhd7FlN6Ggr
VhIshmRVwaQlx2JPjovKKD+8Mnz5qC8UEEPcqiLLzn/UoLEDhLDc0jz4UkOOci5t
dx750JTlVY6x6uI6AQ6vLw9/lTAf0tUjRgJn0gZwWR8impXy+BqLDFk4GnH2g+L8
ww/RAbs4ctA5SVtFjCJPQdnS7gePqctF6gqQw/wLb6u/zuhTpIu7UcIt0Ic8zFzD
ptMe1UrEGQ4cLvtl/d4NO2CtFV0zesZOYYzT9cEeoer2L0IakrkR1+2vkKdXZNjU
ynXvOBHibMD98EwzateT
=/3Ft
-----END PGP SIGNATURE-----

Reply to:

Prev by Date: [SECURITY] [DLA 1409-1] mosquitto security update
Previous by thread: [SECURITY] [DLA 1409-1] mosquitto security update
Index(es):
- Date
- Thread