Debian Security Advisory
DSA-4127-1 simplesamlphp -- security update
- Date Reported:
- 02 Mar 2018
- Affected Packages:
- Security database references:
- In the Debian bugtracking system: Bug 889286.
In Mitre's CVE dictionary: CVE-2017-12867, CVE-2017-12869, CVE-2017-12873, CVE-2017-12874, CVE-2017-18121, CVE-2017-18122, CVE-2018-6519, CVE-2018-6521, CVE-2018-7644.
- More information:
Several vulnerabilities have been discovered in SimpleSAMLphp, a framework for authentication, primarily via the SAML protocol.
Attackers with access to a secret token could extend its validity period by manipulating the prepended time offset.
When using the multiauth module, attackers can bypass authentication context restrictions and use any authentication source defined in the config.
Defensive measures have been taken to prevent the administrator from misconfiguring persistent NameIDs to avoid identifier clash. (Affects Debian 8 Jessie only.)
The InfoCard module could accept incorrectly signed XML messages in rare occasions.
The (deprecated) SAML 1.1 implementation would regard as valid any unsigned SAML response containing more than one signed assertion, provided that the signature of at least one of the assertions was valid, allowing an attacker that could obtain a valid signed assertion from an IdP to impersonate users from that IdP.
Regular expression denial of service when parsing extraordinarily long timestamps.
Change sqlauth module MySQL charset from utf8 to utf8mb to prevent theoretical query truncation that could allow remote attackers to bypass intended access restrictions
Critical signature validation vulnerability.
For the oldstable distribution (jessie), these problems have been fixed in version 1.13.1-2+deb8u1.
For the stable distribution (stretch), these problems have been fixed in version 1.14.11-1+deb9u1.
We recommend that you upgrade your simplesamlphp packages.
For the detailed security status of simplesamlphp please refer to its security tracker page at: https://security-tracker.debian.org/tracker/simplesamlphp