python-pysaml2: CVE-2017-1000433: Access restriction bypass

Related Vulnerabilities: CVE-2017-1000433  

Debian Bug report logs - #886423
python-pysaml2: CVE-2017-1000433: Access restriction bypass


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 5 Jan 2018 19:54:04 UTC

Severity: important

Tags: patch, security, upstream

Found in version python-pysaml2/2.0.0-1

Fixed in version python-pysaml2/4.5.0-1

Done: Thomas Goirand <zigo@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/rohe/pysaml2/issues/451



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, PKG OpenStack <openstack-devel@lists.alioth.debian.org>:
Bug#886423; Package src:python-pysaml2. (Fri, 05 Jan 2018 19:54:06 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, PKG OpenStack <openstack-devel@lists.alioth.debian.org>. (Fri, 05 Jan 2018 19:54:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: python-pysaml2: CVE-2017-1000433: Access restriction bypass
Date: Fri, 05 Jan 2018 20:50:39 +0100
Source: python-pysaml2
Version: 2.0.0-1
Severity: important
Tags: patch security upstream
Forwarded: https://github.com/rohe/pysaml2/issues/451

Hi,

the following vulnerability was published for python-pysaml2.

CVE-2017-1000433[0]:
| pysaml2 version 4.4.0 and older accept any password when run with
| python optimizations enabled. This allows attackers to log in as any
| user without knowing their password.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-1000433
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000433
[1] https://github.com/rohe/pysaml2/issues/451
[2] https://github.com/rohe/pysaml2/commit/6312a41e037954850867f29d329e5007df1424a5

Regards,
Salvatore
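The "accepts any password when run with python optimizations enabled" behaviour quoted above is the signature of an authentication check written as an `assert` statement: Python drops every `assert` when started with -O, and the check disappears with it. The block below is an added example, not pysaml2's own code nor the fix from the linked commit; it uses a constructed credential store and a hypothetical `verify()` to show the vulnerable pattern compiled with and without optimization, next to a hardened check that no interpreter flag can remove.

```python
# Constructed example, not pysaml2's own code: models the defect class behind
# CVE-2017-1000433, a password check written as an ``assert``, which Python
# drops when optimizations are enabled (python -O), so any password passes.
import hmac

# Constructed credential store; plain-text comparison only to keep the demo short.
USERS = {"alice": "correct horse"}

# Vulnerable pattern kept as source so it can be compiled with or without
# optimization in the same process: compile(optimize=1) behaves like -O.
VULNERABLE_SRC = '''
def verify(user, password):
    # BAD: assert is a debugging aid; -O removes it together with the check.
    assert hmac.compare_digest(USERS.get(user, ""), password), "bad password"
    return True
'''


def load_vulnerable_verify(optimize):
    """Compile the vulnerable verify() at optimization level 0 or 1."""
    ns = {"hmac": hmac, "USERS": USERS}
    exec(compile(VULNERABLE_SRC, "<vulnerable>", "exec", optimize=optimize), ns)
    return ns["verify"]


def vulnerable_accepts_wrong_password(optimize):
    """True if the vulnerable check lets a wrong password through."""
    try:
        return load_vulnerable_verify(optimize)("alice", "wrong")
    except AssertionError:
        return False


def verify_hardened(user, password):
    """Fixed pattern: an explicit check that no interpreter flag can strip."""
    expected = USERS.get(user)
    return expected is not None and hmac.compare_digest(expected, password)


def asserts_active():
    """Startup self-check worth logging: False when running under -O."""
    return __debug__


if __name__ == "__main__":
    print("asserts active:", asserts_active())
    print("vulnerable, optimize=0, wrong password accepted:", vulnerable_accepts_wrong_password(0))
    print("vulnerable, optimize=1, wrong password accepted:", vulnerable_accepts_wrong_password(1))
    print("hardened, wrong password accepted:", verify_hardened("alice", "wrong"))
```

Running the same file under `python -O` makes `asserts_active()` return False, which is the condition a deployment check should flag for any code base that still relies on `assert` for validation.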



Reply sent to Thomas Goirand <zigo@debian.org>:
You have taken responsibility. (Mon, 20 Aug 2018 15:54:19 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Mon, 20 Aug 2018 15:54:19 GMT)


Message #10 received at 886423-close@bugs.debian.org:

From: Thomas Goirand <zigo@debian.org>
To: 886423-close@bugs.debian.org
Subject: Bug#886423: fixed in python-pysaml2 4.5.0-1
Date: Mon, 20 Aug 2018 15:51:01 +0000
Source: python-pysaml2
Source-Version: 4.5.0-1

We believe that the bug you reported is fixed in the latest version of
python-pysaml2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 886423@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <zigo@debian.org> (supplier of updated python-pysaml2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 20 Aug 2018 16:47:23 +0200
Source: python-pysaml2
Binary: python-pysaml2 python-pysaml2-doc python3-pysaml2
Architecture: source all
Version: 4.5.0-1
Distribution: experimental
Urgency: medium
Maintainer: Debian OpenStack <team+openstack@tracker.debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Description:
 python-pysaml2 - SAML Version 2 to be used in a WSGI environment - Python 2.x
 python-pysaml2-doc - SAML Version 2 to be used in a WSGI environment - doc
 python3-pysaml2 - SAML Version 2 to be used in a WSGI environment - Python 3.x
Closes: 857848 859135 882012 886423
Changes:
 python-pysaml2 (4.5.0-1) experimental; urgency=medium
 .
   [ Ondřej Nový ]
   * d/control: Use team+openstack@tracker.debian.org as maintainer
 .
   [ Thomas Goirand ]
   * New upstream release. (Closes: #857848, #882012, #886423, #859135).
   * Refreshed/rebased all patches.
   * Added python{3,}-defusedxml as (build-)depends.
   * Add python{3,}-future as (build-)depends.




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 18 Sep 2018 07:26:35 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:15:10 2019; Machine Name: buxtehude
