Debian Bug report logs -
#987608
shibboleth-sp: CVE-2021-31826: Session recovery feature contains a null pointer deference
Report forwarded
to debian-bugs-dist@lists.debian.org, Debian Shib Team <pkg-shibboleth-devel@alioth-lists.debian.net>
:
Bug#987608
; Package src:shibboleth-sp
.
(Mon, 26 Apr 2021 13:21:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Ferenc Wágner <wferi@debian.org>
:
New Bug report received and forwarded. Copy sent to Debian Shib Team <pkg-shibboleth-devel@alioth-lists.debian.net>
.
(Mon, 26 Apr 2021 13:21:04 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: shibboleth-sp
Version: 3.0.2+dfsg1-1
Severity: important
Tags: upstream patch security
Forwarded: https://issues.shibboleth.net/jira/browse/SSPCPP-927
Shibboleth Service Provider Security Advisory [26 April 2021]

An updated version of the Service Provider software is now
available which corrects a denial of service vulnerability.

Session recovery feature contains a null pointer deference
======================================================================
The cookie-based session recovery feature added in V3.0 contains a
flaw that is exploitable on systems *not* using the feature if a
specially crafted cookie is supplied.

This manifests as a crash in the shibd daemon/service process.

Because it is very simple to trigger this condition remotely, it
results in a potential denial of service condition exploitable by
a remote, unauthenticated attacker.

Versions without this feature (prior to V3.0) are not vulnerable
to this particular issue.

Recommendations
===============
Update to V3.2.2 or later of the Service Provider software, which
is now available.

In cases where this is not immediately possible, configuring a
DataSealer component in shibboleth4.xml (even if used for nothing)
will work around the vulnerability.

For example:

<DataSealer type="Static" key="4Sn0Wi6BXqQLCg+GQqY6bg==" />

This workaround is only possible after having updated the
core configuration to the V3 XML namespace.

Other Notes
===========
The cpp-sp git commit containing the fix for this issue is
5a47c3b9378f4c49392dd4d15189b70956f9f2ec

URL for this Security Advisory:
https://shibboleth.net/community/advisories/secadv_20210426.txt
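
A check for the workaround described in the advisory above, as an added example that is not part of the bug log or of the Shibboleth project's code: it parses the text of an SP configuration file and reports whether the root element is in the V3 namespace and whether a DataSealer is configured. The namespace URI, the function name and the sample documents are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Assumption: URI of the V3 SP configuration namespace (not quoted in the advisory).
SP3_NS = "urn:mace:shibboleth:3.0:native:sp:config"
# Key printed in the advisory's example line; it is public, so reuse is reported.
ADVISORY_SAMPLE_KEY = "4Sn0Wi6BXqQLCg+GQqY6bg=="


def check_workaround(xml_text):
    """Return a list of findings; an empty list means nothing to act on."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"config is not well-formed XML: {exc}"]
    # ElementTree renders qualified names as "{namespace}localname".
    if not root.tag.startswith("{" + SP3_NS + "}"):
        # The advisory says the workaround needs the V3 namespace.
        return ["root element is not in the V3 namespace; workaround unavailable"]
    findings = []
    sealers = root.findall(f".//{{{SP3_NS}}}DataSealer")
    if not sealers:
        findings.append("no DataSealer element configured")
    for sealer in sealers:
        if sealer.get("key") == ADVISORY_SAMPLE_KEY:
            findings.append("DataSealer uses the key published in the advisory")
    return findings


# Constructed sample documents (not taken from any real deployment).
V3_NO_SEALER = (
    '<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config">'
    '<ApplicationDefaults entityID="https://sp.example.org/shibboleth"/>'
    "</SPConfig>"
)
# Constructed placeholder key: base64 of the 16 bytes 0x00..0x0f.
V3_WITH_SEALER = V3_NO_SEALER.replace(
    "</SPConfig>",
    '<DataSealer type="Static" key="AAECAwQFBgcICQoLDA0ODw=="/></SPConfig>',
)
V3_ADVISORY_KEY = V3_WITH_SEALER.replace(
    "AAECAwQFBgcICQoLDA0ODw==", ADVISORY_SAMPLE_KEY
)
V2_CONFIG = '<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"/>'

if __name__ == "__main__":
    for name in ("V3_NO_SEALER", "V3_WITH_SEALER", "V3_ADVISORY_KEY", "V2_CONFIG"):
        print(name, check_workaround(globals()[name]))
```
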
Marked as found in versions shibboleth-sp/3.0.4+dfsg1-1+deb10u1.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org
.
(Mon, 26 Apr 2021 15:21:23 GMT) (full text, mbox, link).
Marked as found in versions shibboleth-sp/3.0.4+dfsg1-1.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org
.
(Mon, 26 Apr 2021 15:21:23 GMT) (full text, mbox, link).
Marked as found in versions shibboleth-sp/3.2.1+dfsg1-1.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org
.
(Mon, 26 Apr 2021 15:21:24 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Shib Team <pkg-shibboleth-devel@alioth-lists.debian.net>
:
Bug#987608
; Package src:shibboleth-sp
.
(Mon, 26 Apr 2021 19:21:06 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>
:
Extra info received and forwarded to list. Copy sent to Debian Shib Team <pkg-shibboleth-devel@alioth-lists.debian.net>
.
(Mon, 26 Apr 2021 19:21:06 GMT) (full text, mbox, link).
Message #16 received at 987608@bugs.debian.org (full text, mbox, reply):
Hi Ferenc,
On Mon, Apr 26, 2021 at 03:16:14PM +0200, Ferenc Wágner wrote:
> Source: shibboleth-sp
> Version: 3.0.2+dfsg1-1
> Severity: important
> Tags: upstream patch security
> Forwarded: https://issues.shibboleth.net/jira/browse/SSPCPP-927
>
> Shibboleth Service Provider Security Advisory [26 April 2021]
>
> An updated version of the Service Provider software is now
> available which corrects a denial of service vulnerability.
>
> Session recovery feature contains a null pointer deference
> ======================================================================
> The cookie-based session recovery feature added in V3.0 contains a
> flaw that is exploitable on systems *not* using the feature if a
> specially crafted cookie is supplied.
>
> This manifests as a crash in the shibd daemon/service process.
>
> Because it is very simple to trigger this condition remotely, it
> results in a potential denial of service condition exploitable by
> a remote, unauthenticated attacker.
>
> Versions without this feature (prior to V3.0) are not vulnerable
> to this particular issue.
>
> Recommendations
> ===============
> Update to V3.2.2 or later of the Service Provider software, which
> is now available.
>
> In cases where this is not immediately possible, configuring a
> DataSealer component in shibboleth4.xml (even if used for nothing)
> will work around the vulnerability.
>
> For example:
>
> <DataSealer type="Static" key="4Sn0Wi6BXqQLCg+GQqY6bg==" />
>
> This workaround is only possible after having updated the
> core configuration to the V3 XML namespace.
>
> Other Notes
> ===========
> The cpp-sp git commit containing the fix for this issue is
> 5a47c3b9378f4c49392dd4d15189b70956f9f2ec
>
>
> URL for this Security Advisory:
> https://shibboleth.net/community/advisories/secadv_20210426.txt
Raising the severity to RC as I think this should go into bullseye and
the fix is targeted possible. Let me know, though, if you disagree on
this.
Regards,
Salvatore
Severity set to 'grave' from 'important'
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org
.
(Mon, 26 Apr 2021 19:21:08 GMT) (full text, mbox, link).
Added tag(s) fixed-upstream.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org
.
(Mon, 26 Apr 2021 19:21:09 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Shib Team <pkg-shibboleth-devel@alioth-lists.debian.net>
:
Bug#987608
; Package src:shibboleth-sp
.
(Tue, 27 Apr 2021 05:15:02 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>
:
Extra info received and forwarded to list. Copy sent to Debian Shib Team <pkg-shibboleth-devel@alioth-lists.debian.net>
.
(Tue, 27 Apr 2021 05:15:02 GMT) (full text, mbox, link).
Message #25 received at 987608@bugs.debian.org (full text, mbox, reply):
Control: retitle -1 shibboleth-sp: CVE-2021-31826: Session recovery feature contains a null pointer deference
Hi,
On Mon, Apr 26, 2021 at 03:16:14PM +0200, Ferenc Wágner wrote:
> Source: shibboleth-sp
> Version: 3.0.2+dfsg1-1
> Severity: important
> Tags: upstream patch security
> Forwarded: https://issues.shibboleth.net/jira/browse/SSPCPP-927
>
> Shibboleth Service Provider Security Advisory [26 April 2021]
>
> An updated version of the Service Provider software is now
> available which corrects a denial of service vulnerability.
>
> Session recovery feature contains a null pointer deference
> ======================================================================
> The cookie-based session recovery feature added in V3.0 contains a
> flaw that is exploitable on systems *not* using the feature if a
> specially crafted cookie is supplied.
>
> This manifests as a crash in the shibd daemon/service process.
>
> Because it is very simple to trigger this condition remotely, it
> results in a potential denial of service condition exploitable by
> a remote, unauthenticated attacker.
>
> Versions without this feature (prior to V3.0) are not vulnerable
> to this particular issue.
>
> Recommendations
> ===============
> Update to V3.2.2 or later of the Service Provider software, which
> is now available.
>
> In cases where this is not immediately possible, configuring a
> DataSealer component in shibboleth4.xml (even if used for nothing)
> will work around the vulnerability.
>
> For example:
>
> <DataSealer type="Static" key="4Sn0Wi6BXqQLCg+GQqY6bg==" />
>
> This workaround is only possible after having updated the
> core configuration to the V3 XML namespace.
>
> Other Notes
> ===========
> The cpp-sp git commit containing the fix for this issue is
> 5a47c3b9378f4c49392dd4d15189b70956f9f2ec
MITRE has assigned CVE-2021-31826 for this issue.
Regards,
Salvatore
Changed Bug title to 'shibboleth-sp: CVE-2021-31826: Session recovery feature contains a null pointer deference' from 'shibboleth-sp: Session recovery feature contains a null pointer deference'.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to 987608-submit@bugs.debian.org
.
(Tue, 27 Apr 2021 05:15:02 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Shib Team <pkg-shibboleth-devel@alioth-lists.debian.net>
:
Bug#987608
; Package src:shibboleth-sp
.
(Tue, 27 Apr 2021 06:21:03 GMT) (full text, mbox, link).
Acknowledgement sent
to wferi@debian.org
:
Extra info received and forwarded to list. Copy sent to Debian Shib Team <pkg-shibboleth-devel@alioth-lists.debian.net>
.
(Tue, 27 Apr 2021 06:21:03 GMT) (full text, mbox, link).
Message #32 received at 987608@bugs.debian.org (full text, mbox, reply):
Salvatore Bonaccorso <carnil@debian.org> writes:
> MITRE has assigned CVE-2021-31826 for this issue.
Thanks. I guess you don't want a new security upload for this, but I'll
certainly include it in the changelog of the unstable upload. (And in
the changelog of the next security upload, whenever that happens.)
--
Feri
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Shib Team <pkg-shibboleth-devel@alioth-lists.debian.net>
:
Bug#987608
; Package src:shibboleth-sp
.
(Tue, 27 Apr 2021 06:48:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>
:
Extra info received and forwarded to list. Copy sent to Debian Shib Team <pkg-shibboleth-devel@alioth-lists.debian.net>
.
(Tue, 27 Apr 2021 06:48:03 GMT) (full text, mbox, link).
Message #37 received at 987608@bugs.debian.org (full text, mbox, reply):
Hi
On Tue, Apr 27, 2021 at 08:16:52AM +0200, wferi@debian.org wrote:
> Salvatore Bonaccorso <carnil@debian.org> writes:
>
> > MITRE has assigned CVE-2021-31826 for this issue.
>
> Thanks. I guess you don't want a new security upload for this, but I'll
> certainly include it in the changelog of the unstable upload. (And in
> the changelog of the next security upload, whenever that happens.)
Yes exactly, there is no need to reject the package and reupload with
the CVE identifier added, it is all enough how it is so far, we will
just add it to the DSA itself.
So all fine.
Regards,
Salvatore
Last modified:
Tue Apr 27 08:07:46 2021;