simplesamlphp: CVE-2017-18121 CVE-2017-18122

Debian Bug report logs - #889286


Reported by: Abhijith PA <abhijith@disroot.org>

Date: Sat, 3 Feb 2018 10:57:03 UTC

Severity: important

Tags: fixed-upstream, security, upstream

Found in version simplesamlphp/1.13.1-1

Fixed in versions simplesamlphp/1.15.0-1, simplesamlphp/1.14.11-1+deb9u1, simplesamlphp/1.13.1-2+deb8u1

Done: Thijs Kinkhorst <thijs@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Thijs Kinkhorst <thijs@debian.org>:
Bug#889286; Package simplesamlphp. (Sat, 03 Feb 2018 10:57:15 GMT) (full text, mbox, link).


Acknowledgement sent to Abhijith PA <abhijith@disroot.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Thijs Kinkhorst <thijs@debian.org>. (Sat, 03 Feb 2018 10:57:16 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Abhijith PA <abhijith@disroot.org>
To: submit@bugs.debian.org
Subject: simplesamlphp: CVE-2017-18121: CVE-2017-18122
Date: Sat, 3 Feb 2018 16:16:24 +0530
Package: simplesamlphp
X-Debbugs-CC: team@security.debian.org
Severity: important
Tags: security

Hi,

the following vulnerabilities were published for simplesamlphp.

CVE-2017-18121[0]:
| The consentAdmin module in SimpleSAMLphp through 1.14.15 is vulnerable
| to a Cross-Site Scripting attack, allowing an attacker to craft links
| that could execute arbitrary JavaScript code on the victim's web
| browser.

CVE-2017-18122[1]:
| A signature-validation bypass issue was discovered in SimpleSAMLphp
| through 1.14.16. A SimpleSAMLphp Service Provider using SAML 1.1 will
| regard as valid any unsigned SAML response containing more than one
| signed assertion, provided that the signature of at least one of the
| assertions is valid. Attributes contained in all the assertions
| received will be merged and the entityID of the first assertion
| received will be used, allowing an attacker to impersonate any user of
| any IdP given an assertion signed by the targeted IdP.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-18121
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18121
[1] https://security-tracker.debian.org/tracker/CVE-2017-18122
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18122

Please adjust the affected versions in the BTS as needed.
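As an added illustration, not code from the original report or from SimpleSAMLphp itself: a simplified Python model of the SAML 1.1 validation behaviour the CVE-2017-18122 text describes, placed beside a hardened check. HMAC-SHA256 over a canonical serialisation stands in for XML signatures, the IdP entityIDs, keys, subjects and attributes are constructed, and the hardened policy (exactly one assertion, issued by the IdP the login was started with, with a verifying signature) is an assumption about what a safe SP should require, not a transcription of the upstream fix.

```python
import hashlib
import hmac
import json

# Constructed signing keys for two IdPs the SP trusts, keyed by entityID.
# In real SAML these are X.509 certificates taken from federation metadata.
TRUSTED_IDPS = {
    "https://idp-a.example.org": b"constructed-key-idp-a",
    "https://idp-b.example.org": b"constructed-key-idp-b",
}


def canonical(assertion):
    """Stable serialisation of the signed part of an assertion (stand-in for XML C14N)."""
    signed_part = {k: assertion[k] for k in ("issuer", "subject", "attributes")}
    return json.dumps(signed_part, sort_keys=True).encode()


def sign_assertion(assertion, key):
    """Return a copy of the assertion carrying an HMAC tag in place of an XML signature."""
    signed = dict(assertion)
    signed["signature"] = hmac.new(key, canonical(assertion), hashlib.sha256).hexdigest()
    return signed


def signature_valid(assertion):
    """True only if the assertion is signed and the tag verifies under the key of
    the IdP it names as issuer (the metadata lookup an SP would do by entityID)."""
    key = TRUSTED_IDPS.get(assertion.get("issuer"))
    sig = assertion.get("signature")
    if key is None or sig is None:
        return False
    expected = hmac.new(key, canonical(assertion), hashlib.sha256).hexdigest()
    return hmac.compare_digest(sig, expected)


def validate_vulnerable(response):
    """Models the pre-fix behaviour the CVE text describes: an unsigned response
    is accepted when at least one of its assertions verifies, issuer and subject
    are taken from the FIRST assertion, and the attributes of ALL assertions are
    merged. Returns the resulting identity, or None if nothing verified."""
    assertions = response["assertions"]
    if not any(signature_valid(a) for a in assertions):
        return None
    merged = {}
    for a in assertions:
        merged.update(a.get("attributes", {}))
    first = assertions[0]
    return {"issuer": first["issuer"], "subject": first["subject"], "attributes": merged}


def validate_hardened(response, expected_idp):
    """Assumed hardened policy (not necessarily upstream's exact fix): accept only
    a response with exactly one assertion, issued by the IdP the SP started the
    login with, whose signature verifies. Every other shape is rejected."""
    assertions = response["assertions"]
    if len(assertions) != 1:
        return None
    a = assertions[0]
    if a.get("issuer") != expected_idp or not signature_valid(a):
        return None
    return {"issuer": a["issuer"], "subject": a["subject"], "attributes": dict(a["attributes"])}


def build_sample_response():
    """Constructed input: a genuinely signed assertion from IdP A for 'alice',
    preceded by an unsigned assertion naming a different issuer and subject."""
    signed = sign_assertion(
        {"issuer": "https://idp-a.example.org", "subject": "alice",
         "attributes": {"mail": "alice@example.org"}},
        TRUSTED_IDPS["https://idp-a.example.org"],
    )
    unsigned = {"issuer": "https://idp-b.example.org", "subject": "admin",
                "attributes": {"role": "administrator"}}
    return {"signed": False, "assertions": [unsigned, signed]}


def compare():
    """Run both validators over the sample: the vulnerable one yields a merged
    identity taken from the unsigned first assertion, the hardened one rejects."""
    response = build_sample_response()
    return validate_vulnerable(response), validate_hardened(response, "https://idp-a.example.org")


if __name__ == "__main__":
    vulnerable, hardened = compare()
    print("vulnerable validator accepted:", vulnerable)
    print("hardened validator accepted:", hardened)
```

The point the model makes is the one in the CVE text: "some assertion verifies" is not the same as "the identity I am about to trust was asserted by the IdP I expect", and attribute merging lets unsigned data ride along with a valid signature. The hardened check ties issuer, signature and the single accepted assertion together, so a response with an extra unsigned assertion, a tampered signed assertion, or an assertion from a different IdP than the one the login was started with is rejected.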



Changed Bug title to 'simplesamlphp: CVE-2017-18121 CVE-2017-18122' from 'simplesamlphp: CVE-2017-18121: CVE-2017-18122'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 03 Feb 2018 13:51:09 GMT) (full text, mbox, link).


Marked as found in versions simplesamlphp/1.13.1-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 03 Feb 2018 13:51:10 GMT) (full text, mbox, link).


Added tag(s) upstream and fixed-upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 03 Feb 2018 13:51:10 GMT) (full text, mbox, link).


Marked as fixed in versions simplesamlphp/1.15.0-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 03 Feb 2018 13:51:11 GMT) (full text, mbox, link).


Marked Bug as done. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 03 Feb 2018 13:51:12 GMT) (full text, mbox, link).


Notification sent to Abhijith PA <abhijith@disroot.org>:
Bug acknowledged by developer. (Sat, 03 Feb 2018 13:51:13 GMT) (full text, mbox, link).


Message sent on to Abhijith PA <abhijith@disroot.org>:
Bug#889286. (Sat, 03 Feb 2018 13:51:20 GMT) (full text, mbox, link).


Message #20 received at 889286-submitter@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: control@bugs.debian.org
Cc: 889286-submitter@bugs.debian.org
Subject: retitle 889286 to simplesamlphp: CVE-2017-18121 CVE-2017-18122, found 889286 in 1.13.1-1 ...
Date: Sat, 03 Feb 2018 14:45:33 +0100
# slightly retitle so that only one : between source package name and CVE list
retitle 889286 simplesamlphp: CVE-2017-18121 CVE-2017-18122
# found in earlier versions
found 889286 1.13.1-1
# and fixed upstream with ...
tags 889286 + upstream fixed-upstream
# v1.14.16 and v1.14.17 and included in 1.15.0-1
close 889286 1.15.0-1
thanks




Reply sent to Thijs Kinkhorst <thijs@debian.org>:
You have taken responsibility. (Fri, 02 Mar 2018 22:51:38 GMT) (full text, mbox, link).


Notification sent to Abhijith PA <abhijith@disroot.org>:
Bug acknowledged by developer. (Fri, 02 Mar 2018 22:51:38 GMT) (full text, mbox, link).


Message #25 received at 889286-close@bugs.debian.org (full text, mbox, reply):

From: Thijs Kinkhorst <thijs@debian.org>
To: 889286-close@bugs.debian.org
Subject: Bug#889286: fixed in simplesamlphp 1.14.11-1+deb9u1
Date: Fri, 02 Mar 2018 22:47:19 +0000
Source: simplesamlphp
Source-Version: 1.14.11-1+deb9u1

We believe that the bug you reported is fixed in the latest version of
simplesamlphp, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 889286@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thijs Kinkhorst <thijs@debian.org> (supplier of updated simplesamlphp package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 01 Mar 2018 20:16:49 +0100
Source: simplesamlphp
Binary: simplesamlphp
Architecture: source all
Version: 1.14.11-1+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Thijs Kinkhorst <thijs@debian.org>
Changed-By: Thijs Kinkhorst <thijs@debian.org>
Description:
 simplesamlphp - Authentication and federation application supporting several prot
Closes: 889286
Changes:
 simplesamlphp (1.14.11-1+deb9u1) stretch-security; urgency=high
 .
   * Update by the security team for stretch.
     CVE-2017-12867 CVE-2017-12869
     CVE-2017-12874 CVE-2017-18121 CVE-2017-18122
     CVE-2018-6519 CVE-2018-6521 SSPSA-201802-01
     (closes: #889286).
Checksums-Sha1:
 3543cf43528ed102ddaa806ffceffb1f3887cae4 1583 simplesamlphp_1.14.11-1+deb9u1.dsc
 38839fda2266784282fb25249004df190be948ce 2462442 simplesamlphp_1.14.11.orig.tar.gz
 d1f847192a4903a0b298b7bc0dae5ca6b49b7b2a 2310032 simplesamlphp_1.14.11-1+deb9u1.debian.tar.xz
 f4dc5a8a3a2d2306a17add8bca20f02919e38f19 1635186 simplesamlphp_1.14.11-1+deb9u1_all.deb
 87eb77fc7870771a559b83c73bb4483030d5944f 6057 simplesamlphp_1.14.11-1+deb9u1_amd64.buildinfo
Checksums-Sha256:
 6be4d2b2e4d33f9fcd1be74b4b10274506e728133483579c0ff0577a9fc16cac 1583 simplesamlphp_1.14.11-1+deb9u1.dsc
 4899cae8e66967ad9fbf8dd0efe605b3a7c0f7a7c2c7a09e61470d623ca3a878 2462442 simplesamlphp_1.14.11.orig.tar.gz
 7112d71c2e2f77c3c3583b136bedc96f9c543459a7186f29834e39ddea357bf4 2310032 simplesamlphp_1.14.11-1+deb9u1.debian.tar.xz
 50ad882b99255dd857302204b5308e415e0e9a7ca6e664ca0a5679f048ec9f36 1635186 simplesamlphp_1.14.11-1+deb9u1_all.deb
 ea7d20fcebfd9fbb594fc6b36e8b358cd9acdb0603187198a6eb5db0918d7cd4 6057 simplesamlphp_1.14.11-1+deb9u1_amd64.buildinfo
Files:
 5b19aa14972a0e5607bb00224e4f15c0 1583 web extra simplesamlphp_1.14.11-1+deb9u1.dsc
 dde5923967ed0412997bf449898e1c86 2462442 web extra simplesamlphp_1.14.11.orig.tar.gz
 b357025fdb3e6f57db7944196214063d 2310032 web extra simplesamlphp_1.14.11-1+deb9u1.debian.tar.xz
 828dad06bd9503a73aa4eea9abd23d9e 1635186 web extra simplesamlphp_1.14.11-1+deb9u1_all.deb
 190ab21aeac8f5aba7977a324d37024c 6057 web extra simplesamlphp_1.14.11-1+deb9u1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQEuBAEBCAAYBQJamFY6ERx0aGlqc0BkZWJpYW4ub3JnAAoJEFb2GnlAHawEdvQI
AI2v8Lq/i+3ioz7vpXpekvG8vocCmGMjxbatJccp5TbzlPtSrg8C6nEMhed/TQck
LKkclwwOEZZjicOwzrC2F5u/g64uTa73E9eUO7gv4ylgz+HoDiOncRvxLGm6QxPV
uiIDHwUQyQ6E/BPF+LcNQXjEpC3d3PtlmU6nS78pPUD0IeOUofhKajQs4wrtpjV+
tMdj53fHOBcBIzoC6z8tGTxx1Y4YaTAWS45X3rPHWu9lQcoQp9nhRJUbnCGvEQHl
+f/l8e8LZZ3GAejBEDkb321B4lhNIztx2LX4uooSR9+ZpesopBlYwmPr7/9hvQJ8
5XNRp2fMpvEcW/bp82tpra8=
=qT73
-----END PGP SIGNATURE-----




Reply sent to Thijs Kinkhorst <thijs@debian.org>:
You have taken responsibility. (Sat, 10 Mar 2018 23:21:24 GMT) (full text, mbox, link).


Notification sent to Abhijith PA <abhijith@disroot.org>:
Bug acknowledged by developer. (Sat, 10 Mar 2018 23:21:24 GMT) (full text, mbox, link).


Message #30 received at 889286-close@bugs.debian.org (full text, mbox, reply):

From: Thijs Kinkhorst <thijs@debian.org>
To: 889286-close@bugs.debian.org
Subject: Bug#889286: fixed in simplesamlphp 1.13.1-2+deb8u1
Date: Sat, 10 Mar 2018 23:18:27 +0000
Source: simplesamlphp
Source-Version: 1.13.1-2+deb8u1

We believe that the bug you reported is fixed in the latest version of
simplesamlphp, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 889286@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thijs Kinkhorst <thijs@debian.org> (supplier of updated simplesamlphp package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 01 Mar 2018 15:55:01 +0100
Source: simplesamlphp
Binary: simplesamlphp
Architecture: source all
Version: 1.13.1-2+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Thijs Kinkhorst <thijs@debian.org>
Changed-By: Thijs Kinkhorst <thijs@debian.org>
Description:
 simplesamlphp - Authentication and federation application supporting several prot
Closes: 889286
Changes:
 simplesamlphp (1.13.1-2+deb8u1) jessie-security; urgency=high
 .
   * Update by the security team for jessie.
     CVE-2017-12867 CVE-2017-12869 CVE-2017-12873
     CVE-2017-12874 CVE-2017-18121 CVE-2017-18122
     CVE-2018-6519 CVE-2018-6521 SSPSA-201802-01
     (closes: #889286).
Checksums-Sha1:
 961ac007d548f7e626bc63db99a6d7dc1ba12eb4 1595 simplesamlphp_1.13.1-2+deb8u1.dsc
 23d83ed52be2d3ed94ddb31a711df465d42baa71 2303426 simplesamlphp_1.13.1.orig.tar.gz
 e046f890e95e170ebfc7a5281caf868f2c620498 10676 simplesamlphp_1.13.1-2+deb8u1.debian.tar.xz
 e3f350a6dbad75581a62513f1fb97fc8c0768ab1 1560998 simplesamlphp_1.13.1-2+deb8u1_all.deb
Checksums-Sha256:
 e825d4ec237e734057c9a5333f7eb5c5cae975f1210548ec8d0af6146470631a 1595 simplesamlphp_1.13.1-2+deb8u1.dsc
 f8c22ada724b4628257f7415a397f9b0bb2ffd5d036380c5bff6830a33bb613f 2303426 simplesamlphp_1.13.1.orig.tar.gz
 15c203180a69b922fdf15b091d8016f3c163b3d14d5c9a2e53620f39861f57a1 10676 simplesamlphp_1.13.1-2+deb8u1.debian.tar.xz
 cb19a54faba08be248def8ef3d28fcc9b09f29ecb89fb1aef373c464b7b6744e 1560998 simplesamlphp_1.13.1-2+deb8u1_all.deb
Files:
 52629dac7ae5ecb6c0534154d7e19d3d 1595 web extra simplesamlphp_1.13.1-2+deb8u1.dsc
 ceda3ee3b084d3bef3d25a99de9a8e80 2303426 web extra simplesamlphp_1.13.1.orig.tar.gz
 c22d3b3bba59f2ea92b88115986d10ab 10676 web extra simplesamlphp_1.13.1-2+deb8u1.debian.tar.xz
 1ee42833313099cd322dc7ac97949507 1560998 web extra simplesamlphp_1.13.1-2+deb8u1_all.deb

-----BEGIN PGP SIGNATURE-----

iQEuBAEBCAAYBQJamE72ERx0aGlqc0BkZWJpYW4ub3JnAAoJEFb2GnlAHawEIm0I
AKwO60yVJnLlKX+PG7FgrMYw286brUmMUHP6MqKg0vXYtPc4CD5dfOtZXrOpb2Xo
lz9sScHxJDPMR2TvXm/qY1neYRk1v2geA+yYTqklQDD05jFb6WLe5oOtr/pwFON0
d5SSHeQedo0gFjkEhxRCtTOKysLXqxP/vsnTSSpAr7DrKF1WNdQYIbcCRSVAUPhd
egF1kADkblHKaG/lDuvG3AJZHYgKU2py0RpS3zuqevnPa7oyCyZHS3SrW0A3DtgY
3M9KmkZ/RcNm7qdj6sR/fgX5gXYbnOsOQ8AUuk+Hus1/ODqwf92gTlrf9l19u8Cq
uXKs+UB6FRrCNmZPvh6D0uc=
=lejY
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 08 Apr 2018 07:36:40 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:12:41 2019; Machine Name: buxtehude
