libopensaml2-java: CVE-2015-1796


Debian Bug report logs - #780383
libopensaml2-java: CVE-2015-1796


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 13 Mar 2015 07:30:01 UTC

Severity: grave

Tags: fixed-upstream, security, upstream

Found in version libopensaml2-java/2.6.2-1

Fixed in version 2.6.2-1+rm

Done: Debian FTP Masters <ftpmaster@ftp-master.debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#780383; Package src:libopensaml2-java. (Fri, 13 Mar 2015 07:30:06 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Fri, 13 Mar 2015 07:30:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libopensaml2-java: CVE-2015-1796
Date: Fri, 13 Mar 2015 08:23:16 +0100
Source: libopensaml2-java
Version: 2.6.2-1
Severity: grave
Tags: security upstream fixed-upstream

Hi,

the following vulnerability was published for libopensaml2-java. Note
that I don't know libopensaml2-java well enough, so could you assess
if this affects Debian as well, and if the severity is appropriate (if
not please feel free to downgrade it). Information follows:

CVE-2015-1796[0]:
PKIX Trust Engines Exhibit Critical Flaw In Trusted Names Evaluation

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2015-1796
[1] http://shibboleth.net/community/advisories/secadv_20150225.txt

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#780383; Package src:libopensaml2-java. (Fri, 13 Mar 2015 09:45:11 GMT)


Acknowledgement sent to Emmanuel Bourg <ebourg@apache.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Fri, 13 Mar 2015 09:45:11 GMT)


Message #10 received at 780383@bugs.debian.org:

From: Emmanuel Bourg <ebourg@apache.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 780383@bugs.debian.org
Subject: Re: Bug#780383: libopensaml2-java: CVE-2015-1796
Date: Fri, 13 Mar 2015 10:42:41 +0100
Hi Salvatore,

Thank you for the report. Looking at the commit r1680 mentioned on the
security tracker I fail to see how it addresses the vulnerability
described. I suspect this is actually a vulnerability in a dependency
shared by opensaml and idp (maybe xmltooling which contains the
PKIXValidationInformationResolver class, or shib-common with a recent
commit referring to the same SIDP-624 issue [1]).

Emmanuel Bourg

[1]
http://svn.shibboleth.net/view/java-shib-common?view=revision&revision=1125




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#780383; Package src:libopensaml2-java. (Fri, 13 Mar 2015 15:33:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Fri, 13 Mar 2015 15:33:04 GMT)


Message #15 received at 780383@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Emmanuel Bourg <ebourg@apache.org>
Cc: 780383@bugs.debian.org
Subject: Re: Bug#780383: libopensaml2-java: CVE-2015-1796
Date: Fri, 13 Mar 2015 16:31:02 +0100
Hi Emmanuel,

Thanks for the quick feedback.

On Fri, Mar 13, 2015 at 10:42:41AM +0100, Emmanuel Bourg wrote:
> Hi Salvatore,
> 
> Thank you for the report. Looking at the commit r1680 mentioned on the
> security tracker I fail to see how it addresses the vulnerability
> described. I suspect this is actually a vulnerability in a dependency
> shared by opensaml and idp (maybe xmltooling which contains the
> PKIXValidationInformationResolver class, or shib-common with a recent
> commit referring to the same SIDP-624 issue [1]).

Note the commit reference was added by me, while searching to isolate
where the problem lies, i.e. searching for relevant commits between tag
2.6.4 and 2.6.5. I don't understand though libopensaml2-java well
enough. Upstream advisory just says:

Affected Versions
=================

Versions of OpenSAML Java < 2.6.5
[...]
OpenSAML users: Upgrade to OpenSAML Java 2.6.5 or greater, if PKIX
trust engines are in use. PKIX trust engine implementations in this
version will fail a candidate credential if no trusted names are
resolved for the relevant entityID; the existing PKIX resolver
implementations now also automatically treat the target entityID as an
implicit trusted name. If this is not feasible, ensure that ALL entity
data resolved via instances of PKIXValidationInformationResolver have
at least 1 trusted name which is resolvable. For resolvers based on
SAML metadata, see IdP recommendations below.
[...]

https://bugzilla.redhat.com/show_bug.cgi?id=1196619

and

https://bugzilla.novell.com/show_bug.cgi?id=922199

both don't give much more information.

Regards,
Salvatore


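The trusted-name step the advisory describes, as an added illustration that is not OpenSAML's code: a constructed model in which the pre-fix engine treats an empty set of resolved trusted names as "no name check" (an assumption about the old behaviour, inferred from what the fix changes), while the fixed resolver adds the target entityID as an implicit trusted name and the fixed engine fails closed when no names are resolved. The entityIDs, certificate names and metadata table are constructed; PKIX chain validation itself is out of scope here.

```python
"""Model of PKIX trust-engine trusted-name evaluation (constructed, not OpenSAML)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Credential:
    entity_id: str          # SAML entityID the credential claims to represent
    cert_names: frozenset   # subject CN / subjectAltName values taken from the certificate


# Constructed metadata: trusted names a metadata-based resolver would return per entityID.
# The second entity has no names configured, which is the situation the advisory warns about.
METADATA_TRUSTED_NAMES = {
    "https://idp.example.org/idp": {"idp.example.org"},
    "https://sp.example.net/sp": set(),
}


def resolve_trusted_names_old(entity_id):
    """Resolver as modelled before the fix: only names present in metadata."""
    return set(METADATA_TRUSTED_NAMES.get(entity_id, set()))


def resolve_trusted_names_fixed(entity_id):
    """Fixed resolver: the target entityID is always an implicit trusted name."""
    return resolve_trusted_names_old(entity_id) | {entity_id}


def name_check_old(cred, trusted_names):
    """Assumed pre-fix behaviour: no resolved names means the check is skipped (fail open)."""
    if not trusted_names:
        return True
    return bool(cred.cert_names & trusted_names)


def name_check_fixed(cred, trusted_names):
    """2.6.5 behaviour per the advisory: no resolved names means the credential fails (fail closed)."""
    if not trusted_names:
        return False
    return bool(cred.cert_names & trusted_names)


def evaluate(cred, resolver, checker):
    """Run the trusted-name step for one candidate credential with the given resolver/engine pair."""
    return checker(cred, resolver(cred.entity_id))


if __name__ == "__main__":
    # A certificate whose names have nothing to do with the entity it is presented for.
    unrelated = Credential("https://sp.example.net/sp", frozenset({"unrelated.example.com"}))
    print(evaluate(unrelated, resolve_trusted_names_old, name_check_old))      # True: accepted
    print(evaluate(unrelated, resolve_trusted_names_fixed, name_check_fixed))  # False: rejected
```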

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#780383; Package src:libopensaml2-java. (Fri, 10 Apr 2015 05:48:10 GMT)


Acknowledgement sent to tony mancill <tmancill@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Fri, 10 Apr 2015 05:48:10 GMT)


Message #20 received at 780383@bugs.debian.org:

From: tony mancill <tmancill@debian.org>
To: 780383@bugs.debian.org
Subject: Re: Bug#780383: libopensaml2-java: CVE-2015-1796
Date: Thu, 09 Apr 2015 22:44:20 -0700
On Fri, 13 Mar 2015 16:31:02 +0100 Salvatore Bonaccorso
<carnil@debian.org> wrote:
> Hi Emmanuel,
> 
> Thanks for the quick feedback.
> 
> On Fri, Mar 13, 2015 at 10:42:41AM +0100, Emmanuel Bourg wrote:
> > Hi Salvatore,
> > 
> > Thank you for the report. Looking at the commit r1680 mentioned on the
> > security tracker I fail to see how it addresses the vulnerability
> > described. I suspect this is actually a vulnerability in a dependency
> > shared by opensaml and idp (maybe xmltooling which contains the
> > PKIXValidationInformationResolver class, or shib-common with a recent
> > commit referring to the same SIDP-624 issue [1]).
> 
> Note the commit reference was added by me, while searching to isolate
> where the problem lies, i.e. searching for relevant commits between tag
> 2.6.4 and 2.6.5. I don't understand though libopensaml2-java well
> enough. Upstream advisory just says:
> 
> Affected Versions
> =================
> 
> Versions of OpenSAML Java < 2.6.5
> [...]
> OpenSAML users: Upgrade to OpenSAML Java 2.6.5 or greater, if PKIX
> trust engines are in use. PKIX trust engine implementations in this
> version will fail a candidate credential if no trusted names are
> resolved for the relevant entityID; the existing PKIX resolver
> implementations now also automatically treat the target entityID as an
> implicit trusted name. If this is not feasible, ensure that ALL entity
> data resolved via instances of PKIXValidationInformationResolver have
> at least 1 trusted name which is resolvable. For resolvers based on
> SAML metadata, see IdP recommendations below.
> [...]
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=1196619
> 
> and
> 
> https://bugzilla.novell.com/show_bug.cgi?id=922199
> 
> both don't give much more information.

I agree with Emmanuel in that I don't see how the change in 2.6.5
addresses the reported vulnerability.

But I also don't understand the code well enough to say for sure what we
should cherry-pick, but ignoring the timer change in 2.6.5, the only
really substantive change I see between 2.6.2 and 2.6.5 came in 2.6.3:

> http://svn.shibboleth.net/view/java-opensaml2?view=revision&revision=1670

Perhaps the following verbiage is related to the CVE, and the suggestion
to upgrade to > 2.6.4 isn't as constrained or precise as it could be?

> https://wiki.shibboleth.net/confluence/display/SHIB2/PKIXTrustEngine#PKIXTrustEngine-KnownIssues

In any event, the changes between 2.6.2 and 2.6.5 don't seem that
extensive.  Should we prepare a 2.6.5 package and ask the Security and
Release teams for guidance?

Cheers,
tony



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#780383; Package src:libopensaml2-java. (Thu, 07 May 2015 05:57:05 GMT)


Acknowledgement sent to tony mancill <tmancill@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Thu, 07 May 2015 05:57:05 GMT)


Message #25 received at 780383@bugs.debian.org:

From: tony mancill <tmancill@debian.org>
To: 780383@bugs.debian.org
Subject: Re: Bug#780383: libopensaml2-java: CVE-2015-1796
Date: Wed, 06 May 2015 22:54:18 -0700
An update on this...  I'm in the midst of packaging 2.6.5, but it in
turn requires an update to libxmltooling-java to version 1.4.4, which I
am working on now.

Cheers,
tony


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#780383; Package src:libopensaml2-java. (Sat, 09 May 2015 15:39:05 GMT)


Acknowledgement sent to 780383@bugs.debian.org:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Sat, 09 May 2015 15:39:05 GMT)


Message #30 received at 780383@bugs.debian.org:

From: tony mancill <tmancill@debian.org>
To: 780383@bugs.debian.org
Subject: Re: Bug#780383: libopensaml2-java: CVE-2015-1796
Date: Sat, 09 May 2015 08:35:13 -0700
On 05/06/2015 10:54 PM, tony mancill wrote:
> An update on this...  I'm in the midst of packaging 2.6.5, but it in
> turn requires an update to libxmltooling-java to version 1.4.4, which I
> am working on now.

In an email exchange with Scott Cantor, who works on this family of
libraries upstream, he stated that the v2 libraries will be EOL this
summer, and that he would advise not to ship them in a release unless
Debian will maintain them.

Based upon that information, the low popcon, and the fact that this
cluster of packages appear to be leaf packages (I can't find r-deps for
them):

 libopenws-java
 libshib-common-java
 libopensaml2-java
 libshib-parent-project2-java

I'm not going to take action to prevent the automated removal from
testing and am considering requesting that the packages be removed from
the archive.  If people are using these libraries and can make a case
for them being available in Debian, please speak up.

Cheers,
tony


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#780383; Package src:libopensaml2-java. (Mon, 29 Jun 2015 08:36:06 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Mon, 29 Jun 2015 08:36:06 GMT)


Message #35 received at 780383@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: 780383@bugs.debian.org
Subject: Re: Bug#780383: libopensaml2-java: CVE-2015-1796
Date: Mon, 29 Jun 2015 10:25:33 +0200
On Sat, May 09, 2015 at 08:35:13AM -0700, tony mancill wrote:
> On 05/06/2015 10:54 PM, tony mancill wrote:
> > An update on this...  I'm in the midst of packaging 2.6.5, but it in
> > turn requires an update to libxmltooling-java to version 1.4.4, which I
> > am working on now.
> 
> In an email exchange with Scott Cantor, who works on this family of
> libraries upstream, he stated that the v2 libraries will be EOL this
> summer, and that he would advise not to ship them in a release unless
> Debian will maintain them.
> 
> Based upon that information, the low popcon, and the fact that this
> cluster of packages appear to be leaf packages (I can't find r-deps for
> them):
> 
>  libopenws-java
>  libshib-common-java
>  libopensaml2-java
>  libshib-parent-project2-java
> 
> I'm not going to take action to prevent the automated removal from
> testing and am considering requesting that the packages be removed from
> the archive.  If people are using these libraries and can make a case
> for them being available in Debian, please speak up.

Since no one objected and since they're already dropped from testing
for three weeks now, I'll also request removal from unstable now.

Cheers,
        Moritz



Reply sent to Debian FTP Masters <ftpmaster@ftp-master.debian.org>:
You have taken responsibility. (Sun, 05 Jul 2015 17:09:43 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 05 Jul 2015 17:09:43 GMT)


Message #40 received at 780383-done@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 780383-done@bugs.debian.org
Cc: libopensaml2-java@packages.debian.org, libopensaml2-java@packages.qa.debian.org
Subject: Bug#791495: Removed package(s) from unstable
Date: Sun, 05 Jul 2015 17:08:30 +0000
Version: 2.6.2-1+rm

Dear submitter,

as the package libopensaml2-java has just been removed from the Debian archive
unstable we hereby close the associated bug reports.  We are sorry
that we couldn't deal with your issue properly.

For details on the removal, please see https://bugs.debian.org/791495

The version of this package that was in Debian prior to this removal
can still be found using http://snapshot.debian.org/.

This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
ftpmaster@ftp-master.debian.org.

Debian distribution maintenance software
pp.
Luca Falavigna (the ftpmaster behind the curtain)



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 05 Dec 2016 11:12:24 GMT)


Bug unarchived. Request was from Don Armstrong <don@debian.org> to control@bugs.debian.org. (Wed, 07 Dec 2016 01:40:00 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 18 Jun 2017 07:38:04 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:44:15 2019; Machine Name: buxtehude
