Debian Bug report logs - #780383
libopensaml2-java: CVE-2015-1796
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Fri, 13 Mar 2015 07:30:01 UTC
Severity: grave
Tags: fixed-upstream, security, upstream
Found in version libopensaml2-java/2.6.2-1
Fixed in version 2.6.2-1+rm
Done: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>: Bug#780383; Package src:libopensaml2-java. (Fri, 13 Mar 2015 07:30:06 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Fri, 13 Mar 2015 07:30:06 GMT)
Message #5 received at submit@bugs.debian.org:
Source: libopensaml2-java
Version: 2.6.2-1
Severity: grave
Tags: security upstream fixed-upstream
Hi,
the following vulnerability was published for libopensaml2-java. Note
that I don't know libopensaml2-java well enough, so could you assess
if this affects Debian as well, and if the severity is appropriate (if
not please feel free to downgrade it). Information follows:
CVE-2015-1796[0]:
PKIX Trust Engines Exhibit Critical Flaw In Trusted Names Evaluation
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2015-1796
[1] http://shibboleth.net/community/advisories/secadv_20150225.txt
Regards,
Salvatore
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>: Bug#780383; Package src:libopensaml2-java. (Fri, 13 Mar 2015 09:45:11 GMT)
Acknowledgement sent to Emmanuel Bourg <ebourg@apache.org>: Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Fri, 13 Mar 2015 09:45:11 GMT)
Message #10 received at 780383@bugs.debian.org:
Hi Salvatore,
Thank you for the report. Looking at the commit r1680 mentioned on the
security tracker I fail to see how it addresses the vulnerability
described. I suspect this is actually a vulnerability in a dependency
shared by opensaml and idp (maybe xmltooling which contains the
PKIXValidationInformationResolver class, or shib-common with a recent
commit referring to the same SIDP-624 issue [1]).
Emmanuel Bourg
[1] http://svn.shibboleth.net/view/java-shib-common?view=revision&revision=1125
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>: Bug#780383; Package src:libopensaml2-java. (Fri, 13 Mar 2015 15:33:04 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Fri, 13 Mar 2015 15:33:04 GMT)
Message #15 received at 780383@bugs.debian.org:
Hi Emmanuel,
Thanks for the quick feedback.
On Fri, Mar 13, 2015 at 10:42:41AM +0100, Emmanuel Bourg wrote:
> Hi Salvatore,
>
> Thank you for the report. Looking at the commit r1680 mentioned on the
> security tracker I fail to see how it addresses the vulnerability
> described. I suspect this is actually a vulnerability in a dependency
> shared by opensaml and idp (maybe xmltooling which contains the
> PKIXValidationInformationResolver class, or shib-common with a recent
> commit referring to the same SIDP-624 issue [1]).
Note the commit reference was added by me, while searching to isolate
where the problem lies, i.e. searching for relevant commits between tag
2.6.4 and 2.6.5. I don't understand though libopensaml2-java well
enough. Upstream advisory just says:
Affected Versions
=================
Versions of OpenSAML Java < 2.6.5
[...]
OpenSAML users: Upgrade to OpenSAML Java 2.6.5 or greater, if PKIX
trust engines are in use. PKIX trust engine implementations in this
version will fail a candidate credential if no trusted names are
resolved for the relevant entityID; the existing PKIX resolver
implementations now also automatically treat the target entityID as an
implicit trusted name. If this is not feasible, ensure that ALL entity
data resolved via instances of PKIXValidationInformationResolver have
at least 1 trusted name which is resolvable. For resolvers based on
SAML metadata, see IdP recommendations below.
[...]
https://bugzilla.redhat.com/show_bug.cgi?id=1196619
and
https://bugzilla.novell.com/show_bug.cgi?id=922199
both don't give much more information.
Regards,
Salvatore
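The advisory text quoted in the message above describes two changes: resolvers treat the target entityID as an implicit trusted name, and the trust engine fails a credential when no trusted names resolve. The following is an added example, not OpenSAML or Shibboleth code, that models that trusted-name step in isolation; the entityID, metadata map and credential names are constructed, and the pre-2.6.5 behaviour modelled here (an empty trusted-name set constraining nothing) is an assumption inferred from the advisory's description of the fix.

```java
import java.util.*;

// Added example, not OpenSAML/Shibboleth code: a minimal model of the
// trusted-name step a PKIX trust engine applies after chain validation.
public class TrustedNameCheck {

    // Resolver side: trusted names come from a (constructed) per-entityID
    // metadata map; the hardened variant also adds the target entityID as an
    // implicit trusted name, as the advisory describes for 2.6.5.
    static Set<String> resolveTrustedNames(String entityID, Map<String, Set<String>> metadata,
                                           boolean implicitEntityID) {
        Set<String> names = new HashSet<>(metadata.getOrDefault(entityID, Collections.emptySet()));
        if (implicitEntityID) {
            names.add(entityID);
        }
        return names;
    }

    // Engine side: the credential must carry at least one trusted name.
    // failOnEmpty=false is the assumed pre-2.6.5 behaviour (an empty set
    // constrains nothing); failOnEmpty=true is the fail-closed rule from 2.6.5.
    static boolean trustedNamesMatch(Set<String> trustedNames, Collection<String> credentialNames,
                                     boolean failOnEmpty) {
        if (trustedNames.isEmpty()) {
            return !failOnEmpty;
        }
        for (String name : credentialNames) {
            if (trustedNames.contains(name)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        String entityID = "https://sp.example.org/shibboleth";   // constructed
        Map<String, Set<String>> metadata = new HashMap<>();
        metadata.put(entityID, Collections.emptySet());           // metadata lists no names
        List<String> credNames = Arrays.asList("CN=unrelated.example.net");

        Set<String> legacy = resolveTrustedNames(entityID, metadata, false);
        Set<String> fixed = resolveTrustedNames(entityID, metadata, true);
        System.out.println("legacy engine, no trusted names:  " + trustedNamesMatch(legacy, credNames, false));
        System.out.println("hardened engine, unrelated name:  " + trustedNamesMatch(fixed, credNames, true));
        System.out.println("hardened engine, name is entityID: "
            + trustedNamesMatch(fixed, Arrays.asList(entityID), true));
    }
}
```

The second `System.out.println` is the case the fix changes: with nothing resolvable from metadata, the legacy engine has no name to fail on, while the hardened engine only accepts a credential that carries the entityID or another resolved trusted name.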
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>: Bug#780383; Package src:libopensaml2-java. (Fri, 10 Apr 2015 05:48:10 GMT)
Acknowledgement sent to tony mancill <tmancill@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Fri, 10 Apr 2015 05:48:10 GMT)
Message #20 received at 780383@bugs.debian.org:
On Fri, 13 Mar 2015 16:31:02 +0100 Salvatore Bonaccorso
<carnil@debian.org> wrote:
> Hi Emmanuel,
>
> Thanks for the quick feedback.
>
> On Fri, Mar 13, 2015 at 10:42:41AM +0100, Emmanuel Bourg wrote:
> > Hi Salvatore,
> >
> > Thank you for the report. Looking at the commit r1680 mentioned on the
> > security tracker I fail to see how it addresses the vulnerability
> > described. I suspect this is actually a vulnerability in a dependency
> > shared by opensaml and idp (maybe xmltooling which contains the
> > PKIXValidationInformationResolver class, or shib-common with a recent
> > commit referring to the same SIDP-624 issue [1]).
>
> Note the commit reference was added by me, while searching to isolate
> where the problem lies, i.e. searching for relevant commits between tag
> 2.6.4 and 2.6.5. I don't understand though libopensaml2-java well
> enough. Upstream advisory just says:
>
> Affected Versions
> =================
>
> Versions of OpenSAML Java < 2.6.5
> [...]
> OpenSAML users: Upgrade to OpenSAML Java 2.6.5 or greater, if PKIX
> trust engines are in use. PKIX trust engine implementations in this
> version will fail a candidate credential if no trusted names are
> resolved for the relevant entityID; the existing PKIX resolver
> implementations now also automatically treat the target entityID as an
> implicit trusted name. If this is not feasible, ensure that ALL entity
> data resolved via instances of PKIXValidationInformationResolver have
> at least 1 trusted name which is resolvable. For resolvers based on
> SAML metadata, see IdP recommendations below.
> [...]
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1196619
>
> and
>
> https://bugzilla.novell.com/show_bug.cgi?id=922199
>
> both don't give much more information.
I agree with Emmanuel in that I don't see how the change in 2.6.5
addresses the reported vulnerability.
I also don't understand the code well enough to say for sure what we
should cherry-pick, but ignoring the timer change in 2.6.5, the only
really substantive change I see between 2.6.2 and 2.6.5 came in 2.6.3:
> http://svn.shibboleth.net/view/java-opensaml2?view=revision&revision=1670
Perhaps the following verbiage is related to the CVE, and the suggestion
to upgrade to > 2.6.4 isn't as constrained or precise as it could be?
> https://wiki.shibboleth.net/confluence/display/SHIB2/PKIXTrustEngine#PKIXTrustEngine-KnownIssues
In any event, the changes between 2.6.2 and 2.6.5 don't seem that
extensive. Should we prepare a 2.6.5 package and ask the Security and
Release teams for guidance?
Cheers,
tony
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>: Bug#780383; Package src:libopensaml2-java. (Thu, 07 May 2015 05:57:05 GMT)
Acknowledgement sent to tony mancill <tmancill@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Thu, 07 May 2015 05:57:05 GMT)
Message #25 received at 780383@bugs.debian.org:
An update on this... I'm in the midst of packaging 2.6.5, but it in
turn requires an update to libxmltooling-java to version 1.4.4, which I
am working on now.
Cheers,
tony
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>: Bug#780383; Package src:libopensaml2-java. (Sat, 09 May 2015 15:39:05 GMT)
Acknowledgement sent to 780383@bugs.debian.org: Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Sat, 09 May 2015 15:39:05 GMT)
Message #30 received at 780383@bugs.debian.org:
On 05/06/2015 10:54 PM, tony mancill wrote:
> An update on this... I'm in the midst of packaging 2.6.5, but it in
> turn requires an update to libxmltooling-java to version 1.4.4, which I
> am working on now.
In an email exchange with Scott Cantor, who works on this family of
libraries upstream, he stated that the v2 libraries will be EOL this
summer, and that he would advise not to ship them in a release unless
Debian will maintain them.
Based upon that information, the low popcon, and the fact that this
cluster of packages appears to be leaf packages (I can't find r-deps for
them):
libopenws-java
libshib-common-java
libopensaml2-java
libshib-parent-project2-java
I'm not going to take action to prevent the automated removal from
testing and am considering requesting that the packages be removed from
the archive. If people are using these libraries and can make a case
for them being available in Debian, please speak up.
Cheers,
tony
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>: Bug#780383; Package src:libopensaml2-java. (Mon, 29 Jun 2015 08:36:06 GMT)
Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>: Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Mon, 29 Jun 2015 08:36:06 GMT)
Message #35 received at 780383@bugs.debian.org:
On Sat, May 09, 2015 at 08:35:13AM -0700, tony mancill wrote:
> On 05/06/2015 10:54 PM, tony mancill wrote:
> > An update on this... I'm in the midst of packaging 2.6.5, but it in
> > turn requires an update to libxmltooling-java to version 1.4.4, which I
> > am working on now.
>
> In an email exchange with Scott Cantor, who works on this family of
> libraries upstream, he stated that the v2 libraries will be EOL this
> summer, and that he would advise not to ship them in a release unless
> Debian will maintain them.
>
> Based upon that information, the low popcon, and the fact that this
> cluster of packages appear to be leaf packages (I can't find r-deps for
> them):
>
> libopenws-java
> libshib-common-java
> libopensaml2-java
> libshib-parent-project2-java
>
> I'm not going to take action to prevent the automated removal from
> testing and am considering requesting that the packages be removed from
> the archive. If people are using these libraries and can make a case
> for them being available in Debian, please speak up.
Since no one objected and since they're already dropped from testing
for three weeks now, I'll also request removal from unstable now.
Cheers,
Moritz
Reply sent to Debian FTP Masters <ftpmaster@ftp-master.debian.org>: You have taken responsibility. (Sun, 05 Jul 2015 17:09:43 GMT)
Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Sun, 05 Jul 2015 17:09:43 GMT)
Message #40 received at 780383-done@bugs.debian.org:
Version: 2.6.2-1+rm
Dear submitter,
as the package libopensaml2-java has just been removed from the Debian archive
unstable we hereby close the associated bug reports. We are sorry
that we couldn't deal with your issue properly.
For details on the removal, please see https://bugs.debian.org/791495
The version of this package that was in Debian prior to this removal
can still be found using http://snapshot.debian.org/.
This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
ftpmaster@ftp-master.debian.org.
Debian distribution maintenance software
pp.
Luca Falavigna (the ftpmaster behind the curtain)
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 05 Dec 2016 11:12:24 GMT)
Bug unarchived. Request was from Don Armstrong <don@debian.org> to control@bugs.debian.org. (Wed, 07 Dec 2016 01:40:00 GMT)
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 18 Jun 2017 07:38:04 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:44:15 2019