[Secure-testing-commits] r54772 - data/CVE

Salvatore Bonaccorso carnil at moszumanska.debian.org
Tue Aug 15 19:28:02 UTC 2017


Author: carnil
Date: 2017-08-15 19:28:02 +0000 (Tue, 15 Aug 2017)
New Revision: 54772

Modified:
   data/CVE/list
Log:
Add simplesamlphp issues

Modified: data/CVE/list
===================================================================
--- data/CVE/list	2017-08-15 19:11:51 UTC (rev 54771)
+++ data/CVE/list	2017-08-15 19:28:02 UTC (rev 54772)
@@ -1,3 +1,31 @@
+CVE-2017-12874 [Incorrect signature verification]
+	- simplesamlphp <unfixed>
+	NOTE: Issue lies in simplesamlphp/simplesamlphp-module-infocard and fixed
+	NOTE: in 1.0.1. The module is embedded in src:simplesamlphp
+	NOTE: https://simplesamlphp.org/security/201612-03
+	TODO: check
+CVE-2017-12873 [Incorrect persistent NameID generation]
+	- simplesamlphp 1.14.15-1
+	NOTE: https://simplesamlphp.org/security/201612-04
+CVE-2017-12872 [Multiple timing side-channel issues]
+	- simplesamlphp 1.14.15-1
+	NOTE: https://simplesamlphp.org/security/201703-01
+CVE-2017-12871 [Incorrect IV generation for encryption]
+	- simplesamlphp 1.14.15-1
+	[jessie] - simplesamlphp <not-affected> (Vulnerable code not present)
+	NOTE: https://simplesamlphp.org/security/201703-02
+CVE-2017-12870 [Unauthenticated encryption in CBC mode]
+	- simplesamlphp 1.14.15-1
+	NOTE: https://simplesamlphp.org/security/201704-01
+CVE-2017-12869 [Authentication context bypass in the multiauth module]
+	- simplesamlphp 1.14.15-1
+	NOTE: https://simplesamlphp.org/security/201704-02
+CVE-2017-12868 [Session fixation issue and authentication bypass in the authcrypt module]
+	- simplesamlphp 1.14.15-1
+	NOTE: https://simplesamlphp.org/security/201705-01
+CVE-2017-12867 [Invalid token creation and validation]
+	- simplesamlphp 1.14.15-1
+	NOTE: https://simplesamlphp.org/security/201708-01
 CVE-2017-12855 [XSA-230: grant_table: possibly premature clearing of GTF_writing / GTF_reading]
 	- xen <unfixed>
 	NOTE: https://xenbits.xen.org/xsa/advisory-230.html
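
Review bot: The CVE-2017-12874 entry at the top of the hunk goes in as "- simplesamlphp <unfixed>" with an open "TODO: check", while its own NOTE lines say the flaw is in the embedded simplesamlphp-module-infocard and fixed there in 1.0.1. The TODO does not say what is left to check, so the next person triaging has to rediscover it; state the open question in a NOTE (for example, which src:simplesamlphp upload embeds infocard 1.0.1 or later), and replace <unfixed> with that version once it is known. Separately, the seven entries below it all record 1.14.15-1 as the fixed version although their advisory references run from 201612-04 to 201708-01, and only CVE-2017-12871 has a per-release line for jessie; it is worth confirming that 1.14.15-1 really contains the fix for the 201708-01 issue and that jessie is affected by the others.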



