[Git][security-tracker-team/security-tracker][master] Update information about second simplesamlphp issue: CVE-2024-52806

Salvatore Bonaccorso (@carnil) carnil at debian.org
Tue Dec 3 11:58:24 GMT 2024



Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
13291705 by Salvatore Bonaccorso at 2024-12-03T12:57:29+01:00
Update information about second simplesamlphp issue: CVE-2024-52806

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/DSA/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -216,7 +216,9 @@ CVE-2024-53259 (quic-go is an implementation of the QUIC protocol in Go. An off-
 	NOTE: https://github.com/quic-go/quic-go/commit/ca31dd355cbe5fc6c5807992d9d1149c66c96a50 (master)
 	NOTE: https://github.com/quic-go/quic-go/commit/34157e6455b07723d11385212a4e1328f57f1da5 (v0.48.2)
 CVE-2024-52806 (SimpleSAMLphp SAML2 library is a PHP library for SAML2 related functio ...)
-	TODO: check
+	- simplesamlphp <unfixed>
+	NOTE: https://github.com/simplesamlphp/saml2/security/advisories/GHSA-pxm4-r5ph-q2m2
+	NOTE: https://github.com/simplesamlphp/saml2/commit/5fd4ce4596656fb0c1278f15b8305825412e89f7 (v4.16.14)
 CVE-2024-52732 (Incorrect access control in wms-Warehouse management system-zeqp v2.20 ...)
 	NOT-FOR-US: wms-Warehouse management system-zeqp
 CVE-2024-52724 (ZZCMS 2023 was discovered to contain a SQL injection vulnerability in  ...)
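Review bot: the new `- simplesamlphp <unfixed>` line for CVE-2024-52806 is missing the advisory cross-reference that the sibling CVE-2024-52596 entry carries (`{DSA-5822-1 DLA-3981-1}`), even though the DSA and DLA hunks in this same commit add CVE-2024-52806 to those advisories; add the `{DSA-5822-1 DLA-3981-1}` line above the package line so data/CVE/list and data/DSA/list and data/DLA/list agree on which releases are fixed. The entry also has no `(bug #...)` reference, unlike CVE-2024-52596; if the same bug #1088904 tracks both library issues, record it here too, otherwise file or reference a separate one.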
@@ -506,7 +508,9 @@ CVE-2024-52596 (SimpleSAMLphp xml-common is a common classes for handling XML-st
 	{DSA-5822-1 DLA-3981-1}
 	- simplesamlphp <unfixed> (bug #1088904)
 	NOTE: https://github.com/simplesamlphp/simplesamlphp/releases/tag/v2.3.4
-	NOTE: Fixed by: https://github.com/simplesamlphp/saml2/commit/5fd4ce4596656fb0c1278f15b8305825412e89f7 (v4.16.14)
+	NOTE: https://github.com/simplesamlphp/xml-common/security/advisories/GHSA-2x65-fpch-2fcm
+	NOTE: Fixed by: https://github.com/simplesamlphp/xml-common/commit/fa4ade391c3194466acf5fbfd5d2ecdbf5e831f5
+	NOTE: Mitigation: Remove the LIBXML_DTDLOAD | LIBXML_DTDATTR options from $options.
 CVE-2024-53788 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
 	NOT-FOR-US: WordPress plugin
 CVE-2024-53787 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
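Review bot: the replacement `Fixed by:` note for the xml-common commit fa4ade391c3194466acf5fbfd5d2ecdbf5e831f5 has no release version in parentheses, while the saml2 note it replaces (and the one moved to CVE-2024-52806) gives `(v4.16.14)`; add the xml-common tag that first contains the fix so the bundled copy in the simplesamlphp package can be matched against it. Moving the saml2 commit from this entry to CVE-2024-52806 is the right correction, since that commit belongs to the saml2 advisory GHSA-pxm4-r5ph-q2m2, not to the xml-common advisory GHSA-2x65-fpch-2fcm now referenced here; the `Mitigation:` note about dropping `LIBXML_DTDLOAD | LIBXML_DTDATTR` from `$options` is a useful addition for users who cannot update.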


=====================================
data/DLA/list
=====================================
@@ -4,7 +4,7 @@
 [02 Dec 2024] DLA-3957-2 needrestart - regression update
 	[bullseye] - needrestart 3.5-4+deb11u5
 [02 Dec 2024] DLA-3981-1 simplesamlphp - security update
-	{CVE-2024-52596}
+	{CVE-2024-52596 CVE-2024-52806}
 	[bullseye] - simplesamlphp 1.19.0-1+deb11u1
 [02 Dec 2024] DLA-3980-1 python3.9 - security update
 	{CVE-2015-20107 CVE-2020-10735 CVE-2021-3426 CVE-2021-3733 CVE-2021-3737 CVE-2021-4189 CVE-2021-28861 CVE-2021-29921 CVE-2022-42919 CVE-2022-45061 CVE-2023-6597 CVE-2023-24329 CVE-2023-27043 CVE-2023-40217 CVE-2024-0397 CVE-2024-0450 CVE-2024-4032 CVE-2024-6232 CVE-2024-6923 CVE-2024-7592 CVE-2024-8088 CVE-2024-9287 CVE-2024-11168}
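Review bot: extending the already-published DLA-3981-1 (02 Dec 2024) from `{CVE-2024-52596}` to `{CVE-2024-52596 CVE-2024-52806}` asserts that bullseye's simplesamlphp 1.19.0-1+deb11u1 also contains the saml2 fix (commit 5fd4ce4596656fb0c1278f15b8305825412e89f7, v4.16.14) now recorded for CVE-2024-52806; confirm that commit was actually part of that upload before the change lands, because if only the xml-common fix shipped, a regression update (DLA-3981-2) is needed instead of retroactively widening the existing advisory.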


=====================================
data/DSA/list
=====================================
@@ -4,7 +4,7 @@
 	{CVE-2024-44308 CVE-2024-44309}
 	[bookworm] - webkit2gtk 2.46.4-1~deb12u1
 [02 Dec 2024] DSA-5822-1 simplesamlphp - security update
-	{CVE-2024-52596}
+	{CVE-2024-52596 CVE-2024-52806}
 	[bookworm] - simplesamlphp 1.19.7-1+deb12u1
 [27 Nov 2024] DSA-5821-1 thunderbird - security update
 	{CVE-2024-11692 CVE-2024-11694 CVE-2024-11695 CVE-2024-11696 CVE-2024-11697 CVE-2024-11699}
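Review bot: the same retroactive widening is applied to DSA-5822-1 for bookworm (1.19.7-1+deb12u1), whose published text listed only CVE-2024-52596; besides verifying the upload contains the second fix, the advisory text on the security site and a follow-up announcement should mention CVE-2024-52806 so that consumers matching on advisory content rather than on this tracker see the additional CVE.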



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/13291705050fb81832690a56cbbd84345996f691
