Bug#1100464: opensaml: Parameter manipulation allows the forging of signed SAML messages
Niko Tyni
ntyni at debian.org
Fri Mar 14 08:34:41 GMT 2025
Package: opensaml
Version: 3.3.0-2
Severity: grave
Tags: security
X-Debbugs-Cc: team at security.debian.org
As per https://shibboleth.net/community/advisories/secadv_20250313.txt
Parameter manipulation allows the forging of signed SAML messages
=================================================================
A number of vulnerabilities in the OpenSAML library used by the
Shibboleth Service Provider allowed for creative manipulation of
parameters combined with reuse of the contents of older requests
to fool the library's signature verification of non-XML based
signed messages.
[...]
The SP's support for the HTTP-POST-SimpleSign SAML binding for
Single Sign-On responses is its critical vulnerability, and
it is enabled by default (regardless of what one's published
SAML metadata may advertise).
There's also a workaround in the advisory for the most critical
part (disable the POST-SimpleSign binding in protocols.xml .)
Red Hat already has a fix available. Not sure if this was coordinated
distro-wide, but filing a bug just in case (and copying the security team).
I assume stable releases are affected but haven't verified that.
I'm not aware of a CVE id for this.
--
Niko Tyni ntyni at debian.org
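The advisory's interim workaround, disabling the HTTP-POST-SimpleSign binding in the SP's protocols.xml, looks like the fragment below. This is an added illustration, not text from the advisory or the bug report; the element layout and `path` values are assumed from the default Shibboleth SP 3 protocols.xml and should be checked against the installed file before editing.

```xml
<!-- Excerpt of /etc/shibboleth/protocols.xml (layout assumed from the SP 3 default file).
     Only the SAML2 SSO service is shown; other services and protocols are unchanged. -->
<Protocols xmlns="urn:mace:shibboleth:3.0:protocols">
    <Protocol id="SAML2">
        <Service id="SSO" path="SAML2" initiator="SAML2">
            <!-- Bindings left enabled. -->
            <Binding id="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" path="POST"/>
            <Binding id="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" path="Artifact"/>

            <!-- The binding the advisory identifies as the critical one. It is on by
                 default even if the SP's published metadata does not advertise it,
                 so remove or comment out this line to apply the workaround:

            <Binding id="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" path="POST-SimpleSign"/>
            -->
        </Service>
    </Protocol>
</Protocols>
```

After saving, `shibd -t` checks that the configuration still loads, and shibd must be restarted for the change to take effect; the workaround is a stopgap until the patched opensaml package is installed.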