Bug#1100464: opensaml: Parameter manipulation allows the forging of signed SAML messages
Niko Tyni
ntyni at debian.org
Fri Mar 14 08:58:31 GMT 2025
On Fri, Mar 14, 2025 at 08:34:44AM +0000, Niko Tyni wrote:
> Package: opensaml
> Version: 3.3.0-2
> Severity: grave
> Tags: security
> X-Debbugs-Cc: team at security.debian.org
>
> As per https://shibboleth.net/community/advisories/secadv_20250313.txt
>
> Parameter manipulation allows the forging of signed SAML messages
> =================================================================
> RedHat already has a fix available. Not sure if this was coordinated
> distro-wide, but filing a bug just in case (and copying the security team).
Apologies, this was second hand information and probably incorrect.
I think this referred to the 3.3.1 RPM package provided by shibboleth.net.
FWIW I think the relevant upstream commit is
https://git.shibboleth.net/view/?p=cpp-opensaml.git;a=commit;h=22a610b322e2178abd03e97cdbc8fb50b45efaee
but I haven't tested this in any way.
--
Niko Tyni ntyni at debian.org