-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hello.
I prepared LTS security update for simplesamlphp. Basic functions also tested in a wheezy machine. Please review and upload. Debdiff is attached. link: https://mentors.debian.net/debian/pool/main/s/simplesamlphp/simplesamlphp_1.9.2-1+deb7u2.dsc Thanks. -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEE7xPqJqaY/zX9fJAuhj1N8u2cKO8FAlp4UZ0ACgkQhj1N8u2c KO9ezA/+ObDIlCKLBAMF4pk3m0ZNmHZS7NQKyhSe0nmfCVjLuRNmlaRXd9lo1DUC zdTalyxVrmv/EQMsQvvizbf6icdb59HLlX3r4GLHlchw4fd/0OCTCLoZ7NN0yH8n 7yZzZcRoqowi6KxwDX2TFPpKUJLAmL+SWptTG6z4ioiN6hIduPuUlS0Nd8ROnMEb B4xowgipt57LUHPAynBOy+pVGQ60FKPyYhnsf9JslHhajsU99iALgfALnbvSGQPM ZFlYSpo3VJMklJKQ0seex7PN7rtpl/YfBoH2scNKBeoXi2H0WXmjdOz7yg/Kw4kS AOAaVDfrGqy4E333IL6E9sXEV+p9Hl3AC4aO4+tJtXPJPiXX+/VNlx5tR0tB0+X2 80JIBM6VItMwduS+2+J1UuQn+Ehe1WnnLS4sRBc2TnX2FaucccUQYAmVkzkqlayy NKmfcMYTitRNgHSUWkeA+zU6KLjm0uv0kVVp/b1gG7ahBT84OBGjTTu4416MVPrr 6cUuhVXBx07mOXG5+l4Fcyu6IgHb6M0c+r4fM5pByZhZV2Kbb5UfJd05xFjB8pyB gNl0jUXPtLjRgWg0J/S+d9Ve1US8gO/1thQOkTb3JblMKQMy+AdaJEMPg7TQxr4E YcFcJtanYNFrMyFDesY4zAQ8IIM2iqnpJIlH5eZwWJeMumMrCSI= =Muz0 -----END PGP SIGNATURE-----
diff -Nru simplesamlphp-1.9.2/debian/changelog simplesamlphp-1.9.2/debian/changelog
--- simplesamlphp-1.9.2/debian/changelog 2017-11-30 19:37:03.000000000 +0530
+++ simplesamlphp-1.9.2/debian/changelog 2018-02-05 11:14:11.000000000 +0530
@@ -1,3 +1,12 @@
+simplesamlphp (1.9.2-1+deb7u2) wheezy-security; urgency=high
+
+ * Non-maintainer upload by the Debian LTS Team.
+ * Fix CVE-2017-18122: Signature validation bypass
+ * Fix CVE-2017-18121: Cross Site Scripting (XSS) in the consentAdmin module
+ * Fix CVE-2018-6521: Use of insecure connection charset (sqlauth module)
+
+ -- Abhijith PA <[email protected]> Mon, 05 Feb 2018 11:14:11 +0530
+
 simplesamlphp (1.9.2-1+deb7u1) wheezy-security; urgency=high
 
 * Non-maintainer upload by the Debian LTS Team.
diff -Nru simplesamlphp-1.9.2/debian/patches/CVE-2017-18121_18122_CVE-2018-6521.patch simplesamlphp-1.9.2/debian/patches/CVE-2017-18121_18122_CVE-2018-6521.patch
--- simplesamlphp-1.9.2/debian/patches/CVE-2017-18121_18122_CVE-2018-6521.patch 1970-01-01 05:30:00.000000000 +0530
+++ simplesamlphp-1.9.2/debian/patches/CVE-2017-18121_18122_CVE-2018-6521.patch 2018-02-05 11:14:11.000000000 +0530
@@ -0,0 +1,48 @@
+Description: Fix CVE-2017-18122, CVE-2017-18121, CVE-2018-6521
+ CVE-2017-18122: Signature validation bypass
+ https://simplesamlphp.org/security/201710-01
+ CVE-2017-18121: Cross Site Scripting (XSS) in the consentAdmin module
+ https://simplesamlphp.org/security/201709-01
+ CVE-2018-6521: Use of insecure connection charset (sqlauth module)
+ https://simplesamlphp.org/security/201801-03
+Author: Abhijith PA <[email protected]>
+
+---
+Origin: https://github.com/simplesamlphp/simplesamlphp/commit/e2d53086abbb253efb24ddcb49b116246eb0b6ca
+ https://github.com/simplesamlphp/simplesamlphp/commit/34e1bdb7660c0c9b627f8e5f0ca224a6afe641a8
+ https://github.com/simplesamlphp/simplesamlphp/commit/1e4d42e2275e91b515d46256bd895731e3ea154f
+Bug-Debian: https://bugs.debian.org/889286
+Last-Update: 2018-02-05
+
+--- simplesamlphp-1.9.2.orig/lib/SimpleSAML/XML/Validator.php
++++ simplesamlphp-1.9.2/lib/SimpleSAML/XML/Validator.php
+@@ -261,7 +261,7 @@ class SimpleSAML_XML_Validator {
+ assert('$node instanceof DOMNode');
+
+ while($node !== NULL) {
+- if(in_array($node, $this->validNodes)) {
++ if(in_array($node, $this->validNodes, true)) {
+ return TRUE;
+ }
+
+--- simplesamlphp-1.9.2.orig/modules/consentAdmin/templates/consentadmin.php
++++ simplesamlphp-1.9.2/modules/consentAdmin/templates/consentadmin.php
+@@ -132,6 +132,6 @@ TRSTART;
+
+ <h2>Logout</h2>
+
+- <p><a href="<?php echo SimpleSAML_Utilities::selfURL() . '?logout'; ?>">Logout</a></p>
++ <p><a href="<?php echo SimpleSAML_Module::getModuleURL('consentAdmin/consentAdmin.php', array('logout' => 1)); ?>">Logout</a></p>
+
+ <?php $this->includeAtTemplateBase('includes/footer.php'); ?>
+--- simplesamlphp-1.9.2.orig/modules/sqlauth/lib/Auth/Source/SQL.php
++++ simplesamlphp-1.9.2/modules/sqlauth/lib/Auth/Source/SQL.php
+@@ -96,7 +96,7 @@ class sspmod_sqlauth_Auth_Source_SQL ext
+ switch ($driver) {
+ case 'mysql':
+ /* Use UTF-8. */
+- $db->exec("SET NAMES 'utf8'");
++ $db->exec("SET NAMES 'utf8mb4'");
+ break;
+ case 'pgsql':
+ /* Use UTF-8. */
diff -Nru simplesamlphp-1.9.2/debian/patches/series simplesamlphp-1.9.2/debian/patches/series
--- simplesamlphp-1.9.2/debian/patches/series 2017-11-30 19:37:03.000000000 +0530
+++ simplesamlphp-1.9.2/debian/patches/series 2018-02-05 11:14:11.000000000 +0530
@@ -4,3 +4,4 @@
 CVE-2017-12872.patch
 CVE-2017-12869.patch
 CVE-2017-12867.patch
+CVE-2017-18121_18122_CVE-2018-6521.patch
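Review bot: In the consentadmin.php part of the added quilt patch, the new logout link passes a second argument, `array('logout' => 1)`, to `SimpleSAML_Module::getModuleURL()`, and nothing in this debdiff shows that the 1.9.2 version of that method accepts a parameter array. PHP silently ignores surplus arguments to a user-defined function, so if the backported tree's signature takes only the resource path, the href would be rendered without the logout parameter and the logout link would quietly stop working. This is worth checking against the method definition in the 1.9.2 source before upload, because the upstream commit was written against a newer tree. If the method takes a single argument, a form that keeps the XSS fix (no request-derived URL in the attribute) is `<?php echo htmlspecialchars(SimpleSAML_Module::getModuleURL('consentAdmin/consentAdmin.php') . '?logout=1'); ?>`. It would also be worth confirming that the page's logout handler, which is outside this diff, accepts `logout=1` as well as the bare `?logout` it received before.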
