Your message dated Fri, 31 Aug 2012 14:06:08 +0200
with message-id <[email protected]>
and subject line Re: Bug#686344: unblock: simplesamlphp/1.9.2.-1
has caused the Debian Bug report #686344,
regarding unblock: simplesamlphp/1.9.2.-1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
686344: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=686344
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock

Hi,

Please unblock package simplesamlphp. It's a security-update only release
that further tightens the screws on the security issue addressed in 1.9.1,
after further discussion with the scientists who discovered the issue.

The debdiff is very simple.

Please
unblock simplesamlphp/1.9.2.-1

Thanks,
Thijs
diff -Nru simplesamlphp-1.9.1/debian/changelog simplesamlphp-1.9.2/debian/changelog
--- simplesamlphp-1.9.1/debian/changelog 2012-08-06 14:58:01.000000000 +0200
+++ simplesamlphp-1.9.2/debian/changelog 2012-08-29 17:45:36.000000000 +0200
@@ -1,3 +1,11 @@
+simplesamlphp (1.9.2-1) unstable; urgency=medium
+
+ * New upstream security release:
+ Fix possible issue in PKCS 1.5 encryption when a key is
+ correctly decrypted but its length is not the one expected.
+
+ -- Thijs Kinkhorst <[email protected]> Wed, 29 Aug 2012 15:43:31 +0000
+
simplesamlphp (1.9.1-1) unstable; urgency=medium
* New upstream security release:
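Review bot: "PKCS 1.5" in the new 1.9.2-1 entry should read "PKCS#1 v1.5", which is the name of the padding scheme. The entry also carries no identifier for the issue (no CVE reference and no Closes: line), so if one was assigned, add it here so the upload can be matched to the tracked security issue.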
diff -Nru simplesamlphp-1.9.1/docs/simplesamlphp-changelog.txt simplesamlphp-1.9.2/docs/simplesamlphp-changelog.txt
--- simplesamlphp-1.9.1/docs/simplesamlphp-changelog.txt 2012-08-02 08:25:33.000000000 +0200
+++ simplesamlphp-1.9.2/docs/simplesamlphp-changelog.txt 2012-08-29 10:19:20.000000000 +0200
@@ -6,6 +6,12 @@
This document lists the changes between versions of simpleSAMLphp.
See the upgrade notes for specific information about upgrading.
+## Version 1.9.2
+
+Released 2012-08-29
+
+ * Fix related to the security issue addressed in version 1.9.1.
+
## Version 1.9.1
Released 2012-08-02.
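Review bot: the added "Released 2012-08-29" line has no trailing period, while the existing 1.9.1 entry reads "Released 2012-08-02."; match the existing style. The bullet "Fix related to the security issue addressed in version 1.9.1" also does not tell an administrator what changed; the wording used in debian/changelog (a correctly decrypted key whose length is not the expected one) would be more useful in the upstream changelog too.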
diff -Nru simplesamlphp-1.9.1/lib/SAML2/Utils.php simplesamlphp-1.9.2/lib/SAML2/Utils.php
--- simplesamlphp-1.9.1/lib/SAML2/Utils.php 2012-08-02 08:25:23.000000000 +0200
+++ simplesamlphp-1.9.2/lib/SAML2/Utils.php 2012-08-29 10:19:12.000000000 +0200
@@ -393,6 +393,10 @@
try {
$key = $encKey->decryptKey($symmetricKeyInfo);
+ if (strlen($key) != $keySize) {
+ throw new Exception('Unexpected key size (' . strlen($key) * 8 . 'bits) for encryption algorithm: ' .
+ var_export($symmetricKey->type, TRUE));
+ }
} catch (Exception $e) {
/* We failed to decrypt this key. Log it, and substitute a "random" key. */
SimpleSAML_Logger::error('Failed to decrypt symmetric key: ' . $e->getMessage());
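Review bot: the added check "if (strlen($key) != $keySize)" depends on $keySize, which is set outside this hunk; confirm it is defined for every symmetric algorithm that can reach this try block, because an unset value would make every non-empty decrypted key fail the comparison and silently fall into the random-key substitution. Throwing inside the try is the right shape, since a wrong-length key then takes the same catch path as a failed decryption and the caller cannot tell the two cases apart. Two smaller points: prefer !== for the integer comparison, and the message concatenates the number directly with 'bits)', so it prints for example "128bits"; add a space before "bits".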
diff -Nru simplesamlphp-1.9.1/lib/SimpleSAML/Configuration.php simplesamlphp-1.9.2/lib/SimpleSAML/Configuration.php
--- simplesamlphp-1.9.1/lib/SimpleSAML/Configuration.php 2012-08-02 08:28:37.000000000 +0200
+++ simplesamlphp-1.9.2/lib/SimpleSAML/Configuration.php 2012-08-29 11:16:57.000000000 +0200
@@ -5,7 +5,7 @@
*
* @author Andreas Aakre Solberg, UNINETT AS. <[email protected]>
* @package simpleSAMLphp
- * @version $Id: Configuration.php 3136 2012-08-02 06:28:37Z olavmrk $
+ * @version $Id: Configuration.php 3152 2012-08-29 09:16:57Z [email protected] $
*/
class SimpleSAML_Configuration {
@@ -295,7 +295,7 @@
* @return string
*/
public function getVersion() {
- return '1.9.1';
+ return '1.9.2';
}
--- End Message ---
--- Begin Message ---
On 2012-08-31 13:26, Thijs Kinkhorst wrote:
> Package: release.debian.org
> Severity: normal
> User: [email protected]
> Usertags: unblock
>
> Hi,
>
> Please unblock package simplesamlphp. It's a security-update only release
> that further tightens the screws on the security issue addressed in 1.9.1,
> after further discussion with the scientists who discovered the issue.
>
> The debdiff is very simple.
>
> Please
> unblock simplesamlphp/1.9.2.-1
>
>
> Thanks,
> Thijs
Unblocked, thanks.
~Niels
--- End Message ---