This patch introduces an error; it currently produces the following while
trying to log in via SAML login:

[WAR] 84 (auth/saml/extlib/simplesamlphp/vendor/robrichards/xmlseclibs/src/XMLSecurityKey.php:499) openssl_sign(): supplied key param cannot be coerced into a private key
Call stack (most recent first):

    log_message("openssl_sign(): supplied key param cannot be coerc...", 8, true, true, "/home/lisaseeto/code/mahara/htdocs/auth/saml/extli...", 499) at /home/lisaseeto/code/mahara/htdocs/lib/errors.php:521
    error(2, "openssl_sign(): supplied key param cannot be coerc...", "/home/lisaseeto/code/mahara/htdocs/auth/saml/extli...", 499, array(size 3)) at Unknown:0
    openssl_sign("SAMLRequest=fVJdb8IgFP0rDe%2BVWr9aoiZOs8zETbO6Pexl...", null, false, "SHA256") at /home/lisaseeto/code/mahara/htdocs/auth/saml/extlib/simplesamlphp/vendor/robrichards/xmlseclibs/src/XMLSecurityKey.php:499
    RobRichards\XMLSecLibs\XMLSecurityKey->signOpenSSL("SAMLRequest=fVJdb8IgFP0rDe%2BVWr9aoiZOs8zETbO6Pexl...") at /home/lisaseeto/code/mahara/htdocs/auth/saml/extlib/simplesamlphp/vendor/robrichards/xmlseclibs/src/XMLSecurityKey.php:580
    RobRichards\XMLSecLibs\XMLSecurityKey->signData("SAMLRequest=fVJdb8IgFP0rDe%2BVWr9aoiZOs8zETbO6Pexl...") at /home/lisaseeto/code/mahara/htdocs/auth/saml/extlib/simplesamlphp/vendor/simplesamlphp/saml2/src/SAML2/HTTPRedirect.php:61
    SAML2\HTTPRedirect->getRedirectURL(object(SAML2\AuthnRequest)) at /home/lisaseeto/code/mahara/htdocs/auth/saml/extlib/simplesamlphp/vendor/simplesamlphp/saml2/src/SAML2/HTTPRedirect.php:84
    SAML2\HTTPRedirect->send(object(SAML2\AuthnRequest)) at /home/lisaseeto/code/mahara/htdocs/auth/saml/extlib/simplesamlphp/modules/saml/lib/Auth/Source/SP.php:704
    SimpleSAML\Module\saml\Auth\Source\SP->sendSAML2AuthnRequest(array(size 18), object(SAML2\HTTPRedirect), object(SAML2\AuthnRequest)) at /home/lisaseeto/code/mahara/htdocs/auth/saml/extlib/simplesamlphp/modules/saml/lib/Auth/Source/SP.php:686
    SimpleSAML\Module\saml\Auth\Source\SP->startSSO2(object(SimpleSAML\Configuration), array(size 18)) at /home/lisaseeto/code/mahara/htdocs/auth/saml/extlib/simplesamlphp/modules/saml/lib/Auth/Source/SP.php:728
    SimpleSAML\Module\saml\Auth\Source\SP->startSSO("http://idp1:8084/simplesaml/saml2/idp/metadata.php", array(size 15)) at /home/lisaseeto/code/mahara/htdocs/auth/saml/extlib/simplesamlphp/modules/saml/lib/Auth/Source/SP.php:826
    SimpleSAML\Module\saml\Auth\Source\SP->authenticate(array(size 15)) at /home/lisaseeto/code/mahara/htdocs/auth/saml/extlib/simplesamlphp/lib/SimpleSAML/Auth/Source.php:208
    SimpleSAML\Auth\Source->initLogin("http://mahara/auth/saml/index.php", null, array(size 3)) at /home/lisaseeto/code/mahara/htdocs/auth/saml/extlib/simplesamlphp/lib/SimpleSAML/Auth/Simple.php:167
    SimpleSAML\Auth\Simple->login(array(size 3)) at /home/lisaseeto/code/mahara/htdocs/auth/saml/extlib/simplesamlphp/lib/SimpleSAML/Auth/Simple.php:109
    SimpleSAML\Auth\Simple->requireAuth(array(size 2)) at /home/lisaseeto/code/mahara/htdocs/auth/saml/index.php:127

[WAR] 84 (lib/errors.php:536) [SimpleSAML\Error\UnserializableException]: Failure Signing Data: error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error - SHA256 at /home/lisaseeto/code/mahara/htdocs/auth/saml/extlib/simplesamlphp/lib/SimpleSAML/Auth/Source.php:212
Call stack (most recent first):

    exception(object(SimpleSAML\Error\UnserializableException)) at Unknown:0

Mahara: Site unavailable
A nonrecoverable error occurred. This probably means you have encountered a bug 
in the system

https://bugs.launchpad.net/bugs/1889485

Title:
  Security Upgrade SimpleSAML 1.18.4 to 1.18.7

Status in Mahara:
  Confirmed
Status in Mahara 19.04 series:
  Confirmed
Status in Mahara 19.10 series:
  Confirmed
Status in Mahara 20.04 series:
  Confirmed
Status in Mahara 20.10 series:
  Confirmed

Bug description:
  From https://simplesamlphp.org/security/202004-01:

  Date: April 03, 2020
  Affected versions: SimpleSAMLphp 1.18.5 and older
  Severity: Low

  Background

  The module controller in SimpleSAML\Module that processes requests for
  pages hosted by modules has code to identify paths ending with .php and
  process those as PHP code. If no other suitable way of handling the given
  path exists, it presents the file to the browser.

  Description

  The check to identify paths ending with .php does not account for
  uppercase letters. If someone requests a path ending with e.g. .PHP and
  the server is serving the code from a case-insensitive file system, such
  as on Windows, the processing of the PHP code does not occur, and the
  source code is instead presented to the browser.

  Affected versions

  SimpleSAMLphp versions 1.18.5 and older.

  We will upgrade to version 1.18.7

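
The check described in the advisory above, next to a case-normalising version, as an added PHP example. This is not SimpleSAMLphp's code: the function names, the in-memory file list standing in for the file system, and the sample paths are assumptions constructed for illustration.

```php
<?php
// Added illustration; not SimpleSAMLphp source. All names are hypothetical.

/** Case-sensitive suffix test: the behaviour the advisory describes. */
function isPhpPathCaseSensitive(string $path): bool
{
    return substr($path, -4) === '.php';
}

/** Hardened test: normalise the extension before comparing. */
function isPhpPathNormalised(string $path): bool
{
    return strtolower(pathinfo($path, PATHINFO_EXTENSION)) === 'php';
}

/**
 * Decide how a module path is handled. $fsCaseInsensitive models whether the
 * file system would resolve "page.PHP" to the on-disk file "page.php".
 */
function dispatch(string $path, array $filesOnDisk, bool $fsCaseInsensitive, callable $isPhp): string
{
    $exists = false;
    foreach ($filesOnDisk as $file) {
        if ($fsCaseInsensitive ? strcasecmp($file, $path) === 0 : $file === $path) {
            $exists = true;
            break;
        }
    }
    if (!$exists) {
        return 'not-found';
    }
    return $isPhp($path) ? 'execute-as-php' : 'serve-file-contents';
}

// Constructed sample data: one module page on disk, two request spellings.
$disk = ['modules/example/www/page.php'];
$requests = ['modules/example/www/page.php', 'modules/example/www/page.PHP'];

foreach ([true, false] as $insensitive) {
    foreach ($requests as $req) {
        printf(
            "fs_case_insensitive=%s %-30s weak=%-20s hardened=%s\n",
            $insensitive ? 'yes' : 'no',
            $req,
            dispatch($req, $disk, $insensitive, 'isPhpPathCaseSensitive'),
            dispatch($req, $disk, $insensitive, 'isPhpPathNormalised')
        );
    }
}
```

Only the combination of a case-insensitive file system and the case-sensitive suffix test ends in `serve-file-contents` for a PHP file, which is why the advisory singles out Windows hosts.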