Re: Wheezy update of simplesamlphp?
Hi,

On Sun, 04 Feb 2018, Ola Lundqvist wrote:
> No worry. It was my mistake. I did not expect that someone else would
> do triaging when I was at front desk. You did nothing wrong. I'll try
> to be a little more observant next time. :-)

Just to be clear. Abhijith did not have to do this since he was not
assigned to frontdesk. That's the best way to avoid duplicate work.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer
Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/
Re: Wheezy update of simplesamlphp?
Hi

No worry. It was my mistake. I did not expect that someone else would
do triaging when I was at front desk. You did nothing wrong. I'll try
to be a little more observant next time. :-)

// Ola

On 4 February 2018 at 11:35, Abhijith PA wrote:
> Removed
>
> On Sunday 04 February 2018 02:37 AM, Ola Lundqvist wrote:
>> Hi
>>
>> Sorry for the duplicate. I did not realize that someone else had sent
>> this message already.
>>
>> // Ola
>>
>
> Sorry for the confusion. What is the best solution to avoid this in
> future?
>

-- 
 --- Inguza Technology AB --- MSc in Information Technology ---
/  o...@inguza.com                   Folkebogatan 26            \
|  o...@debian.org                   654 68 KARLSTAD            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
 ---------------------------------------------------------------
Re: Wheezy update of simplesamlphp?
Removed

On Sunday 04 February 2018 02:37 AM, Ola Lundqvist wrote:
> Hi
>
> Sorry for the duplicate. I did not realize that someone else had sent
> this message already.
>
> // Ola
>

Sorry for the confusion. What is the best solution to avoid this in
future?
Re: Wheezy update of simplesamlphp?
Hi

Sorry for the duplicate. I did not realize that someone else had sent
this message already.

// Ola

On 3 February 2018 at 21:14, Ola Lundqvist wrote:
> Dear maintainer,
>
> The Debian LTS team would like to fix the security issues which are
> currently open in the Wheezy version of simplesamlphp:
> https://security-tracker.debian.org/tracker/CVE-2017-18121
> https://security-tracker.debian.org/tracker/CVE-2017-18122
>
> Would you like to take care of this yourself?
>
> If yes, please follow the workflow we have defined here:
> https://wiki.debian.org/LTS/Development
>
> If that workflow is a burden to you, feel free to just prepare an
> updated source package and send it to debian-lts@lists.debian.org
> (via a debdiff, or with an URL pointing to the source package,
> or even with a pointer to your packaging repository), and the members
> of the LTS team will take care of the rest. Indicate clearly whether you
> have tested the updated package or not.
>
> If you don't want to take care of this update, it's not a problem, we
> will do our best with your package. Just let us know whether you would
> like to review and/or test the updated package before it gets released.
>
> You can also opt-out from receiving future similar emails in your
> answer and then the LTS Team will take care of simplesamlphp updates
> for the LTS releases.
>
> Thank you very much.
>
> Ola Lundqvist,
> on behalf of the Debian LTS team.
>
> PS: A member of the LTS team might start working on this update at
> any point in time. You can verify whether someone is registered
> on this update in this file:
> https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup
>

-- 
 --- Inguza Technology AB --- MSc in Information Technology ---
/  o...@inguza.com                   Folkebogatan 26            \
|  o...@debian.org                   654 68 KARLSTAD            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
 ---------------------------------------------------------------
Wheezy update of simplesamlphp ?
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Dear maintainer(s),

The Debian LTS team would like to fix the security issues which are
currently open in the Wheezy version of simplesamlphp:
https://security-tracker.debian.org/tracker/CVE-2017-18121
https://security-tracker.debian.org/tracker/CVE-2017-18122

Would you like to take care of this yourself?

If yes, please follow the workflow we have defined here:
https://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an
updated source package and send it to debian-lts@lists.debian.org
(via a debdiff, or with an URL pointing to the source package,
or even with a pointer to your packaging repository), and the members
of the LTS team will take care of the rest. Indicate clearly whether you
have tested the updated package or not.

If you don't want to take care of this update, it's not a problem, we
will do our best with your package. Just let us know whether you would
like to review and/or test the updated package before it gets released.

You can also opt-out from receiving future similar emails in your
answer and then the LTS Team will take care of simplesamlphp updates
for the LTS releases.

Thank you very much.

Abhijith PA,
on behalf of the Debian LTS team.

PS: A member of the LTS team might start working on this update at
any point in time. You can verify whether someone is registered
on this update in this file:
https://salsa.debian.org/security-tracker-team/security-tracker/raw/master/data/dla-needed.txt

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE7xPqJqaY/zX9fJAuhj1N8u2cKO8FAlp1lMoACgkQhj1N8u2c
KO9jVQ/+KDtiH8voP6RUqSGGK/scDanBBuLMFQgKzvkshGcVKEY07ASC60zRkvmu
dvTa8upc7zY5GKSolE+YLuaunoqyyfBqFTdPGpe/9HCJlVWstkrgpvXRyBbvbL7R
6C7bNNV6BryBdYejEia8xGws697X4EOfHXmXcPMptqY+T+vQylfHUjKa+WqYuXp+
KgT0xDOZPsEhWsWQ5xxVY/xt0GqT2EX5SMVBUD8Bz60n+mI6UL8/yq5Cc/H5u1D3
SDw8q1iu7HaVBlITnKec2aW1XTcasaHGsKn93a+cqL1BUXPCUU7UfQ5NCRrp1rqM
8IpB4/9fkDOG77gbbqdFAtWSX/Np50ERIFs3Yq5wzMa4DjOIKEmUgiqD6svZyYAf
WYMXRM/fRXHmtlKERxFY/z5YjshQRGHVoWaiw2q7mJ1BQO8nn0+N2OrIP4f1m2+f
MeWzeNZam2BI+Jsc/w8jcHIDaBFukkPn5QOpz8hPQ961yrmDi+WRhcT1W807x/19
y0yLvLiSMj5Ces3eayuqAavZapWv7n8Pr6ms4yaYw0WLiXmgLRR8pZzmW/FFjZNu
YJ8ifdfq9HaedxXzwOf70RodytT/HXulXcyLvIgZqLUQqHp91/wpP0mY2Vdg8h5a
/wP5nsgbN0+C2Q4AEPFaHG9GOaDmF0zMXHHoLgXx6XGlHx19FWY=
=ebkY
-----END PGP SIGNATURE-----
Re: Wheezy update of simplesamlphp?
Hello Thijs,

On Mon, 04 Sep 2017, Thijs Kinkhorst wrote:
> On Wed, August 30, 2017 16:26, Raphael Hertzog wrote:
> > The Debian LTS team would like to fix the security issues which are
> > currently open in the Wheezy version of simplesamlphp:
> > https://security-tracker.debian.org/tracker/source-package/simplesamlphp
> >
> > Would you like to take care of this yourself?
>
> None of this is particularly worrisome, but together an update might be
> worthwhile. I'll see what I can do.

I prepared an update fixing all CVEs except CVE-2017-12870 that I marked
as ignored on wheezy because aesEncrypt/aesDecrypt in this version uses
a different implementation based on mcrypt and not openssl and it doesn't
look like worth reimplementing the fix entirely.

It would be nice if you (and/or other LTS users) could test the package
(I did absolutely no tests so far, except building the package):

$ dget https://people.debian.org/~hertzog/packages/simplesamlphp_1.9.2-1+deb7u1_amd64.changes

The debdiff is attached if you want to review it, too.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer
Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/

diff -Nru simplesamlphp-1.9.2/debian/changelog simplesamlphp-1.9.2/debian/changelog
--- simplesamlphp-1.9.2/debian/changelog2012-08-29 17:45:36.0 +0200
+++ simplesamlphp-1.9.2/debian/changelog2017-11-30 15:07:03.0 +0100
@@ -1,3 +1,15 @@ +simplesamlphp (1.9.2-1+deb7u1) wheezy-security; urgency=high + + * Non-maintainer upload by the Debian LTS Team. + * Fix CVE-2017-12867: Invalid token creation and validation + * Fix CVE-2017-12869: Authentication context bypass in the multiauth module + * Fix CVE-2017-12872: Multiple timing side-channel issues +(use the patch fixed for CVE-2017-12868 too) + * Fix CVE-2017-12873: Incorrect persistent NameID generation + * Fix CVE-2017-12874: incorrect signature verification + + -- Raphaël HertzogThu, 30 Nov 2017 15:07:03 +0100 + simplesamlphp (1.9.2-1) unstable; urgency=medium * New upstream security release: diff -Nru simplesamlphp-1.9.2/debian/patches/CVE-2017-12867.patch simplesamlphp-1.9.2/debian/patches/CVE-2017-12867.patch --- simplesamlphp-1.9.2/debian/patches/CVE-2017-12867.patch 1970-01-01 01:00:00.0 +0100 +++ simplesamlphp-1.9.2/debian/patches/CVE-2017-12867.patch 2017-11-30 15:07:03.0 +0100 
@@ -0,0 +1,17 @@ +Description: Fix CVE-2017-12867: Invalid token creation and validation + See https://simplesamlphp.org/security/201708-01 +Origin: backport, https://github.com/simplesamlphp/simplesamlphp/commit/608f24c2d5afd70c2af050785d2b12f878b33c68 +Last-Update: 2017-11-30 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/lib/SimpleSAML/Auth/TimeLimitedToken.php b/lib/SimpleSAML/Auth/TimeLimitedToken.php +@@ -55,7 +55,7 @@ class SimpleSAML_Auth_TimeLimitedToken { + + #echo 'Calculating sha1( ' . $this->calculate_time_slot($offset) . ':' . $this->secretSalt . ' )'; + +- return sha1( $this->calculate_time_slot($offset) . ':' . $this->secretSalt); ++ return sha1($offset . ':' . $this->calculate_time_slot($offset) . ':' . $this->secretSalt); + } + + /** diff -Nru simplesamlphp-1.9.2/debian/patches/CVE-2017-12869.patch simplesamlphp-1.9.2/debian/patches/CVE-2017-12869.patch --- simplesamlphp-1.9.2/debian/patches/CVE-2017-12869.patch 1970-01-01 01:00:00.0 +0100 +++ simplesamlphp-1.9.2/debian/patches/CVE-2017-12869.patch 2017-11-30 15:07:03.0 +0100 
@@ -0,0 +1,31 @@ +From f1e485284dd428ab3cd9500c62e19c7c7234be9a Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jaime=20Pe=CC=81rez=20Crespo?= +Date: Fri, 5 May 2017 11:36:42 +0200 +Subject: [PATCH] bugfix: Allow only valid auth sources in MultiAuth. + +The configuration of the MultiAuth authentication source specifies the auth sources that the user is presented with when asked for authentication. However, there was no proper check for the auth source selected by the user to ensure it is one of those allowed for MultiAuth. + +See https://simplesamlphp.org/security/201704-02 + +Origin: upstream, https://github.com/simplesamlphp/simplesamlphp/commit/f1e485284dd428ab3cd9500c62e19c7c7234be9a +--- + modules/multiauth/lib/Auth/Source/MultiAuth.php | 8 +++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/modules/multiauth/lib/Auth/Source/MultiAuth.php b/modules/multiauth/lib/Auth/Source/MultiAuth.php +@@ -144,7 +144,13 @@ class sspmod_multiauth_Auth_Source_Multi + assert('is_array($state)'); + + $as = SimpleSAML_Auth_Source::getById($authId); +- if ($as === NULL) { ++ $valid_sources = array_map( ++ function($src) { ++ return $src['source']; ++
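Review bot: in the debian/changelog hunk, the parenthetical under the CVE-2017-12872 entry, `(use the patch fixed for CVE-2017-12868 too)`, leaves it unclear whether this upload also closes CVE-2017-12868. If it does, give that CVE its own `* Fix CVE-2017-12868: ...` line so that the security tracker's changelog parsing picks it up; if the upstream patch for 12872 merely happens to be the same commit that addressed 12868, reword the parenthetical to say that explicitly.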
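Review bot: in the CVE-2017-12867 hunk for lib/SimpleSAML/Auth/TimeLimitedToken.php, the debug comment left directly above the changed line, `#echo 'Calculating sha1( ' . $this->calculate_time_slot($offset) . ':' . $this->secretSalt . ' )';`, now documents the old formula; with the new `return sha1($offset . ':' . $this->calculate_time_slot($offset) . ':' . $this->secretSalt);` the hashed string begins with the offset, so either update the comment or drop it. The hunk only touches hash generation while the DEP-3 Description covers both "token creation and validation"; it would help to state in the header that validation in 1.9.2 goes through this same method with the candidate offsets, so that this single change is sufficient.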
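Review bot: the CVE-2017-12869 hunk for modules/multiauth/lib/Auth/Source/MultiAuth.php is cut off after `return $src['source'];`, so the remainder of the `array_map` call, the replacement for the removed `if ($as === NULL) {` check and the error branch are not visible here; what can be confirmed is only that the null test on `SimpleSAML_Auth_Source::getById($authId)` is being replaced by a whitelist built from the configured sources. Please post the complete patch (or point at the debdiff in the .changes upload) so the membership test on `$valid_sources` can be checked, and since the header says `Origin: upstream` rather than backport, confirm that the `$src['source']` structure the closure reads exists in 1.9.2's MultiAuth as well.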
Re: Wheezy update of simplesamlphp?
Hi Raphael,

On Wed, August 30, 2017 16:26, Raphael Hertzog wrote:
> The Debian LTS team would like to fix the security issues which are
> currently open in the Wheezy version of simplesamlphp:
> https://security-tracker.debian.org/tracker/source-package/simplesamlphp
>
> Would you like to take care of this yourself?

None of this is particularly worrisome, but together an update might be
worthwhile. I'll see what I can do.

Cheers,
Thijs
Wheezy update of simplesamlphp?
Hello Thijs,

The Debian LTS team would like to fix the security issues which are
currently open in the Wheezy version of simplesamlphp:
https://security-tracker.debian.org/tracker/source-package/simplesamlphp

Would you like to take care of this yourself?

If yes, please follow the workflow we have defined here:
https://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an
updated source package and send it to debian-lts@lists.debian.org
(via a debdiff, or with an URL pointing to the source package,
or even with a pointer to your packaging repository), and the members
of the LTS team will take care of the rest. Indicate clearly whether you
have tested the updated package or not.

If you don't want to take care of this update, it's not a problem, we
will do our best with your package. Just let us know whether you would
like to review and/or test the updated package before it gets released.

You can also opt-out from receiving future similar emails in your
answer and then the LTS Team will take care of simplesamlphp updates
for the LTS releases.

Thank you very much.

Raphaël Hertzog,
on behalf of the Debian LTS team.

PS: A member of the LTS team might start working on this update at
any point in time. You can verify whether someone is registered
on this update in this file:
https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup

-- 
Raphaël Hertzog ◈ Debian Developer
Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/