Re: Wheezy update of simplesamlphp?

2018-02-06 Thread Raphael Hertzog
Hi,

On Sun, 04 Feb 2018, Ola Lundqvist wrote:
> No worry. It was my mistake. I did not expect that someone else would
> do triaging when I was at front desk. You did nothing wrong. I'll try
> to be a little more observant next time. :-)

Just to be clear. Abhijith did not have to do this since he was not
assigned to frontdesk. That's the best way to avoid duplicate work.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/



Re: Wheezy update of simplesamlphp?

2018-02-04 Thread Ola Lundqvist
Hi

No worry. It was my mistake. I did not expect that someone else would
do triaging when I was at front desk. You did nothing wrong. I'll try
to be a little more observant next time. :-)

// Ola

On 4 February 2018 at 11:35, Abhijith PA  wrote:
> Removed 
>
> On Sunday 04 February 2018 02:37 AM, Ola Lundqvist wrote:
>> Hi
>>
>> Sorry for the duplicate. I did not realize that someone else had sent
>> this message already.
>>
>> // Ola
>>
>
> Sorry for the confusion. What is the best solution to avoid this in
> future?
>



-- 
 --- Inguza Technology AB --- MSc in Information Technology ---
/  o...@inguza.com      Folkebogatan 26                          \
|  o...@debian.org      654 68 KARLSTAD                          |
|  http://inguza.com/   Mobile: +46 (0)70-332 1551               |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
 ---



Re: Wheezy update of simplesamlphp?

2018-02-04 Thread Abhijith PA
Removed 

On Sunday 04 February 2018 02:37 AM, Ola Lundqvist wrote:
> Hi
> 
> Sorry for the duplicate. I did not realize that someone else had sent
> this message already.
> 
> // Ola
> 

Sorry for the confusion. What is the best solution to avoid this in
future?



Re: Wheezy update of simplesamlphp?

2018-02-03 Thread Ola Lundqvist
Hi

Sorry for the duplicate. I did not realize that someone else had sent
this message already.

// Ola

On 3 February 2018 at 21:14, Ola Lundqvist  wrote:
> Dear maintainer,
>
> The Debian LTS team would like to fix the security issues which are
> currently open in the Wheezy version of simplesamlphp:
> https://security-tracker.debian.org/tracker/CVE-2017-18121
> https://security-tracker.debian.org/tracker/CVE-2017-18122
>
> Would you like to take care of this yourself?
>
> If yes, please follow the workflow we have defined here:
> https://wiki.debian.org/LTS/Development
>
> If that workflow is a burden to you, feel free to just prepare an
> updated source package and send it to debian-lts@lists.debian.org
> (via a debdiff, or with an URL pointing to the source package,
> or even with a pointer to your packaging repository), and the members
> of the LTS team will take care of the rest. Indicate clearly whether you
> have tested the updated package or not.
>
> If you don't want to take care of this update, it's not a problem, we
> will do our best with your package. Just let us know whether you would
> like to review and/or test the updated package before it gets released.
>
> You can also opt-out from receiving future similar emails in your
> answer and then the LTS Team will take care of simplesamlphp updates
> for the LTS releases.
>
> Thank you very much.
>
> Ola Lundqvist,
>   on behalf of the Debian LTS team.
>
> PS: A member of the LTS team might start working on this update at
> any point in time. You can verify whether someone is registered
> on this update in this file:
> https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup
>






Wheezy update of simplesamlphp ?

2018-02-03 Thread Abhijith PA

Dear maintainer(s),

The Debian LTS team would like to fix the security issues which are
currently open in the Wheezy version of simplesamlphp:
https://security-tracker.debian.org/tracker/CVE-2017-18121
https://security-tracker.debian.org/tracker/CVE-2017-18122

Would you like to take care of this yourself?

If yes, please follow the workflow we have defined here:
https://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an
updated source package and send it to debian-lts@lists.debian.org
(via a debdiff, or with an URL pointing to the source package,
or even with a pointer to your packaging repository), and the members
of the LTS team will take care of the rest. Indicate clearly whether you
have tested the updated package or not.

If you don't want to take care of this update, it's not a problem, we
will do our best with your package. Just let us know whether you would
like to review and/or test the updated package before it gets released.

You can also opt-out from receiving future similar emails in your
answer and then the LTS Team will take care of simplesamlphp updates
for the LTS releases.

Thank you very much.

Abhijith PA,
  on behalf of the Debian LTS team.

PS: A member of the LTS team might start working on this update at
any point in time. You can verify whether someone is registered
on this update in this file:
https://salsa.debian.org/security-tracker-team/security-tracker/raw/master/data/dla-needed.txt




Re: Wheezy update of simplesamlphp?

2017-11-30 Thread Raphael Hertzog
Hello Thijs,

On Mon, 04 Sep 2017, Thijs Kinkhorst wrote:
> On Wed, August 30, 2017 16:26, Raphael Hertzog wrote:
> > The Debian LTS team would like to fix the security issues which are
> > currently open in the Wheezy version of simplesamlphp:
> > https://security-tracker.debian.org/tracker/source-package/simplesamlphp
> >
> > Would you like to take care of this yourself?
> 
> None of this is particularly worrisome, but together an update might be
> worthwhile. I'll see what I can do.

I prepared an update fixing all CVEs except CVE-2017-12870, which I marked as
ignored on wheezy because aesEncrypt/aesDecrypt in this version use a different
implementation based on mcrypt rather than openssl, and it doesn't look
worth reimplementing the fix entirely.

It would be nice if you (and/or other LTS users) could test the package (I
did absolutely no tests so far, except building the package):
$ dget https://people.debian.org/~hertzog/packages/simplesamlphp_1.9.2-1+deb7u1_amd64.changes

The debdiff is attached if you want to review it, too.

Cheers,
diff -Nru simplesamlphp-1.9.2/debian/changelog 
simplesamlphp-1.9.2/debian/changelog
--- simplesamlphp-1.9.2/debian/changelog2012-08-29 17:45:36.0 
+0200
+++ simplesamlphp-1.9.2/debian/changelog2017-11-30 15:07:03.0 
+0100
@@ -1,3 +1,15 @@
+simplesamlphp (1.9.2-1+deb7u1) wheezy-security; urgency=high
+
+  * Non-maintainer upload by the Debian LTS Team.
+  * Fix CVE-2017-12867: Invalid token creation and validation
+  * Fix CVE-2017-12869: Authentication context bypass in the multiauth module
+  * Fix CVE-2017-12872: Multiple timing side-channel issues
+(use the patch fixed for CVE-2017-12868 too)
+  * Fix CVE-2017-12873: Incorrect persistent NameID generation
+  * Fix CVE-2017-12874: incorrect signature verification
+
+ -- Raphaël Hertzog   Thu, 30 Nov 2017 15:07:03 +0100
+
 simplesamlphp (1.9.2-1) unstable; urgency=medium
 
   * New upstream security release:
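Review bot: the changelog leaves out two things a reader of the tracker will look for. CVE-2017-12868 is fixed by this upload (its patch is pulled in under the CVE-2017-12872 bullet, "use the patch fixed for CVE-2017-12868 too") but gets no entry of its own, and CVE-2017-12870 is deliberately not addressed (marked ignored on wheezy in the cover mail) without a line saying so. Give CVE-2017-12868 its own "* Fix CVE-2017-12868: ..." bullet and add a short note that CVE-2017-12870 is intentionally left out, so the DLA text and the tracker entries match the changelog. Minor: capitalise "incorrect" in the CVE-2017-12874 entry to match the other bullets.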
diff -Nru simplesamlphp-1.9.2/debian/patches/CVE-2017-12867.patch 
simplesamlphp-1.9.2/debian/patches/CVE-2017-12867.patch
--- simplesamlphp-1.9.2/debian/patches/CVE-2017-12867.patch 1970-01-01 
01:00:00.0 +0100
+++ simplesamlphp-1.9.2/debian/patches/CVE-2017-12867.patch 2017-11-30 
15:07:03.0 +0100
@@ -0,0 +1,17 @@
+Description: Fix CVE-2017-12867: Invalid token creation and validation
+ See https://simplesamlphp.org/security/201708-01
+Origin: backport, 
https://github.com/simplesamlphp/simplesamlphp/commit/608f24c2d5afd70c2af050785d2b12f878b33c68
+Last-Update: 2017-11-30
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/lib/SimpleSAML/Auth/TimeLimitedToken.php
 b/lib/SimpleSAML/Auth/TimeLimitedToken.php
+@@ -55,7 +55,7 @@ class SimpleSAML_Auth_TimeLimitedToken {
+   
+   #echo 'Calculating sha1( ' . 
$this->calculate_time_slot($offset) . ':' . $this->secretSalt . '  )';
+   
+-  return sha1( $this->calculate_time_slot($offset) . ':' . 
$this->secretSalt);
++  return sha1($offset . ':' . $this->calculate_time_slot($offset) 
. ':' . $this->secretSalt);
+   }
+   
+   /**
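Review bot: the commented-out debug line left two lines above the changed return ("#echo 'Calculating sha1( ' . $this->calculate_time_slot($offset) . ':' . $this->secretSalt . ' )'") still shows the old time_slot:salt formula, so after this patch it documents the vulnerable computation rather than the fixed one; either drop it or update it to include $offset in the same position as the new return line. The DEP-3 header is otherwise fine (Description, Origin with the upstream commit, Last-Update), though a Bug field pointing at the security tracker entry for CVE-2017-12867 would make the metadata complete.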
diff -Nru simplesamlphp-1.9.2/debian/patches/CVE-2017-12869.patch 
simplesamlphp-1.9.2/debian/patches/CVE-2017-12869.patch
--- simplesamlphp-1.9.2/debian/patches/CVE-2017-12869.patch 1970-01-01 
01:00:00.0 +0100
+++ simplesamlphp-1.9.2/debian/patches/CVE-2017-12869.patch 2017-11-30 
15:07:03.0 +0100
@@ -0,0 +1,31 @@
+From f1e485284dd428ab3cd9500c62e19c7c7234be9a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jaime=20Pe=CC=81rez=20Crespo?= 
+Date: Fri, 5 May 2017 11:36:42 +0200
+Subject: [PATCH] bugfix: Allow only valid auth sources in MultiAuth.
+
+The configuration of the MultiAuth authentication source specifies the auth 
sources that the user is presented with when asked for authentication. However, 
there was no proper check for the auth source selected by the user to ensure it 
is one of those allowed for MultiAuth.
+
+See https://simplesamlphp.org/security/201704-02
+
+Origin: upstream, 
https://github.com/simplesamlphp/simplesamlphp/commit/f1e485284dd428ab3cd9500c62e19c7c7234be9a
+---
+ modules/multiauth/lib/Auth/Source/MultiAuth.php | 8 +++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/modules/multiauth/lib/Auth/Source/MultiAuth.php
 b/modules/multiauth/lib/Auth/Source/MultiAuth.php
+@@ -144,7 +144,13 @@ class sspmod_multiauth_Auth_Source_Multi
+   assert('is_array($state)');
+ 
+   $as = SimpleSAML_Auth_Source::getById($authId);
+-  if ($as === NULL) {
++  $valid_sources = array_map(
++  function($src) {
++  return $src['source'];
++ 
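Review bot: in the MultiAuth hunk the user-supplied $authId is resolved with SimpleSAML_Auth_Source::getById($authId) before the $valid_sources allow-list is even built, so an arbitrary configured auth source is still looked up and only rejected afterwards; consider building $valid_sources first and checking membership (for example in_array($authId, $valid_sources, true)) before the getById call, so the lookup never runs on unvetted input. Note also that the debdiff as attached here is cut off inside the array_map closure, so the actual comparison against $valid_sources and the rest of the hunk cannot be reviewed from this copy.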

Re: Wheezy update of simplesamlphp?

2017-09-04 Thread Thijs Kinkhorst
Hi Raphael,

On Wed, August 30, 2017 16:26, Raphael Hertzog wrote:
> The Debian LTS team would like to fix the security issues which are
> currently open in the Wheezy version of simplesamlphp:
> https://security-tracker.debian.org/tracker/source-package/simplesamlphp
>
> Would you like to take care of this yourself?

None of this is particularly worrisome, but together an update might be
worthwhile. I'll see what I can do.


Cheers,
Thijs



Wheezy update of simplesamlphp?

2017-08-30 Thread Raphael Hertzog
Hello Thijs,

The Debian LTS team would like to fix the security issues which are
currently open in the Wheezy version of simplesamlphp:
https://security-tracker.debian.org/tracker/source-package/simplesamlphp

Would you like to take care of this yourself?

If yes, please follow the workflow we have defined here:
https://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an
updated source package and send it to debian-lts@lists.debian.org
(via a debdiff, or with an URL pointing to the source package,
or even with a pointer to your packaging repository), and the members
of the LTS team will take care of the rest. Indicate clearly whether you
have tested the updated package or not.

If you don't want to take care of this update, it's not a problem, we
will do our best with your package. Just let us know whether you would
like to review and/or test the updated package before it gets released.

You can also opt-out from receiving future similar emails in your
answer and then the LTS Team will take care of simplesamlphp updates
for the LTS releases.

Thank you very much.

Raphaël Hertzog,
  on behalf of the Debian LTS team.

PS: A member of the LTS team might start working on this update at
any point in time. You can verify whether someone is registered
on this update in this file:
https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup