-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 - --- english/security/2018/dsa-4127.wml 2018-03-02 13:36:06.000000000 +0500 +++ russian/security/2018/dsa-4127.wml 2018-03-02 13:54:01.953180682 +0500 
@@ -1,73 +1,74 @@ - -<define-tag description>security update</define-tag> +#use wml::debian::translation-check translation="1.1" maintainer="Lev Lamberov" +<define-tag description>обновление безопаÑноÑÑи</define-tag> <define-tag moreinfo> - -<p>Several vulnerabilities have been discovered in SimpleSAMLphp, a - -framework for authentication, primarily via the SAML protocol.</p> +<p>Ð SimpleSAMLphp, инÑÑаÑÑÑÑкÑÑÑе Ð´Ð»Ñ Ð°ÑÑенÑиÑикаÑии в оÑновном по +пÑоÑÐ¾ÐºÐ¾Ð»Ñ SAML, бÑло обнаÑÑжено неÑколÑко ÑÑзвимоÑÑей.</p> <ul> <li><a href="https://security-tracker.debian.org/tracker/CVE-2017-12867">CVE-2017-12867</a> - - <p>Attackers with access to a secret token could extend its validity - - period by manipulating the prepended time offset.</p></li> + <p>ÐлоÑмÑÑленники, имеÑÑие доÑÑÑп к ÑекÑеÑÐ½Ð¾Ð¼Ñ ÑокенÑ, могÑÑ Ð¿ÑодлиÑÑ ÐµÐ³Ð¾ ÑÑок + дейÑÑвиÑ, изменÑÑ ÑмеÑение вÑемени.</p></li> <li><a href="https://security-tracker.debian.org/tracker/CVE-2017-12869">CVE-2017-12869</a> - - <p>When using the multiauth module, attackers can bypass authentication - - context restrictions and use any authentication source defined in - - the config.</p></li> + <p>ÐÑи иÑполÑзовании модÑÐ»Ñ multiauth злоÑмÑÑленник Ð¼Ð¾Ð¶ÐµÑ Ð¾Ð±Ñ Ð¾Ð´Ð¸ÑÑ Ð¾Ð³ÑаниÑÐµÐ½Ð¸Ñ + конÑекÑÑа аÑÑенÑиÑикаÑии и иÑполÑзоваÑÑ Ð»Ñбой иÑÑоÑник аÑÑенÑиÑикаÑии, опÑеделÑннÑе + в наÑÑÑÐ¾Ð¹ÐºÐ°Ñ .</p></li> <li><a href="https://security-tracker.debian.org/tracker/CVE-2017-12873">CVE-2017-12873</a> - - <p>Defensive measures have been taken to prevent the administrator - - from misconfiguring persistent NameIDs to avoid identifier clash. - - (Affects Debian 8 Jesse only.)</p></li> + <p>ÐÑли пÑедпÑинÑÑÑ Ð·Ð°ÑиÑнÑе меÑÑ Ñ ÑелÑÑ Ð¿ÑедоÑвÑаÑÐµÐ½Ð¸Ñ Ð½ÐµÐºÐ¾ÑÑекÑнÑй наÑÑÑоек + поÑÑоÑннÑÑ NameID админиÑÑÑаÑоÑом, ÑÑÐ¾Ð±Ñ Ð½Ðµ пÑоиÑÑ Ð¾Ð´Ð¸Ð»Ð¸ конÑликÑÑ Ð¸Ð´ÐµÐ½ÑиÑикаÑоÑов. 
+ (ÐÑа ÑÑзвимоÑÑÑ ÐºÐ°ÑаеÑÑÑ ÑолÑко Debian 8 Jessie.)</p></li> <li><a href="https://security-tracker.debian.org/tracker/CVE-2017-12874">CVE-2017-12874</a> - - <p>The InfoCard module could accept incorrectly signed XML messages - - in rare occasions.</p></li> + <p>ÐодÑÐ»Ñ InfoCard в ÑÐµÐ´ÐºÐ¸Ñ ÑлÑÑаÑÑ Ð¼Ð¾Ð¶ÐµÑ Ð¿ÑинимаÑÑ Ð½ÐµÐ¿ÑавилÑно подпиÑаннÑе + XML-ÑообÑениÑ.</p></li> <li><a href="https://security-tracker.debian.org/tracker/CVE-2017-18121">CVE-2017-18121</a> - - <p>The consentAdmin module was vulnerable to a Cross-Site Scripting - - attack, allowing an attacker to craft links that could execute - - arbitrary JavaScript code in the victim's browser.</p></li> + <p>ÐодÑÐ»Ñ consentAdmin ÑÑзвим к межÑайÑовом ÑкÑипÑингÑ, ÑÑо позволÑÐµÑ + злоÑмÑÑÐ»ÐµÐ½Ð½Ð¸ÐºÑ Ð¿Ð¾Ð´Ð´ÐµÐ»ÑваÑÑ ÑÑÑлки, обÑаÑение к коÑоÑÑм пÑÐ¸Ð²Ð¾Ð´Ð¸Ñ Ðº вÑÐ¿Ð¾Ð»Ð½ÐµÐ½Ð¸Ñ + пÑоизволÑного кода на ÑзÑке JavaScript в бÑаÑзеÑе жеÑÑвÑ.</p></li> <li><a href="https://security-tracker.debian.org/tracker/CVE-2017-18122">CVE-2017-18122</a> - - <p>The (deprecated) SAML 1.1 implementation would regard as valid any - - unsigned SAML response containing more than one signed assertion, - - provided that the signature of at least one of the assertions was - - valid, allowing an attacker that could obtain a valid signed - - assertion from an IdP to impersonate users from that IdP.</p></li> + <p>РеализаÑÐ¸Ñ SAML 1.1 (ÑÑÑаÑевÑаÑ) ÑаÑÑмаÑÑÐ¸Ð²Ð°ÐµÑ Ð² каÑеÑÑве пÑавилÑного лÑбой + неподпиÑаннÑй SAML-оÑвеÑ, ÑодеÑжаÑий более одного подпиÑанного ÑÑвеÑÐ¶Ð´ÐµÐ½Ð¸Ñ + пÑи ÑÑловии, ÑÑо подпиÑÑ Ñ Ð¾ÑÑ Ð±Ñ Ð¾Ð´Ð½Ð¾Ð³Ð¾ из ÑÑвеÑждений ÑвлÑеÑÑÑ Ð²ÐµÑной. 
+ ÐÑо позволÑÐµÑ Ð·Ð»Ð¾ÑмÑÑленникÑ, обладаÑÑÐµÐ¼Ñ ÑÑвеÑждением Ñ Ð¿ÑавилÑной подпиÑÑÑ + Ð¾Ñ IdP вÑдаваÑÑ ÑÐµÐ±Ñ Ð·Ð° полÑзоваÑелей ÑÑого IdP.</p></li> <li><a href="https://security-tracker.debian.org/tracker/CVE-2018-6519">CVE-2018-6519</a> - - <p>Regular expression denial of service when parsing extraordinarily - - long timestamps.</p></li> + <p>ÐÑказ в обÑлÑживании в ÑегÑлÑÑном вÑÑажении пÑи вÑполнении гÑаммаÑиÑеÑкого + ÑазбоÑа длиннÑÑ Ð²ÑеменнÑÑ Ð¼ÐµÑок.</p></li> <li><a href="https://security-tracker.debian.org/tracker/CVE-2018-6521">CVE-2018-6521</a> - - <p>Change sqlauth module MySQL charset from utf8 to utf8mb to - - prevent theoretical query truncation that could allow remote - - attackers to bypass intended access restrictions</p></li> + <p>Ðзменена кодиÑовка Ñимволов в модÑле sqlauth Ð´Ð»Ñ MySQL Ñ utf8 на utf8mb + Ñ ÑелÑÑ Ð¿ÑедоÑвÑаÑÐµÐ½Ð¸Ñ ÑеоÑеÑиÑеÑкого обÑÐµÐ·Ð°Ð½Ð¸Ñ Ð·Ð°Ð¿ÑоÑа, ÑÑо Ð¼Ð¾Ð¶ÐµÑ Ð¿Ð¾Ð·Ð²Ð¾Ð»Ð¸ÑÑ + ÑдалÑннÑм злоÑмÑÑленникам Ð¾Ð±Ñ Ð¾Ð´Ð¸ÑÑ Ð¾Ð³ÑаниÑÐµÐ½Ð¸Ñ Ð´Ð¾ÑÑÑпа</p></li> - -<li>SSPSA-201802-01 (no CVE yet) +<li>SSPSA-201802-01 (иденÑиÑикаÑÐ¾Ñ CVE пока оÑÑÑÑÑÑвÑеÑ) - - <p>Critical signature validation vulnerability.</p></li> + <p>ÐÑиÑиÑеÑÐºÐ°Ñ ÑÑзвимоÑÑÑ Ð² коде пÑовеÑки подпиÑи.</p></li> </ul> - -<p>For the oldstable distribution (jessie), these problems have been fixed - -in version 1.13.1-2+deb8u1.</p> +<p>РпÑедÑдÑÑем ÑÑабилÑном вÑпÑÑке (jessie) ÑÑи пÑÐ¾Ð±Ð»ÐµÐ¼Ñ Ð±Ñли иÑпÑÐ°Ð²Ð»ÐµÐ½Ñ +в веÑÑии 1.13.1-2+deb8u1.</p> - -<p>For the stable distribution (stretch), these problems have been fixed in - -version 1.14.11-1+deb9u1.</p> +<p>Ð ÑÑабилÑном вÑпÑÑке (stretch) ÑÑи пÑÐ¾Ð±Ð»ÐµÐ¼Ñ Ð±Ñли иÑпÑÐ°Ð²Ð»ÐµÐ½Ñ Ð² +веÑÑии 1.14.11-1+deb9u1.</p> - -<p>We recommend that you upgrade your simplesamlphp packages.</p> +<p>РекомендÑеÑÑÑ Ð¾Ð±Ð½Ð¾Ð²Ð¸ÑÑ Ð¿Ð°ÐºÐµÑÑ simplesamlphp.</p> - -<p>For the detailed security status of simplesamlphp please refer to - -its security tracker page at: +<p>С подÑобнÑм ÑÑаÑÑÑом поддеÑжки безопаÑноÑÑи simplesamlphp можно 
ознакомиÑÑÑÑ Ð½Ð° +ÑооÑвеÑÑÑвÑÑÑей ÑÑаниÑе оÑÑÐ»ÐµÐ¶Ð¸Ð²Ð°Ð½Ð¸Ñ Ð±ÐµÐ·Ð¾Ð¿Ð°ÑноÑÑи по адÑеÑÑ <a href="https://security-tracker.debian.org/tracker/simplesamlphp">\ https://security-tracker.debian.org/tracker/simplesamlphp</a></p> </define-tag> -----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
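Review bot: In the CVE-2018-6521 item, the added paragraph carries the charset name "utf8mb" over unchanged from the English line ("from utf8 to utf8mb"). MySQL's four-byte UTF-8 charset is named utf8mb4, so this reads as a truncated name in the source that the translation now repeats. I suggest confirming the name against the English original and correcting it in both files rather than translating it as-is. Two smaller points in the same hunk: the CVE-2018-6519 item renders "extraordinarily long timestamps" as plain "long timestamps", dropping the qualifier that tells the reader the input has to be abnormally long; and in the CVE-2017-18121 item the adjective in front of the word for "scripting" is not in the dative case that the preceding preposition requires.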