[Bug 1919419] Re: Phishing vulnerability: Template generation allows external parameters to override placeholders
This bug was fixed in the package shibboleth-sp - 3.0.4+dfsg1-1ubuntu0.1

---
shibboleth-sp (3.0.4+dfsg1-1ubuntu0.1) focal-security; urgency=high

  * SECURITY UPDATE: Fix a phishing vulnerability: Template generation
    allows external parameters to override placeholders (LP: #1919419)
    - debian/patches/SSPCPP-922-Add-externalParameters-option-to-Errors-element.patch:
      Add externalParameters option to Errors element
    - https://shibboleth.net/community/advisories/secadv_20210317.txt
    - https://issues.shibboleth.net/jira/browse/SSPCPP-922
    - CVE-2021-28963

 -- Etienne Dysli Metref  Thu, 18 Mar 2021 12:22:53 +0100

** Changed in: shibboleth-sp (Ubuntu) Status: In Progress => Fix Released

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1919419

Title:
  Phishing vulnerability: Template generation allows external parameters to override placeholders

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/shibboleth-sp/+bug/1919419/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1919419] Re: Phishing vulnerability: Template generation allows external parameters to override placeholders
** Changed in: shibboleth-sp (Ubuntu) Status: New => In Progress
[Bug 1919419] Re: Phishing vulnerability: Template generation allows external parameters to override placeholders
I have pushed the focal update to the security-proposed ppa at https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages ; any testing that anyone could give once it is done building would be appreciated.

Thanks!
[Bug 1919419] Re: Phishing vulnerability: Template generation allows external parameters to override placeholders
Hey Etienne,

Thanks for submitting the debdiff. I'm taking a look in more detail, but on first glance it looks good to me. If all goes well, I'll push it up to our security-proposed in a bit.

** Changed in: shibboleth-sp (Ubuntu) Assignee: (unassigned) => Steve Beattie (sbeattie)
[Bug 1919419] Re: Phishing vulnerability: Template generation allows external parameters to override placeholders
Is there something missing from the proposed patch?
[Bug 1919419] Re: Phishing vulnerability: Template generation allows external parameters to override placeholders
Assigned CVE: 2021-28963
https://security-tracker.debian.org/tracker/CVE-2021-28963

For some reason, the "link to CVE" on the right rejects "2021-28963"...

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-28963
[Bug 1919419] Re: Phishing vulnerability: Template generation allows external parameters to override placeholders
** Changed in: shibboleth-sp (Debian) Status: Confirmed => Fix Released
[Bug 1919419] Re: Phishing vulnerability: Template generation allows external parameters to override placeholders
** Changed in: shibboleth-sp (Ubuntu) Importance: Undecided => Medium