Patch for focal copied from Debian buster's 3.0.4 security fix. ** Description changed:
- Upstream has given advance warning that a security patch would be - released on 2021-03-17 (USA time). See - https://shibboleth.net/pipermail/users/2021-March/049488.html - - Details to be published at + Upstream advisory: https://shibboleth.net/community/advisories/secadv_20210317.txt -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Shibboleth Service Provider Security Advisory [17 March 2021] An updated version of the Service Provider software is available which fixes a phishing vulnerability. Template generation allows external parameters to override placeholders ====================================================================== The SP includes a primitive template engine used to render error pages and various other status or transition pages, and it supports a syntax for embedding placeholders that are replaced by internally supplied values or configuration settings. For reasons that are unclear in the code history, it was extended to allow replacement via query parameters also, though this is not a typical need. Because of this feature, it's possible to cause the SP to display some templates containing values supplied externally by - URL manipulation. Though the values are encoded to prevent script - injection, the content nevertheless appears to come from the server - and so would be interpreted as trustworthy, allowing email addresses, - logos, or support URLs to be manipulated by an attacker. + URL manipulation. + + Though the values are encoded to prevent script injection, the content + nevertheless appears to come from the server and so would be interpreted + as trustworthy, allowing email addresses, logos and style sheets, or + support URLs to be manipulated by an attacker. All platforms are impacted by this issue. Recommendations =============== Update to V3.2.1 or later of the Service Provider software, which is now available. The update adds a new <Errors> setting to the configuration called externalParameters, which defaults to false. When false, support for this "feature" is disabled. In the unlikely event that a valid need for this exists, the setting can be enabled temporarily to maintain function until the use case requiring it is addressed in some other way. + In the event that an update is not possible, reducing or eliminating + some of the more sensitive template replacement values with static + values in the templates may decrease the impact. + Other Notes =========== The cpp-sp git commit containing the fix for this issue is d1dbebfadc1bdb824fea63843c4c38fa69e54379 + Credits + ======= + Toni Huttunen, Fraktal Oy + + + History + ======= + Edited to add credit, and a bit more discussion of style sheet risk + and workarounds. + URL for this Security Advisory: https://shibboleth.net/community/advisories/secadv_20210317.txt -----BEGIN PGP SIGNATURE----- - iQIzBAEBCgAdFiEE3KoVAHvtneaQzZUjN4uEVAIneWIFAmBR7sAACgkQN4uEVAIn - eWLVdw//VSixULMxvdqzJNP7UASXDvtw7GEfAXvUb8SGJ5cFcElu8QSlzqvUB3v5 - XUrLJ4RUbHuOXiaNbfZWvPhAldIH3NoQFidwLQFiiF6afLmmSvof/2Xqnhs2DT/y - n2lj2vRUs/vVDfrpvevnd1NByrnFTVi/BhYxZaF8A6Xc9WZG/i0donrh29NW6h1i - SBoyHtW/AQZxLjSRlj2e70i8e7k0BTllHkxEsMhIzO5PkUWRhvNeLSA4M402M6dm - 8DPyt16vRFTvwYmBcRvYSt3qS/4BSDskzqEl7dkRumUHveIg6p8y12oRzQiZypLo - v6EEE/DJ3C6EwxQxoXfYcXWQwPcX1Br0A1JD+twBg10QYMW0foLppvHaj0CX8Xpa - n3/kMsEHyKoFef/U2F3UDOFPUfGEi+GgLssUJljIO5DgkujWg04/+Ue78Qd5pBeF - 004Aa3EW/HIBAdoCO7KROtSiyyQHLkoh928soSq0GFpbCoEngsDzeJe273bJLAw2 - dfV6wq4jqbbf2PE9xFv5GqxI5bbTId70wVo1LG13oI51YtHcy0AnRhm/Kmp3MeUv - ellYvmvUZAGwQOoapD6Qza47JtYwoNdHGQPbCSEgnU9v87xlys0Gy/ThRit9te+c - M66pBMi3o4i5dIEbyvZOCSOekeFBwRP02yuwh8yV0MbUsOEUffw= - =Kl5A + iQIzBAEBCgAdFiEE3KoVAHvtneaQzZUjN4uEVAIneWIFAmBSD+MACgkQN4uEVAIn + eWJQtBAAp3xxDvDxiQ3bNw+vwJmEOVjJMlwLjBQPmYvV09Pu593xuQj4RWLbZRgK + lZlxHzvXb6dg+bHNl799uCFhcWe8NExB5GnTQPR8/JG1OwgJ0WogezpMYAAvKjkA + LXaDsz7u4DDQ4OBYemkMx3W+0CHhYPw+TLz9rHN+rAKOEGzPLWDT/cKJ75ps19/v + hnQKZ7i7mQobh61zAe5rpi+ziWmDqhzFv4uBOwbuY02UYZQm6+D3BRqAf62Cjnyh + Z/nuZ6Z/5BxitDZBPPSreSl7sMHYzI83RDZGHWgEDjHKZdpYSXpUM3vntuC1pdaO + r4izd97H7nptnuznslu1S0NfkeZlWF3XaaMa8ZrCvMvC62MVK+WvOgFZxE5wmeDZ + 3f9Eei//LTE4+B1rQPU99wNbgXdelfXWKkN6hHIXcSlfqG4miAONA86U39JuNovy + S66o9uQG3y55Qp9YcGAca4/9azmr8xQlcKTPFfp2tJrvCwmK3yu0TPbeirPpE9SN + eJhl3/cCenOyN9pMZOZ9MqeIPdlkJ1Qwcd1xs/Jyzqo/LTsvnzVTzaCx0lc6qy/Z + ld3Amkcpo/K2NajWjFVvwx72Yj4Y3DCUvlDrQcNM8Oc2Sv195EDJpXIW8ynqB9aZ + RJUrsmhKRcQKMbfGlHAToMREruW1i3jH1twqS/IOxe7Z4jg5u3A= + =tv1A -----END PGP SIGNATURE----- + + Upstream bug: https://issues.shibboleth.net/jira/browse/SSPCPP-922 + Upstream patch: https://git.shibboleth.net/view/?p=cpp-sp.git;a=commit;h=d1dbebfadc1bdb824fea63843c4c38fa69e54379 ** Summary changed: - Template generation allows external parameters to override placeholders + Phishing vulnerability: Template generation allows external parameters to override placeholders ** Patch added: "Patch for focal" https://bugs.launchpad.net/debian/+source/shibboleth-sp/+bug/1919419/+attachment/5477904/+files/1-3.0.4+dfsg1-1ubuntu1.debdiff -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1919419 Title: Phishing vulnerability: Template generation allows external parameters to override placeholders To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/shibboleth-sp/+bug/1919419/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
