Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2019.4158
simplesamlphp security update
7 November 2019
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: simplesamlphp
Publisher: Debian
Operating System: Debian GNU/Linux 10
Debian GNU/Linux 10
UNIX variants (UNIX, Linux, OSX)
Impact/Access: Unauthorised Access -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2019-3465
Original Bulletin:
http://www.debian.org/security/2019/dsa-4560
Comment: This advisory references vulnerabilities in products which run on
platforms other than Debian. It is recommended that administrators
running simplesamlphp check for an updated version of the software
for their operating system.
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
- - -------------------------------------------------------------------------
Debian Security Advisory DSA-4560-1 security@debian.org
https://www.debian.org/security/ Thijs Kinkhorst
November 06, 2019 https://www.debian.org/security/faq
- - -------------------------------------------------------------------------
Package : simplesamlphp
CVE ID : CVE-2019-3465
Debian Bug : 944107
It was discovered that in SimpleSAMLphp, an implementation of the
SAML 2.0 protocol, it was possible to circumvent XML signature
verification on SAML messages.
For the oldstable distribution (stretch), this problem has been fixed
in version 1.14.11-1+deb9u2.
For the stable distribution (buster), this problem has been fixed in
version 1.16.3-1+deb10u1.
We recommend that you upgrade your simplesamlphp packages.
For the detailed security status of simplesamlphp please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/simplesamlphp
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
iQEzBAEBCAAdFiEEeANVtepr/II1qZxLVvYaeUAdrAQFAl3CzIcACgkQVvYaeUAd
rARHbwf/TlhDePOiIIGBGEEt1K89UPnDATXVqMjGRCn+ipH5wR6Y9inKVS9eYHfx
TkmRfApMgc/2CPATPpZM6dojlccpW5hWPDG9ni1nIYoRjI7LfNKuTTl9Z1Gwhwm3
nXGNNZa8ukpeqcBhjrOOgWc+BXX7T6kzRTaNJChwsMUBdlBLiP9TNwc2n4xfOghA
7Kz/doablBBROED0jC33VvFCjghVecDOK94wmmUjYRpb/kaqFx9XYxjUyvAWsfQD
AKAgdpJHK5oZs+fwokZAEFMnPhaSHcVsbJSNAA8xIgv6lg/8BrDEipw8dRAY/X9S
EDQC1qRgiEtfS38PxuXSV5puqZ6JWQ==
=WW8m
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBXcNcJmaOgq3Tt24GAQgT+RAAmHW10zGCBI9hEkyfFUO7gl3JBsgqGf0E
mwSpSymptslLTxwXpMLzsE6sK+hDj2xFyj0qd8PxCBp9Cw/gkgCxlQsdEuCs63Ax
ORXwQUvKpx6etT5w0/fb1uqai6LLnNpz+XjEmfuK/XtV4gWM0CaN+yLG6q+qoSXx
u0M0DpjolFxy/o2Mae/u0Lsex/4OU2EK31d+mg0TeTdgqPmfmwqSKAlvZ1USGj8a
maYbPq+gUobmjr7bHBt+K7vMpFEq0kwMdgSkfatBDBg3yEyr61j8vgmXhVU2oaTz
FdYBR7UMvBJVSdC58MmXjj5GDxZ9FBHrkd0sITGeTV2ls/zPaKYhIB3yWYfYaiT9
3nARqJb+JCMMBdd2/1tIuZFsMm6cFkBwg59y3/YPm5J4iQqyO/ryQL74/jho8XN6
NJz00N+cvN6WEVFf5kMevBzLJ/wPgj0EnlKhH2JNOfF9WlBq35kxZx/fOzRIGCC7
6g0i/5ZAMl10HjB1i/4DWl3rSBhm6VuA2V0JepUpkonjaOrGfebw9e26C9PnWLUq
DvQ/Tt52dHWVOVrfVCjHjbApm0NT9Zz4SXd7QF9F1TrAQOj8autTb6ax7pr2TmBn
6U72BY5hIzgc3H+wPIiVj1RwTWhMNUkuDdrHKayEppVb/WpThyXyi64dMzgYyzBc
jhg2+kLIv1o=
=y6xF
-----END PGP SIGNATURE-----