-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.4158
                        simplesamlphp security update
                               7 November 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           simplesamlphp
Publisher:         Debian
Operating System:  Debian GNU/Linux 10
                   Debian GNU/Linux 10
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Unauthorised Access -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-3465

Original Bulletin:
   http://www.debian.org/security/2019/dsa-4560

Comment: This advisory references vulnerabilities in products which run on
         platforms other than Debian. It is recommended that administrators
         running simplesamlphp check for an updated version of the software
         for their operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-4560-1                   security@debian.org
https://www.debian.org/security/                          Thijs Kinkhorst
November 06, 2019                     https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : simplesamlphp
CVE ID         : CVE-2019-3465
Debian Bug     : 944107

It was discovered that in SimpleSAMLphp, an implementation of the SAML 2.0
protocol, it was possible to circumvent XML signature verification on SAML
messages.

For the oldstable distribution (stretch), this problem has been fixed
in version 1.14.11-1+deb9u2.

For the stable distribution (buster), this problem has been fixed in
version 1.16.3-1+deb10u1.

We recommend that you upgrade your simplesamlphp packages.

For the detailed security status of simplesamlphp please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/simplesamlphp

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEEeANVtepr/II1qZxLVvYaeUAdrAQFAl3CzIcACgkQVvYaeUAd
rARHbwf/TlhDePOiIIGBGEEt1K89UPnDATXVqMjGRCn+ipH5wR6Y9inKVS9eYHfx
TkmRfApMgc/2CPATPpZM6dojlccpW5hWPDG9ni1nIYoRjI7LfNKuTTl9Z1Gwhwm3
nXGNNZa8ukpeqcBhjrOOgWc+BXX7T6kzRTaNJChwsMUBdlBLiP9TNwc2n4xfOghA
7Kz/doablBBROED0jC33VvFCjghVecDOK94wmmUjYRpb/kaqFx9XYxjUyvAWsfQD
AKAgdpJHK5oZs+fwokZAEFMnPhaSHcVsbJSNAA8xIgv6lg/8BrDEipw8dRAY/X9S
EDQC1qRgiEtfS38PxuXSV5puqZ6JWQ==
=WW8m
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXcNcJmaOgq3Tt24GAQgT+RAAmHW10zGCBI9hEkyfFUO7gl3JBsgqGf0E
mwSpSymptslLTxwXpMLzsE6sK+hDj2xFyj0qd8PxCBp9Cw/gkgCxlQsdEuCs63Ax
ORXwQUvKpx6etT5w0/fb1uqai6LLnNpz+XjEmfuK/XtV4gWM0CaN+yLG6q+qoSXx
u0M0DpjolFxy/o2Mae/u0Lsex/4OU2EK31d+mg0TeTdgqPmfmwqSKAlvZ1USGj8a
maYbPq+gUobmjr7bHBt+K7vMpFEq0kwMdgSkfatBDBg3yEyr61j8vgmXhVU2oaTz
FdYBR7UMvBJVSdC58MmXjj5GDxZ9FBHrkd0sITGeTV2ls/zPaKYhIB3yWYfYaiT9
3nARqJb+JCMMBdd2/1tIuZFsMm6cFkBwg59y3/YPm5J4iQqyO/ryQL74/jho8XN6
NJz00N+cvN6WEVFf5kMevBzLJ/wPgj0EnlKhH2JNOfF9WlBq35kxZx/fOzRIGCC7
6g0i/5ZAMl10HjB1i/4DWl3rSBhm6VuA2V0JepUpkonjaOrGfebw9e26C9PnWLUq
DvQ/Tt52dHWVOVrfVCjHjbApm0NT9Zz4SXd7QF9F1TrAQOj8autTb6ax7pr2TmBn
6U72BY5hIzgc3H+wPIiVj1RwTWhMNUkuDdrHKayEppVb/WpThyXyi64dMzgYyzBc
jhg2+kLIv1o=
=y6xF
-----END PGP SIGNATURE-----