===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.0722
                      python-pysaml2 security update
                             26 February 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           python-pysaml2
Publisher:         Debian
Operating System:  Debian GNU/Linux
Impact/Access:     Provide Misleading Information -- Remote with User Interaction
                   Unauthorised Access            -- Remote/Unauthenticated      
                   Reduced Security               -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-21239 CVE-2017-1000433 

Reference:         ESB-2018.1908
                   ESB-2018.0093

Original Bulletin: 
   https://lists.debian.org/debian-lts-announce/2021/02/msg00038.html

--------------------------BEGIN INCLUDED TEXT--------------------

-------------------------------------------------------------------------
Debian LTS Advisory DLA-2577-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                          Abhijith PA
February 26, 2021                             https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : python-pysaml2
Version        : 3.0.0-5+deb9u2
CVE ID         : CVE-2017-1000433 CVE-2021-21239
Debian Bug     : 886423 CVE-2021-21239

Several issues have been found in python-pysaml2, a pure Python
implementation of the SAML Version 2 standard.

CVE-2017-1000433

     pysaml2 accepts any password when run with Python optimizations
     enabled. This allows attackers to log in as any user without
     knowing their password.
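
     The failure mode behind CVE-2017-1000433, shown with a constructed
     example that is not pysaml2's own code: a credential check whose only
     rejection path is an `assert` is compiled away when optimizations are
     on (`python -O`), which is reproduced here in-process with
     `compile(..., optimize=1)`. The user table and function names are made
     up for the demo.

```python
"""CVE-2017-1000433 pattern: authentication via `assert` silently vanishes
under `python -O`. Constructed example, not pysaml2's code."""
import hmac

# Constructed credential store (plaintext only to keep the demo short).
USERS = {"alice": "correct horse battery staple"}

VULNERABLE_SRC = '''
def check_password(users, username, password):
    # The only rejection path is an assert: under optimisation it is deleted
    # and the function returns True for any password.
    assert users.get(username) == password, "bad credentials"
    return True
'''

def load_checker(src, optimize):
    """Compile `src` at the given optimisation level (0 = normal interpreter,
    1 = what `python -O` does) and return its check_password()."""
    ns = {}
    exec(compile(src, "<checker>", "exec", optimize=optimize), ns)
    return ns["check_password"]

def vulnerable_result(optimize, password):
    """Outcome of a login attempt for 'alice' under the given optimisation level."""
    check = load_checker(VULNERABLE_SRC, optimize)
    try:
        return check(USERS, "alice", password)
    except AssertionError:
        return False

def check_password_fixed(users, username, password):
    """Hardened check: explicit control flow, constant-time comparison, and
    no reliance on asserts surviving to runtime."""
    expected = users.get(username)
    if expected is None:
        return False
    return hmac.compare_digest(expected.encode(), password.encode())

if __name__ == "__main__":
    print("normal run, wrong password:", vulnerable_result(0, "wrong"))  # False
    print("python -O,  wrong password:", vulnerable_result(1, "wrong"))  # True (!)
    print("fixed,      wrong password:",
          check_password_fixed(USERS, "alice", "wrong"))                 # False
```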

CVE-2021-21239

     pysaml2 has an improper verification of cryptographic signature
     vulnerability. Users of pysaml2 that use the default
     CryptoBackendXmlSec1 backend and need to verify signed SAML
     documents are impacted. PySAML2 does not ensure that a signed
     SAML document is correctly signed. The default
     CryptoBackendXmlSec1 backend uses the xmlsec1 binary to
     verify the signature of signed SAML documents, but by default
     xmlsec1 accepts any type of key found within the given document.
     xmlsec1 needs to be configured explicitly to use only X.509
     certificates for the verification of the SAML document signature.
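
     The hardened xmlsec1 invocation for the CVE-2021-21239 case, as an
     added example that is not pysaml2's code: `--enabled-key-data` is the
     xmlsec1 option that limits which key material the verifier may
     consider, and `raw-x509-cert` is the name xmlsec1 gives to raw X.509
     certificate key data (confirm it against `xmlsec1 --list-key-data` on
     your build). The paths, the node name and the audit helper are
     constructed for the example.

```python
"""CVE-2021-21239 pattern: restrict which key material xmlsec1 may use when
verifying a signed SAML document. Constructed example, not pysaml2's code."""
import shlex

# Constructed values for the demo; adjust to your deployment.
XMLSEC1 = "/usr/bin/xmlsec1"
IDP_CERT = "/etc/saml/idp-signing.pem"          # IdP signing cert from metadata
ASSERTION = "urn:oasis:names:tc:SAML:2.0:assertion:Assertion"

def xmlsec1_verify_argv(signed_xml, cert_pem=IDP_CERT, node_name=ASSERTION,
                        restrict_key_data=True, xmlsec1=XMLSEC1):
    """Build the argv for verifying the signature on a SAML node with xmlsec1.

    restrict_key_data=False mirrors the weak pre-fix shape: xmlsec1 is free
    to resolve the signing key from <ds:KeyInfo> inside the supplied
    document, so a document signed with any key can verify."""
    argv = [xmlsec1, "--verify",
            "--pubkey-cert-pem", cert_pem,        # trust anchor from config
            "--id-attr:ID", node_name]            # resolve URI="#id" references
    if restrict_key_data:
        # Only raw X.509 certificate key data is eligible, i.e. the cert we
        # loaded above; key material embedded in the document is ignored.
        argv += ["--enabled-key-data", "raw-x509-cert"]
    argv.append(signed_xml)
    return argv

def argv_restricts_key_data(argv):
    """Audit helper: True only if the command pins xmlsec1 to raw X.509 key data."""
    for i, tok in enumerate(argv[:-1]):
        if tok == "--enabled-key-data":
            return set(argv[i + 1].split(",")) == {"raw-x509-cert"}
    return False   # no restriction at all: document-supplied keys are accepted

if __name__ == "__main__":
    for restricted in (False, True):
        argv = xmlsec1_verify_argv("response.xml", restrict_key_data=restricted)
        status = "OK  " if argv_restricts_key_data(argv) else "WEAK"
        print(status, shlex.join(argv))
```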

For Debian 9 stretch, these problems have been fixed in version
3.0.0-5+deb9u2.

We recommend that you upgrade your python-pysaml2 packages.

For the detailed security status of python-pysaml2 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/python-pysaml2

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================