-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.0722
                       python-pysaml2 security update
                              26 February 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           python-pysaml2
Publisher:         Debian
Operating System:  Debian GNU/Linux
Impact/Access:     Provide Misleading Information -- Remote with User Interaction
                   Unauthorised Access            -- Remote/Unauthenticated
                   Reduced Security               -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-21239 CVE-2017-1000433
Reference:         ESB-2018.1908
                   ESB-2018.0093

Original Bulletin:
   https://lists.debian.org/debian-lts-announce/2021/02/msg00038.html

--------------------------BEGIN INCLUDED TEXT--------------------

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

-------------------------------------------------------------------------
Debian LTS Advisory DLA-2577-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                          Abhijith PA
February 26, 2021                             https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : python-pysaml2
Version        : 3.0.0-5+deb9u2
CVE ID         : CVE-2017-1000433 CVE-2021-21239
Debian Bug     : 886423 CVE-2021-21239

Several issues have been found in python-pysaml2, a pure python
implementation of the SAML Version 2 Standard.

CVE-2017-1000433

    pysaml2 accepts any password when run with python optimizations
    enabled. This allows attackers to log in as any user without knowing
    their password.

CVE-2021-21239

    pysaml2 has an improper verification of cryptographic signature
    vulnerability. Users of pysaml2 that use the default
    CryptoBackendXmlSec1 backend and need to verify signed SAML documents
    are impacted. PySAML2 does not ensure that a signed SAML document is
    correctly signed.
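The CVE-2017-1000433 entry above turns on a property of the interpreter rather than of SAML: Python's -O flag (equivalently compile(..., optimize=1)) removes every assert statement, so a password check that exists only inside an assert becomes a no-op. The following added example is constructed for this bulletin and is not pysaml2's code; it compiles an assert-based check and an explicit check at optimisation levels 0 and 1 and reports which one still rejects a wrong password.

```python
# Constructed example (not pysaml2's code): the same password check
# written two ways, compiled with and without Python optimisation.
# compile(..., optimize=1) behaves like "python -O": every assert is
# dropped, so a check that lives only inside an assert silently vanishes.
VULNERABLE_SRC = '''
def verify(stored, given):
    assert stored == given, "bad password"   # removed entirely under -O
    return True
'''

# Hardened form: an explicit comparison that is never optimised away,
# using hmac.compare_digest so the comparison runs in constant time.
HARDENED_SRC = '''
import hmac
def verify(stored, given):
    if not hmac.compare_digest(stored.encode(), given.encode()):
        raise PermissionError("bad password")
    return True
'''


def build_verify(src, optimize):
    """Compile src at the given level (0 = normal, 1 = python -O) and
    return the verify() function it defines."""
    namespace = {}
    exec(compile(src, "<password-check>", "exec", optimize=optimize), namespace)
    return namespace["verify"]


def accepts(src, optimize, stored="s3cret", given="wrong"):
    """True if verify() lets `given` through, False if it rejects it."""
    verify = build_verify(src, optimize)
    try:
        return bool(verify(stored, given))
    except (AssertionError, PermissionError):
        return False


if __name__ == "__main__":
    for level in (0, 1):
        print(f"optimize={level}: assert-based check accepts wrong password: "
              f"{accepts(VULNERABLE_SRC, level)}")
        print(f"optimize={level}: explicit check accepts wrong password: "
              f"{accepts(HARDENED_SRC, level)}")
```

At level 1 the assert-based verify() returns True for any password, while the explicit check rejects it at both levels.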
    The default CryptoBackendXmlSec1 backend uses the xmlsec1 binary to
    verify the signature of signed SAML documents, but by default xmlsec1
    accepts any type of key found within the given document. xmlsec1
    needs to be configured explicitly to use only _X.509 certificates_
    for the verification process of the SAML document signature.

For Debian 9 stretch, these problems have been fixed in version
3.0.0-5+deb9u2.

We recommend that you upgrade your python-pysaml2 packages.

For the detailed security status of python-pysaml2 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/python-pysaml2

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager.
If you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the
appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no
control over its content. The decision to follow or act on information or
advice contained in this security bulletin is the responsibility of each
user or organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still
current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----