Debian Long Term Support / LTS Security Information / 2017 / Security Information -- DLA-1205-1 simplesamlphp

Debian Security Advisory

DLA-1205-1 simplesamlphp -- LTS security update

Date Reported:

12 Dec 2017

Affected Packages:

simplesamlphp

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2017-12867, CVE-2017-12868, CVE-2017-12869, CVE-2017-12872, CVE-2017-12873, CVE-2017-12874.

More information:

The simplesamlphp package in wheezy is vulnerable to multiple attacks on authentication-related code, leading to unauthorized access and information disclosure.

• CVE-2017-12867

  The SimpleSAML_Auth_TimeLimitedToken class allows attackers with access to a secret token to extend its validity period by manipulating the prepended time offset.

• CVE-2017-12869

  The multiauth module allows remote attackers to bypass authentication context restrictions and use an authentication source defined in config/authsources.php via vectors related to improper validation of user input.

• CVE-2017-12872 / CVE-2017-12868

  The (1) Htpasswd authentication source in the authcrypt module and (2) SimpleSAML_Session class in SimpleSAMLphp 1.14.11 and earlier allow remote iattackers to conduct timing side-channel attacks by leveraging use of the standard comparison operator to compare secret material against user input.

  CVE-2017-12868 was a about an improper fix of CVE-2017-12872 in the initial patch released by upstream. We have used the correct patch.

• CVE-2017-12873

  SimpleSAMLphp might allow attackers to obtain sensitive information, gain unauthorized access, or have unspecified other impacts by leveraging incorrect persistent NameID generation when an Identity Provider (IdP) is misconfigured.

• CVE-2017-12874

  The InfoCard module for SimpleSAMLphp allows attackers to spoof XML messages by leveraging an incorrect check of return values in signature validation utilities.

For Debian 7 Wheezy, these problems have been fixed in version 1.9.2-1+deb7u1.

We recommend that you upgrade your simplesamlphp packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS