Debian Security Advisory
DLA-1205-1 simplesamlphp -- LTS security update
- Date Reported:
- 12 Dec 2017
- Affected Packages:
- Security database references:
- In Mitre's CVE dictionary: CVE-2017-12867, CVE-2017-12868, CVE-2017-12869, CVE-2017-12872, CVE-2017-12873, CVE-2017-12874.
- More information:
The simplesamlphp package in wheezy is vulnerable to multiple attacks on authentication-related code, leading to unauthorized access and information disclosure.
The SimpleSAML_Auth_TimeLimitedToken class allows attackers with access to a secret token to extend its validity period by manipulating the prepended time offset.
The multiauth module allows remote attackers to bypass authentication context restrictions and use an authentication source defined in config/authsources.php via vectors related to improper validation of user input.
- CVE-2017-12872 /
The (1) Htpasswd authentication source in the authcrypt module and (2) SimpleSAML_Session class in SimpleSAMLphp 1.14.11 and earlier allow remote iattackers to conduct timing side-channel attacks by leveraging use of the standard comparison operator to compare secret material against user input.
CVE-2017-12868 was a about an improper fix of CVE-2017-12872 in the initial patch released by upstream. We have used the correct patch.
SimpleSAMLphp might allow attackers to obtain sensitive information, gain unauthorized access, or have unspecified other impacts by leveraging incorrect persistent NameID generation when an Identity Provider (IdP) is misconfigured.
The InfoCard module for SimpleSAMLphp allows attackers to spoof XML messages by leveraging an incorrect check of return values in signature validation utilities.
For Debian 7
Wheezy, these problems have been fixed in version 1.9.2-1+deb7u1.
We recommend that you upgrade your simplesamlphp packages.
Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS