opensaml2 security advisory (CVE-2011-1411)

Bug #817199 reported by Joshua Daniel Franklin
Affects: opensaml2 (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned
Milestone: (none listed)

Bug Description

Shibboleth Security Advisory [25 July 2011]

Updated versions of the Shibboleth Project's OpenSAML software in
Java and C++ are available which correct a security issue.

This general issue affects BOTH Identity and Service Provider
deployments, so a single advisory is being issued for both.

For the Identity Provider, this issue is rated as "important". An
unauthenticated remote attacker could leverage the flaw to obtain
unauthorized access to user data under certain circumstances.

For the Service Provider, this issue is rated as "critical", and
allows an unauthenticated remote attacker to access protected
resources.

Deployers should take immediate steps as outlined in this advisory
and apply the relevant update(s) at the soonest possible moment.

Original:
http://shibboleth.internet2.edu/secadv/secadv_20110725.txt

Debian:
http://www.debian.org/security/2011/dsa-2284

For the oldstable distribution (lenny), this problem has been fixed in version 2.0-2+lenny3.

For the stable distribution (squeeze), this problem has been fixed in version 2.3-2+squeeze1.

Joshua Daniel Franklin (joshuadfranklin) wrote :

So, basically please sync opensaml2 in lucid from debian squeeze http://packages.debian.org/source/squeeze/opensaml2

Joshua Daniel Franklin (joshuadfranklin) wrote :

I created a PPA for this update (including just the update from debian):
https://launchpad.net/~joshuadfranklin/+archive/ppa

debdiff is at
https://launchpad.net/~joshuadfranklin/+archive/ppa/+files/opensaml2_2.3-1build2_2.3-1build2ppa1.diff.gz

you can test thusly:

cat <<EOF > /etc/apt/sources.list.d/joshuadfranklin-ppa.list
deb http://ppa.launchpad.net/joshuadfranklin/ppa/ubuntu lucid main
deb-src http://ppa.launchpad.net/joshuadfranklin/ppa/ubuntu lucid main
EOF
gpg --recv-keys 75BA62B3B973066B
gpg --export --armor 75BA62B3B973066B | apt-key add -
apt-get update
apt-get upgrade
/etc/init.d/shibd restart
/etc/init.d/apache2 restart

visibility: private → public
Changed in opensaml2 (Ubuntu):
status: New → Triaged
Marc Deslauriers (mdeslaur) wrote :

Thanks for the debdiff! I'm uploading it to lucid-security now, with a slightly changed changelog.
Update will be released in a few hours.

Changed in opensaml2 (Ubuntu):
status: Triaged → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package opensaml2 - 2.3-1ubuntu0.1

---------------
opensaml2 (2.3-1ubuntu0.1) lucid-security; urgency=high

  * SECURITY UPDATE: Fix vulnerability to a "wrapping attack" that could
    allow a remote, unauthenticated attacker to craft messages that can be
    successfully verified but contain arbitrary content. This may allow
    an attacker to subvert the security of software using OpenSAML and
    supply an unauthenticated login identity and data under the guise of a
    trusted issuer. (LP: #817199)
    - Patch obtained from Debian (2.3-2+squeeze1)
    - CVE-2011-1411
 -- Joshua Daniel Franklin <email address hidden> Thu, 28 Jul 2011 14:50:45 -0700

Changed in opensaml2 (Ubuntu):
status: Fix Committed → Fix Released
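The advisory and the changelog entry above describe the wrapping attack only by its effect: a message whose signature verifies but whose consumed content was never covered by that signature. Below is an added example, not code from opensaml2 or the Shibboleth project, of the binding check a consumer performs after cryptographic verification; the namespace map, the profile rules it enforces and the two constructed documents are assumptions for illustration.

```python
# Added example (not opensaml2 project code): after an XML signature has been
# cryptographically verified, bind the element the application will consume to
# the one the signature covered; a wrapping attack relies on them differing.
import xml.etree.ElementTree as ET

NS = {"ds": "http://www.w3.org/2000/09/xmldsig#",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed samples (not real SAML traffic; signature bytes omitted, since
# the cryptographic check is assumed to have already passed for both).
GOOD = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <saml:Assertion ID="_a1"><ds:Signature><ds:SignedInfo>
    <ds:Reference URI="#_a1"/></ds:SignedInfo></ds:Signature>
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  </saml:Assertion></samlp:Response>"""
# Same signature, but a second element now carries the referenced ID, so
# "the signature verified" no longer says which Assertion it vouches for.
BAD = GOOD.replace("</samlp:Response>", '<samlp:Extensions><saml:Assertion '
                   'ID="_a1"/></samlp:Extensions></samlp:Response>')


def signed_element_id(signature):
    """ID named by the signature's single same-document Reference, else None."""
    refs = signature.findall("ds:SignedInfo/ds:Reference", NS)
    uri = refs[0].get("URI", "") if len(refs) == 1 else ""
    return uri[1:] if uri.startswith("#") and len(uri) > 1 else None


def consumed_assertion_is_signed(xml_text):
    """True only if the Assertion the consumer would use is the signed one.
    Example rules (assumptions mirroring common SAML profile guidance): exactly
    one Assertion directly under the Response, carrying an enveloped
    ds:Signature whose Reference names the Assertion's own ID, with that ID
    occurring exactly once in the whole document.
    """
    root = ET.fromstring(xml_text)
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        return False
    assertion = assertions[0]
    sig = assertion.find("ds:Signature", NS)
    ref_id = signed_element_id(sig) if sig is not None else None
    if ref_id is None or assertion.get("ID") != ref_id:
        return False
    # The ID must resolve to exactly one element, and it must be this one.
    holders = [e for e in root.iter() if e.get("ID") == ref_id]
    return len(holders) == 1 and holders[0] is assertion
```

The check deliberately runs on the same parsed tree the application will read from, so a verifier and a consumer cannot disagree about which element an ID resolves to.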