Changelog
simplesamlphp (1.8.1-1) unstable; urgency=high
  * New upstream release. Fixes security issues:
    - It may be possible to use an SP as an oracle to decrypt
      encrypted messages sent to that SP. This is the attack
      described in the paper "How to break XML encryption":
      http://dx.doi.org/10.1145/2046707.2046756
    - It may be possible to use the SP as a key oracle which
      can be used to forge messages from that SP by issuing
      300000-2000000 queries to the SP. This mainly affects
      SPs that use signed authentication requests. The attack
      is described in "Chosen Ciphertext Attacks Against
      Protocols Based on the RSA Encryption Standard PKCS #1.":
      http://www.iacr.org/cryptodb/data/paper.php?pubkey=1037
 -- Thijs Kinkhorst <email address hidden> Thu, 27 Oct 2011 14:19:20 +0200