Your message dated Sat, 28 Sep 2024 16:47:12 +0000
with message-id <e1suaba-002djq...@fasolo.debian.org>
and subject line Bug#1081560: fixed in ruby-saml 1.13.0-1+deb12u1
has caused the Debian Bug report #1081560,
regarding ruby-saml: CVE-2024-45409
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

-- 
1081560: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1081560
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: ruby-saml
Version: 1.15.0-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Control: found -1 1.13.0-1

Hi,

The following vulnerability was published for ruby-saml.

CVE-2024-45409[0]:
| The Ruby SAML library is for implementing the client side of a SAML
| authorization. Ruby-SAML in <= 12.2 and 1.13.0 <= 1.16.0 does not
| properly verify the signature of the SAML Response. An
| unauthenticated attacker with access to any signed saml document (by
| the IdP) can thus forge a SAML Response/Assertion with arbitrary
| contents. This would allow the attacker to log in as arbitrary user
| within the vulnerable system. This vulnerability is fixed in 1.17.0
| and 1.12.3.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-45409
    https://www.cve.org/CVERecord?id=CVE-2024-45409
[1] https://github.com/SAML-Toolkits/ruby-saml/security/advisories/GHSA-jw9c-mfg7-9rx2
[2] https://github.com/SAML-Toolkits/ruby-saml/commit/1ec5392bc506fe43a02dbb66b68741051c5ffeae
[3] https://github.com/SAML-Toolkits/ruby-saml/commit/4865d030cae9705ee5cdb12415c654c634093ae7

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: ruby-saml
Source-Version: 1.13.0-1+deb12u1
Done: Salvatore Bonaccorso <car...@debian.org>

We believe that the bug you reported is fixed in the latest version of
ruby-saml, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1081...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated ruby-saml package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 15 Sep 2024 17:56:19 +0200
Source: ruby-saml
Architecture: source
Version: 1.13.0-1+deb12u1
Distribution: bookworm-security
Urgency: high
Maintainer: Debian Ruby Team <pkg-ruby-extras-maintain...@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Closes: 1081560
Changes:
 ruby-saml (1.13.0-1+deb12u1) bookworm-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * SAML authentication bypass via Incorrect XPath selector (CVE-2024-45409)
     (Closes: #1081560)

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---
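The bug report above quotes the CVE text and the changelog entry names the cause as an incorrect XPath selector. The Ruby script below is an added illustration, not code from ruby-saml or from this thread, and it rests on an assumption the page does not spell out: that the faulty selector was a descendant-axis `//ds:SignedInfo` query, which XPath evaluates from the document root rather than from the Signature element, so a stray `SignedInfo` placed earlier in the document is picked up instead of the one belonging to the signature. It compares that query with the child-axis `./ds:SignedInfo` form on a constructed document, the kind of regression check a verifier's test suite could keep.

```ruby
require 'rexml/document'

DSIG = 'http://www.w3.org/2000/09/xmldsig#'
NS = {
  'ds'    => DSIG,
  'samlp' => 'urn:oasis:names:tc:SAML:2.0:protocol',
  'saml'  => 'urn:oasis:names:tc:SAML:2.0:assertion'
}.freeze

# Constructed SAML-like response (not a real IdP document): a decoy
# ds:SignedInfo sits in StatusDetail, before the genuine Signature that
# lives inside the Assertion.
SAMPLE = <<~XML
  <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_resp">
    <samlp:Status>
      <samlp:StatusDetail>
        <ds:SignedInfo><ds:Reference URI="#_decoy"/></ds:SignedInfo>
      </samlp:StatusDetail>
    </samlp:Status>
    <saml:Assertion ID="_assertion">
      <ds:Signature>
        <ds:SignedInfo><ds:Reference URI="#_assertion"/></ds:SignedInfo>
        <ds:SignatureValue>AAAA</ds:SignatureValue>
      </ds:Signature>
    </saml:Assertion>
  </samlp:Response>
XML

# Locate the Assertion's Signature, then resolve its SignedInfo with the
# given selector (hypothetical helper) and return the URI the Reference
# points at. A verifier must only ever see "#_assertion" here.
def referenced_uri(xml, selector)
  doc = REXML::Document.new(xml)
  sig = REXML::XPath.first(doc, '//saml:Assertion/ds:Signature', NS)
  signed_info = REXML::XPath.first(sig, selector, NS)
  REXML::XPath.first(signed_info, './ds:Reference', NS).attributes['URI']
end

if $PROGRAM_NAME == __FILE__
  puts "descendant axis //ds:SignedInfo -> #{referenced_uri(SAMPLE, '//ds:SignedInfo')}"
  puts "child axis      ./ds:SignedInfo -> #{referenced_uri(SAMPLE, './ds:SignedInfo')}"
end
```

The descendant-axis query returns the decoy's reference even though it was evaluated relative to the Signature element, which is why a selector scoped to the signature's own children is the safe form.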