Your message dated Sat, 28 Sep 2024 16:47:12 +0000
with message-id <e1suaba-002djq...@fasolo.debian.org>
and subject line Bug#1081560: fixed in ruby-saml 1.13.0-1+deb12u1
has caused the Debian Bug report #1081560,
regarding ruby-saml: CVE-2024-45409
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1081560: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1081560
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: ruby-saml
Version: 1.15.0-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Control: found -1 1.13.0-1

Hi,

The following vulnerability was published for ruby-saml.

CVE-2024-45409[0]:
| The Ruby SAML library is for implementing the client side of a SAML
| authorization. Ruby-SAML in <= 12.2 and 1.13.0 <= 1.16.0 does not
| properly verify the signature of the SAML Response. An
| unauthenticated attacker with access to any signed saml document (by
| the IdP) can thus forge a SAML Response/Assertion with arbitrary
| contents. This would allow the attacker to log in as arbitrary user
| within the vulnerable system. This vulnerability is fixed in 1.17.0
| and 1.12.3.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-45409
    https://www.cve.org/CVERecord?id=CVE-2024-45409
[1] https://github.com/SAML-Toolkits/ruby-saml/security/advisories/GHSA-jw9c-mfg7-9rx2
[2] https://github.com/SAML-Toolkits/ruby-saml/commit/1ec5392bc506fe43a02dbb66b68741051c5ffeae
[3] https://github.com/SAML-Toolkits/ruby-saml/commit/4865d030cae9705ee5cdb12415c654c634093ae7

Regards,
Salvatore

--- End Message ---
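Added illustration, not part of the bug report and not ruby-saml's code or the upstream fix: the class of bug the CVE text describes, where the signature is located and checked by one selector while the Assertion that is then trusted is fetched by another, so the element whose digest was verified and the element whose contents are consumed need not be the same. The sample Response, the element IDs (_legit, _forged), the subjects and the simplified digest routine are all constructed for this example; real XML-DSig verification canonicalizes the referenced element (exclusive C14N) and verifies the public-key signature over SignedInfo, both omitted here. The exact XPath expression that was wrong in ruby-saml is not reproduced; the linked advisory and commits have that.

```ruby
require 'rexml/document'
require 'rexml/formatters/default'
require 'openssl'

DS    = 'http://www.w3.org/2000/09/xmldsig#'
SAML  = 'urn:oasis:names:tc:SAML:2.0:assertion'
SAMLP = 'urn:oasis:names:tc:SAML:2.0:protocol'
NS    = { 'ds' => DS, 'saml' => SAML }

# Simplified stand-in for the XML-DSig digest step (constructed for this
# example): serialize the element with REXML's default formatter and SHA-256
# it. Real verifiers apply exclusive C14N first and also verify the public-key
# signature over SignedInfo; both are left out to keep the focus on selection.
def element_digest(el)
  out = +''
  REXML::Formatters::Default.new.write(el, out)
  [OpenSSL::Digest.digest('SHA256', out)].pack('m0')
end

def assertion_xml(id, subject)
  %(<saml:Assertion xmlns:saml="#{SAML}" ID="#{id}">) +
    %(<saml:Subject><saml:NameID>#{subject}</saml:NameID></saml:Subject>) +
    %(</saml:Assertion>)
end

LEGIT_ASSERTION = assertion_xml('_legit', 'alice@example.com')

# Constructed sample Response: the only ds:Signature covers the Assertion with
# ID "_legit" (Reference URI="#_legit"). `injected` is extra markup an attacker
# who holds this signed document might splice in ahead of the signed Assertion.
def signed_response_xml(injected = '')
  digest = element_digest(REXML::Document.new(LEGIT_ASSERTION).root)
  <<~XML
    <samlp:Response xmlns:samlp="#{SAMLP}" xmlns:ds="#{DS}" ID="_resp">
      <ds:Signature>
        <ds:SignedInfo>
          <ds:Reference URI="#_legit">
            <ds:DigestValue>#{digest}</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
      </ds:Signature>
      #{injected}
      #{LEGIT_ASSERTION}
    </samlp:Response>
  XML
end

def parse(xml)
  REXML::Document.new(xml)
end

# Resolve the Signature's Reference URI ("#id") to the single element carrying
# that ID. Duplicate IDs are rejected outright: two elements claiming the same
# ID is itself a wrapping trick.
def referenced_element(doc, sig)
  ref = REXML::XPath.first(sig, './ds:SignedInfo/ds:Reference', NS)
  return nil unless ref
  uri = ref.attributes['URI'].to_s
  return nil unless uri.start_with?('#')
  id = uri[1..]
  matches = REXML::XPath.match(doc, '//*[@ID]').select { |e| e.attributes['ID'] == id }
  matches.size == 1 ? matches.first : nil
end

def digest_matches?(el, sig)
  node = REXML::XPath.first(sig, './ds:SignedInfo/ds:Reference/ds:DigestValue', NS)
  return false unless node
  node.text.to_s.strip == element_digest(el)
end

def name_id(assertion)
  node = assertion && REXML::XPath.first(assertion, './saml:Subject/saml:NameID', NS)
  node && node.text
end

# Vulnerable pattern (illustration of the bug class, not ruby-saml's code):
# the digest is checked against the element the Reference points to, but the
# Assertion that is then trusted is fetched by a separate document-wide
# selector, so the checked element and the consumed element can differ.
def subject_vulnerable(doc)
  sig = REXML::XPath.first(doc, '//ds:Signature', NS)
  signed = sig && referenced_element(doc, sig)
  return nil unless signed && digest_matches?(signed, sig)
  name_id(REXML::XPath.first(doc, '//saml:Assertion', NS))
end

# Hardened pattern: the only Assertion trusted is the element the verified
# Reference actually covers; nothing else in the document is consulted.
def subject_hardened(doc)
  sig = REXML::XPath.first(doc, '//ds:Signature', NS)
  signed = sig && referenced_element(doc, sig)
  return nil unless signed && digest_matches?(signed, sig)
  return nil unless signed.name == 'Assertion' && signed.namespace == SAML
  name_id(signed)
end

if $PROGRAM_NAME == __FILE__
  forged = signed_response_xml(assertion_xml('_forged', 'admin@example.com'))
  puts "vulnerable: #{subject_vulnerable(parse(forged))}"  # admin@example.com
  puts "hardened:   #{subject_hardened(parse(forged))}"    # alice@example.com
end
```

Run with any Ruby 3.x that ships REXML. With the forged document the vulnerable routine accepts the attacker's unsigned admin Assertion because the signed one still digests correctly, while the hardened routine only ever reads the element the Reference covers; editing the signed Assertion's NameID, or reusing its ID on a second element, is rejected by both.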
--- Begin Message ---
Source: ruby-saml
Source-Version: 1.13.0-1+deb12u1
Done: Salvatore Bonaccorso <car...@debian.org>

We believe that the bug you reported is fixed in the latest version of
ruby-saml, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1081...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated ruby-saml package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 15 Sep 2024 17:56:19 +0200
Source: ruby-saml
Architecture: source
Version: 1.13.0-1+deb12u1
Distribution: bookworm-security
Urgency: high
Maintainer: Debian Ruby Team <pkg-ruby-extras-maintain...@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Closes: 1081560
Changes:
 ruby-saml (1.13.0-1+deb12u1) bookworm-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * SAML authentication bypass via Incorrect XPath selector (CVE-2024-45409)
     (Closes: #1081560)
Checksums-Sha1:
 1f039acf18feb07bc25882e42c1d1e0046852e2b 2230 ruby-saml_1.13.0-1+deb12u1.dsc
 c2ac6adc68060a610e1a4d0c33215f05637161a2 70190 ruby-saml_1.13.0.orig.tar.gz
 f85c9eb9fa4329f85f1341f2c930e45759a1aab0 10468 ruby-saml_1.13.0-1+deb12u1.debian.tar.xz
 9fc9698c4a6ba79d06e6c14674e4fe096609aa9e 7227 ruby-saml_1.13.0-1+deb12u1_source.buildinfo
Checksums-Sha256:
 f99f665258e24d1bfb1478dfba8b7706b4b7664563cec22eaf08da7f31689002 2230 ruby-saml_1.13.0-1+deb12u1.dsc
 f8a0782481a6fd36a902d2b2001054473226189dbc33dcded27fb483d47bd102 70190 ruby-saml_1.13.0.orig.tar.gz
 68d980ea94dc39e612f4749f653a790fa1536d6c224b7c1bb4fb8c02f6529940 10468 ruby-saml_1.13.0-1+deb12u1.debian.tar.xz
 2e1bcb2aa9497f9b34cb3083b7cc1fe75a9b9775aaafb0a32a6c4cc686d82102 7227 ruby-saml_1.13.0-1+deb12u1_source.buildinfo
Files:
 d26ef3ff8e26de19d9e5d6560548d0ee 2230 ruby optional ruby-saml_1.13.0-1+deb12u1.dsc
 f81e8b13bb5fe0833b6b5ee09cb0d224 70190 ruby optional ruby-saml_1.13.0.orig.tar.gz
 c18068977cce871ee08634bc0cf0ed37 10468 ruby optional ruby-saml_1.13.0-1+deb12u1.debian.tar.xz
 eee50683702c01d485079679a419f7d4 7227 ruby optional ruby-saml_1.13.0-1+deb12u1_source.buildinfo
-----BEGIN PGP SIGNATURE-----

iQKmBAEBCgCQFiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmbnBAJfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQSHGNhcm5pbEBk
ZWJpYW4ub3JnAAoJEAVMuPMTQ89EDkYP/3sLy6A2IfifMBsJdCJarkMjBZRi95Y/
R9R9nm1x+DvFdpULIxRyY5jQ85UpDRFYvsJLpRNcuBuk6Bk9Q5Ki4PuvjCuE5lug
3MpiAWUpmMaB3cCHlNTWMJ+r4sV3J3xVQXT7nV7UHtZl4R6XcU/RkbW/1sEvDQP7
T5riKsAUiElxQxWpXdku84RCuluLU9YgrRFJWPOV5Dw4dhkeJQDZMK3D+NBdClH3
JRn9wsU8MzxxhWv7oEkW41IyYIuOZXeMojFFrZpQBUIlN/KOcjwQA+SpgD2ET4pw
pYiGQxgc9WxicOI1wqbNAvdxNfQmPcNwYbaNlN2ShgvMEFydp5NET0KzQWuHQxWQ
ZHLTkE0kAu8wWIuPF1tFCUGM9LqigtqeHHH/f2KnS01v/IeEKlPSVaknqnYNiT1r
azzNvj5AubR82hp7VOZAvCWP9aRHXbHFnyajqtCIWNd/GS/ul4UfYmX04T6rafpB
i8twaGD2CzAtO2cQdkmqIj+lTIz1tsROEZtV0XM9alLH+qUTv96ewpyY9IGzXtkJ
y4rzcV37lJvA/aCS1+9DdRVu6E/HWOu1tGO1MpSrbzdoCqzKsx9y7TR0hX0tMf42
nbmJXREhQNHnJcMr5BxAfnN3KU+1tZkK4CpQ/kB1M+g4W79K7R2p9Ftnzsp2GvJE
m3Xb3X1GuPEI
=pTOD
-----END PGP SIGNATURE-----



--- End Message ---