On 1/19/20 9:05 PM, Salvatore Bonaccorso wrote:
> Source: python-pysaml2
> Version: 4.5.0-5
> Severity: grave
> Tags: security upstream
> Justification: user security hole
> Control: found -1 4.5.0-4
>
> Hi,
>
> The following vulnerability was published for python-pysaml2.
>
> CVE-2020-5390[0]:
> | PySAML2 before 5.0.0 does not check that the signature in a SAML
> | document is enveloped and thus signature wrapping is effective, i.e.,
> | it is affected by XML Signature Wrapping (XSW). The signature
> | information and the node/object that is signed can be in different
> | places and thus the signature verification will succeed, but the wrong
> | data will be used. This specifically affects the verification of
> | assertion that have been signed.
>
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2020-5390
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5390
> [1]
> https://github.com/IdentityPython/pysaml2/commit/5e9d5acbcd8ae45c4e736ac521fd2df5b1c62e25
>
> Please adjust the affected versions in the BTS as needed.
>
> Regards,
> Salvatore
>
Hi Salvatore,
Please find attached the debdiff for fixing this CVE. I've already
uploaded the fix to Sid. Please let me know if it's ok to upload to
buster-security. BTW, are source-only uploads fine for security-master?
Cheers,
Thomas Goirand (zigo)
diff -Nru python-pysaml2-4.5.0/debian/changelog
python-pysaml2-4.5.0/debian/changelog
--- python-pysaml2-4.5.0/debian/changelog 2018-09-07 11:54:53.000000000
+0200
+++ python-pysaml2-4.5.0/debian/changelog 2020-02-07 09:27:20.000000000
+0100
@@ -1,3 +1,14 @@
+python-pysaml2 (4.5.0-4+deb10u1) buster-security; urgency=medium
+
+ * CVE-2020-5390: does not check that the signature in a SAML document is
+ enveloped and thus signature wrapping is effective, i.e., it is affected by
+ XML Signature Wrapping (XSW). Applied upstream patch: Fix XML Signature
+ Wrapping (XSW) vulnerabilities (Closes: #949322).
+ * Remove a test file that will fail past 2020-11-28 (Closes: #949227).
+ * Add fix-importing-mock-in-py2.7.patch.
+
+ -- Thomas Goirand <z...@debian.org> Fri, 07 Feb 2020 09:27:20 +0100
+
python-pysaml2 (4.5.0-4) unstable; urgency=medium
* CVE-2017-1000246: Reuse of AES initialization vector in AESCipher /
diff -Nru
python-pysaml2-4.5.0/debian/patches/CVE-2020-5390_Fix_XML_Signature_Wrapping_XSW_vulnerabilities.patch
python-pysaml2-4.5.0/debian/patches/CVE-2020-5390_Fix_XML_Signature_Wrapping_XSW_vulnerabilities.patch
---
python-pysaml2-4.5.0/debian/patches/CVE-2020-5390_Fix_XML_Signature_Wrapping_XSW_vulnerabilities.patch
1970-01-01 01:00:00.000000000 +0100
+++
python-pysaml2-4.5.0/debian/patches/CVE-2020-5390_Fix_XML_Signature_Wrapping_XSW_vulnerabilities.patch
2020-02-07 09:27:20.000000000 +0100
@@ -0,0 +1,180 @@
+Author: Ivan Kanakarakis <ivan.ka...@gmail.com>
+Date: Sat, 4 Jan 2020 00:39:47 +0200
+Subject: CVE-2020-5390: Fix XML Signature Wrapping (XSW) vulnerabilities
+ PySAML2 did not check that the signature in a SAML document is enveloped and
thus
+ XML signature wrapping (XSW) was effective.
+ .
+ The signature information and the node/object that is signed can be in
different places
+ and thus the signature verification will succeed, but the wrong data will be
used. This
+ specifically affects the verification of assertions that have been signed.
+ .
+ This was assigned CVE-2020-5390
+ .
+ Thanks to Alexey Sintsov and Yuri Goltsev from HERE Technologies to report
this.
+ .
+ + + + + + + + +
+ .
+ In more detail:
+ .
+ libxml2 follows the xmldsig-core specification. The xmldsig specification is
way too
+ general. saml-core reuses the xmldsig specification, but constrains it to use
of
+ specific facilities. The implementation of the SAML specification is
responsible to
+ enforce those constraints. libxml2/xmlsec1 are not aware of those constraints
and thus
+ process the document based on the full/general xmldsig rules.
+ .
+ What is happening is the following:
+ .
+ - xmldsig-core allows the signature-information and the data that was signed
to be in
+ different places. This works by setting the URI attribute of the Reference
element.
+ The URI attribute contains an optional identifier of the object being
signed. (see
+ "4.4.3 The Reference Element" --
https://www.w3.org/TR/xmldsig-core1/#sec-Reference)
+ This identifier is actually a pointer that can be defined in many different
ways; from
+ XPath expressions that need to be executed(!), to a full URL that should be
fetched(!)
+ in order to recalculate the signature.
+ .
+ - saml-core section "5.4 XML Signature Profile" defines constrains on the
xmldsig-core
+ facilities. It explicitly dictates that enveloped signatures are the only
signatures
+ allowed. This mean that:
+ * Assertion/RequestType/ResponseType elements must have an ID attribute
+ * signatures must have a single Reference element
+ * the Reference element must have a URI attribute
+ * the URI attribute contains an anchor
+ * the anchor points to the enclosing element's ID attribute
+ .
+ xmlsec1 does the right thing - it follows the reference URI pointer and
validates the
+ assertion. But, the pointer points to an assertion in another part of the
document; not
+ the assertion in which the signature is embedded/enveloped. SAML processing
thinks that
+ the signature is fine (that's what xmlsec1 said), and gets the assertion data
from the
+ assertion that contains the signature - but that assertion was never
validated. The
+ issue is that pysaml2 does not enforce the constrains on the signature
validation
+ facilities of xmldsig-core, that the saml-core spec defines.
+ .
+ The solution is simple; all we need is to make sure that assertions with
signatures (1)
+ contain one reference element that (2) has a URI attribute (3) that is an
anchor that
+ (4) points to the assertion in which the signature is embedded. If those
conditions are
+ met then we're good, otherwise we should fail the verification.
+Signed-off-by: Ivan Kanakarakis <ivan.ka...@gmail.com>
+Origin: upstream,
https://github.com/IdentityPython/pysaml2/commit/5e9d5acbcd8ae45c4e736ac521fd2df5b1c62e25.patch
+Bug-Debian: https://bugs.debian.org/949322
+Last-Update: 2020-02-07
+
+Index: python-pysaml2/src/saml2/sigver.py
+===================================================================
+--- python-pysaml2.orig/src/saml2/sigver.py
++++ python-pysaml2/src/saml2/sigver.py
+@@ -1527,6 +1527,55 @@ class SecurityContext(object):
+
+ # print(certs)
+
++ # saml-core section "5.4 XML Signature Profile" defines constrains on
the
++ # xmldsig-core facilities. It explicitly dictates that enveloped
signatures
++ # are the only signatures allowed. This mean that:
++ # * Assertion/RequestType/ResponseType elements must have an ID
attribute
++ # * signatures must have a single Reference element
++ # * the Reference element must have a URI attribute
++ # * the URI attribute contains an anchor
++ # * the anchor points to the enclosing element's ID attribute
++ references = item.signature.signed_info.reference
++ signatures_must_have_a_single_reference_element = len(references) == 1
++ the_Reference_element_must_have_a_URI_attribute = (
++ signatures_must_have_a_single_reference_element
++ and hasattr(references[0], "uri")
++ )
++ the_URI_attribute_contains_an_anchor = (
++ the_Reference_element_must_have_a_URI_attribute
++ and references[0].uri.startswith("#")
++ and len(references[0].uri) > 1
++ )
++ the_anchor_points_to_the_enclosing_element_ID_attribute = (
++ the_URI_attribute_contains_an_anchor
++ and references[0].uri == "#{id}".format(id=item.id)
++ )
++ validators = {
++ "signatures must have a single reference element": (
++ signatures_must_have_a_single_reference_element
++ ),
++ "the Reference element must have a URI attribute": (
++ the_Reference_element_must_have_a_URI_attribute
++ ),
++ "the URI attribute contains an anchor": (
++ the_URI_attribute_contains_an_anchor
++ ),
++ "the anchor points to the enclosing element ID attribute": (
++ the_anchor_points_to_the_enclosing_element_ID_attribute
++ ),
++ }
++ if not all(validators.values()):
++ error_context = {
++ "message": "Signature failed to meet constraints on xmldsig",
++ "validators": validators,
++ "item ID": item.id,
++ "reference URI": item.signature.signed_info.reference[0].uri,
++ "issuer": _issuer,
++ "node name": node_name,
++ "xml document": decoded_xml,
++ }
++ raise SignatureError(error_context)
++
+ verified = False
+ last_pem_file = None
+ for _, pem_file in certs:
+Index: python-pysaml2/tests/saml2_response_xsw.xml
+===================================================================
+--- /dev/null
++++ python-pysaml2/tests/saml2_response_xsw.xml
+@@ -0,0 +1,6 @@
++<?xml version="1.0" encoding="UTF-8"?>
++<ns0:Response xmlns:ns0="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:ns2="http://www.w3.org/2000/09/xmldsig#";
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
Destination="http://lingon.catalogix.se:8087/"; ID="id-vqOQ72JCppXaBWnBE"
InResponseTo="id12" IssueInstant="2019-12-20T12:15:16Z"
Version="2.0"><ns1:Issuer
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">urn:mace:example.com:saml:roland:idp</ns1:Issuer><ns0:Status><ns0:StatusCode
Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></ns0:Status><ns1:Assertion
ID="id-SPOOFED_ASSERTION" IssueInstant="2019-12-20T12:15:16Z"
Version="2.0"><ns1:Issuer
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">urn:mace:example.com:saml:roland:idp</ns1:Issuer><ns2:Signature
Id="Signature2"><ns2:SignedInfo><ns2:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ns2:SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ns2:Reference
URI="#id-Aa9IWfDxJVIX6GQye"><ns2:Transforms><ns2:Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ns2:Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ns2:Transforms><ns2:DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ns2:DigestValue>EWBvQUlrwQbtrAjuUXkSBAVsZ50=</ns2:DigestValue></ns2:Reference></ns2:SignedInfo><ns2:SignatureValue>m4zRgTWleMcx1dFboeiYlbiDigHWAVhHVa+GLN++ELNMFDutuzBxc3tu6okyaNQGW3leu32wzbfdpb5+3RlpGoKj2wPX570/EMJj4uw91XfXsZfpNP+5GlgNT8w/elDmBXhG/KwmSO477Imk0szKovTBMVHmo3QOd+ba//dVsJE=</ns2:SignatureValue><ns2:KeyInfo><ns2:X509Data><ns2:X509Certificate>MIICsDCCAhmgAwIBAgIJAJrzqSSwmDY9MA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwHhcNMDkxMDA2MTk0OTQxWhcNMDkxMTA1MTk0OTQxWjBFMQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDJg2cms7MqjniT8Fi/XkNHZNPbNVQyMUMXE9tXOdqwYCA1cc8vQdzkihscQMXy3iPw2cMggBu6gjMTOSOxECkuvX5ZCclKr8pXAJM5cY6gVOaVO2PdTZcvDBKGbiaNefiEw5hnoZomqZGp8wHNLAUkwtH9vjqqvxyS/vclc6k2ewIDAQABo4GnMIGkMB0GA1UdDgQWBBRePsKHKYJsiojE78ZWXccK9K4aJTB1BgNVHSMEbjBsgBRePsKHKYJsiojE78ZWXccK9K4aJaFJpEcwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZIIJAJrzqSSwmDY9MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEAJSrKOEzHO7TL5cy6h3qh+3+JAk8HbGBW+cbX6KBCAw/mzU8flK25vnWwXS3dv2FF3Aod0/S7AWNfKib5U/SA9nJaz/mWeF9S0farz9AQFc8/NSzAzaVq7YbM4F6f6N2FRl7GikdXRCed45j6mrPzGzk3ECbupFnqyREH3+ZPSdk=</ns2:X509Certificate></ns2:X509Data></ns2:KeyInfo></ns2:Signature><ns1:Subject><ns1:NameID
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" NameQualifier=""
SPNameQualifier="id12">ANOTHER_ID</ns1:NameID><ns1:SubjectConfirmation
Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><ns1:SubjectConfirmationData
InResponseTo="id12" NotOnOrAfter="2019-12-20T12:20:16Z"
Recipient="http://lingon.catalogix.se:8087/"/></ns1:SubjectConfirmation></ns1:Subject><ns1:Conditions
NotBefore="2019-12-20T12:15:16Z"
NotOnOrAfter="2019-12-20T12:20:16Z"><ns1:AudienceRestriction><ns1:Audience>urn:mace:example.com:saml:roland:sp</ns1:Audience></ns1:AudienceRestriction></ns1:Conditions><ns1:AuthnStatement
AuthnInstant="2019-12-20T12:15:16Z"
SessionIndex="id-eEhNCc5BSiesVOl8B"><ns1:AuthnContext><ns1:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocolPassword</ns1:AuthnContextClassRef><ns1:AuthenticatingAuthority>http://www.example.com/login</ns1:AuthenticatingAuthority></ns1:AuthnContext></ns1:AuthnStatement><ns1:AttributeStatement><ns1:Attribute
FriendlyName="eduPersonAffiliation" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><ns1:AttributeValue
xmlns:xs="http://www.w3.org/2001/XMLSchema";
xsi:type="xs:string">staff</ns1:AttributeValue><ns1:AttributeValue
xmlns:xs="http://www.w3.org/2001/XMLSchema";
xsi:type="xs:string">ADMIN</ns1:AttributeValue></ns1:Attribute><ns1:Attribute
FriendlyName="mail" Name="urn:oid:0.9.2342.19200300.100.1.3"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><ns1:AttributeValue
xmlns:xs="http://www.w3.org/2001/XMLSchema";
xsi:type="xs:string">hac...@gmail.com</ns1:AttributeValue></ns1:Attribute><ns1:Attribute
FriendlyName="givenName" Name="urn:oid:2.5.4.42"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><ns1:AttributeValue
xmlns:xs="http://www.w3.org/2001/XMLSchema";
xsi:type="xs:string">Derek</ns1:AttributeValue></ns1:Attribute><ns1:Attribute
FriendlyName="surName" Name="urn:oid:2.5.4.4"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><ns1:AttributeValue
xmlns:xs="http://www.w3.org/2001/XMLSchema";
xsi:type="xs:string">Jeter</ns1:AttributeValue></ns1:Attribute><ns1:Attribute
FriendlyName="title" Name="urn:oid:2.5.4.12"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><ns1:AttributeValue
xmlns:xs="http://www.w3.org/2001/XMLSchema";
xsi:type="xs:string">shortstop</ns1:AttributeValue></ns1:Attribute></ns1:AttributeStatement></ns1:Assertion>
++<XSW_ATTACK>
++<ns1:Assertion ID="id-Aa9IWfDxJVIX6GQye" IssueInstant="2019-12-20T12:15:16Z"
Version="2.0"><ns1:Issuer
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">urn:mace:example.com:saml:roland:idp</ns1:Issuer><ns1:Subject><ns1:NameID
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" NameQualifier=""
SPNameQualifier="id12">ac5b22bb8eac4a26ed07a55432a0fe0da243f6e911aa614cff402c44d7cdec36</ns1:NameID><ns1:SubjectConfirmation
Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><ns1:SubjectConfirmationData
InResponseTo="id12" NotOnOrAfter="2019-12-20T12:20:16Z"
Recipient="http://lingon.catalogix.se:8087/"/></ns1:SubjectConfirmation></ns1:Subject><ns1:Conditions
NotBefore="2019-12-20T12:15:16Z"
NotOnOrAfter="2019-12-20T12:20:16Z"><ns1:AudienceRestriction><ns1:Audience>urn:mace:example.com:saml:roland:sp</ns1:Audience></ns1:AudienceRestriction></ns1:Conditions><ns1:AuthnStatement
AuthnInstant="2019-12-20T12:15:16Z"
SessionIndex="id-eEhNCc5BSiesVOl8B"><ns1:AuthnContext><ns1:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocolPassword</ns1:AuthnContextClassRef><ns1:AuthenticatingAuthority>http://www.example.com/login</ns1:AuthenticatingAuthority></ns1:AuthnContext></ns1:AuthnStatement><ns1:AttributeStatement><ns1:Attribute
FriendlyName="eduPersonAffiliation" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><ns1:AttributeValue
xmlns:xs="http://www.w3.org/2001/XMLSchema";
xsi:type="xs:string">staff</ns1:AttributeValue><ns1:AttributeValue
xmlns:xs="http://www.w3.org/2001/XMLSchema";
xsi:type="xs:string">member</ns1:AttributeValue></ns1:Attribute><ns1:Attribute
FriendlyName="mail" Name="urn:oid:0.9.2342.19200300.100.1.3"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><ns1:AttributeValue
xmlns:xs="http://www.w3.org/2001/XMLSchema";
xsi:type="xs:string">f...@gmail.com</ns1:AttributeValue></ns1:Attribute><ns1:Attribute
FriendlyName="givenName" Name="urn:oid:2.5.4.42"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><ns1:AttributeValue
xmlns:xs="http://www.w3.org/2001/XMLSchema";
xsi:type="xs:string">Derek</ns1:AttributeValue></ns1:Attribute><ns1:Attribute
FriendlyName="surName" Name="urn:oid:2.5.4.4"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><ns1:AttributeValue
xmlns:xs="http://www.w3.org/2001/XMLSchema";
xsi:type="xs:string">Jeter</ns1:AttributeValue></ns1:Attribute><ns1:Attribute
FriendlyName="title" Name="urn:oid:2.5.4.12"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><ns1:AttributeValue
xmlns:xs="http://www.w3.org/2001/XMLSchema";
xsi:type="xs:string">shortstop</ns1:AttributeValue></ns1:Attribute></ns1:AttributeStatement></ns1:Assertion>
++</XSW_ATTACK>
++</ns0:Response>
+Index: python-pysaml2/tests/test_xsw.py
+===================================================================
+--- /dev/null
++++ python-pysaml2/tests/test_xsw.py
+@@ -0,0 +1,44 @@
++from datetime import datetime
++from unittest.mock import Mock
++from unittest.mock import patch
++
++from saml2.config import config_factory
++from saml2.response import authn_response
++from saml2.sigver import SignatureError
++
++from dateutil import parser
++
++from pytest import raises
++
++from pathutils import dotname
++from pathutils import full_path
++
++
++XML_RESPONSE_XSW = full_path("saml2_response_xsw.xml")
++
++
++class TestAuthnResponse:
++ def setup_class(self):
++ self.conf = config_factory("sp", dotname("server_conf"))
++ self.ar = authn_response(self.conf,
"http://lingon.catalogix.se:8087/";)
++
++ @patch('saml2.response.validate_on_or_after', return_value=True)
++ def test_verify_signed_xsw(self, mock_validate_on_or_after):
++ self.ar.issue_instant_ok = Mock(return_value=True)
++
++ with open(XML_RESPONSE_XSW) as fp:
++ xml_response = fp.read()
++
++ self.ar.outstanding_queries = {"id12": "http://localhost:8088/sso"}
++ self.ar.timeslack = 10000
++ self.ar.loads(xml_response, decode=False)
++
++ assert self.ar.came_from == 'http://localhost:8088/sso'
++ assert self.ar.session_id() == "id12"
++ assert self.ar.issuer() == 'urn:mace:example.com:saml:roland:idp'
++
++ with raises(SignatureError):
++ self.ar.verify()
++
++ assert self.ar.ava is None
++ assert self.ar.name_id is None
diff -Nru python-pysaml2-4.5.0/debian/patches/fix-importing-mock-in-py2.7.patch
python-pysaml2-4.5.0/debian/patches/fix-importing-mock-in-py2.7.patch
--- python-pysaml2-4.5.0/debian/patches/fix-importing-mock-in-py2.7.patch
1970-01-01 01:00:00.000000000 +0100
+++ python-pysaml2-4.5.0/debian/patches/fix-importing-mock-in-py2.7.patch
2020-02-07 09:27:20.000000000 +0100
@@ -0,0 +1,20 @@
+Description: Fix importing Mock in python 2.7
+Author: Thomas Goirand <z...@debian.org>
+Forwarded: no
+Last-Update: 2020-02-07
+
+--- python-pysaml2-4.5.0.orig/tests/test_xsw.py
++++ python-pysaml2-4.5.0/tests/test_xsw.py
+@@ -1,6 +1,10 @@
+ from datetime import datetime
+-from unittest.mock import Mock
+-from unittest.mock import patch
++try:
++ from unittest.mock import Mock
++ from unittest.mock import patch
++except ImportError:
++ from mock import Mock
++ from mock import patch
+
+ from saml2.config import config_factory
+ from saml2.response import authn_response
diff -Nru python-pysaml2-4.5.0/debian/patches/remove-broken-test.patch
python-pysaml2-4.5.0/debian/patches/remove-broken-test.patch
--- python-pysaml2-4.5.0/debian/patches/remove-broken-test.patch
1970-01-01 01:00:00.000000000 +0100
+++ python-pysaml2-4.5.0/debian/patches/remove-broken-test.patch
2020-02-07 09:27:20.000000000 +0100
@@ -0,0 +1,63 @@
+Description: remove broken test
+ This test fails after 2020-11-28, and this date is included in the Buster
+ lifecycle, so I'm just removing the test.
+Author: Thomas Goirand <z...@debian.org>
+Forwarded: no
+Bug-Debian: https://bugs.debian.org/949227
+Last-Date: 2020-02-07
+
+--- a/tests/test_82_pefim.py 2018-09-03 17:04:58.481414586 +0200
++++ /dev/null 2020-02-05 09:40:05.691999664 +0100
+@@ -1,52 +0,0 @@
+-from saml2 import xmldsig as ds
+-from saml2 import config
+-from saml2 import extension_elements_to_elements
+-from saml2 import element_to_extension_element
+-from saml2 import saml
+-from saml2.client import Saml2Client
+-from saml2.extension import pefim
+-from saml2.extension.pefim import SPCertEnc
+-from saml2.samlp import Extensions
+-from saml2.samlp import authn_request_from_string
+-from saml2.sigver import read_cert_from_file
+-from pathutils import full_path
+-
+-__author__ = 'roland'
+-
+-conf = config.SPConfig()
+-conf.load_file("server_conf")
+-client = Saml2Client(conf)
+-
+-# place a certificate in an authn request
+-cert = read_cert_from_file(full_path("test.pem"), "pem")
+-
+-spcertenc = SPCertEnc(
+- x509_data=ds.X509Data(
+- x509_certificate=ds.X509Certificate(text=cert)))
+-
+-extensions = Extensions(
+- extension_elements=[element_to_extension_element(spcertenc)])
+-
+-req_id, req = client.create_authn_request(
+- "http://www.example.com/sso";,
+- "urn:mace:example.com:it:tek",
+- nameid_format=saml.NAMEID_FORMAT_PERSISTENT,
+- message_id="666",
+- extensions=extensions)
+-
+-
+-print(req)
+-
+-# Get a certificate from an authn request
+-
+-xml = "%s" % req
+-
+-parsed = authn_request_from_string(xml)
+-
+-_elem = extension_elements_to_elements(parsed.extensions.extension_elements,
+- [pefim, ds])
+-
+-assert len(_elem) == 1
+-_spcertenc = _elem[0]
+-_cert = _spcertenc.key_info[0].x509_data[0].x509_certificate.text
+-assert cert == _cert
diff -Nru python-pysaml2-4.5.0/debian/patches/series
python-pysaml2-4.5.0/debian/patches/series
--- python-pysaml2-4.5.0/debian/patches/series 2018-09-07 11:54:53.000000000
+0200
+++ python-pysaml2-4.5.0/debian/patches/series 2020-02-07 09:27:20.000000000
+0100
@@ -2,3 +2,6 @@
remove-network-access-test.patch
removed_failing_test_enc1.patch
CVE-2017-1000246_Always_generate_a_random_IV_for_AES_operations.patch
+CVE-2020-5390_Fix_XML_Signature_Wrapping_XSW_vulnerabilities.patch
+remove-broken-test.patch
+fix-importing-mock-in-py2.7.patch
