Source: golang-github-crewjam-saml
Version: 0.4.12-2
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for golang-github-crewjam-saml.
Strictly speaking it might be disputed if it is RC level, but would be good
to have it fixed in bookworm before the release.

CVE-2023-28119[0]:
| The crewjam/saml go library contains a partial implementation of the
| SAML standard in golang. Prior to version 0.4.13, the package's use of
| `flate.NewReader` does not limit the size of the input. The user can
| pass more than 1 MB of data in the HTTP request to the processing
| functions, which will be decompressed server-side using the Deflate
| algorithm. Therefore, after repeating the same request multiple times,
| it is possible to achieve a reliable crash since the operating system
| kills the process. This issue is patched in version 0.4.13.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-28119
    https://www.cve.org/CVERecord?id=CVE-2023-28119
[1] https://github.com/crewjam/saml/commit/8e9236867d176ad6338c870a84e2039aef8a5021
[2] https://github.com/crewjam/saml/security/advisories/GHSA-5mqj-xc49-246p

Regards,
Salvatore
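The advisory above describes an unbounded `flate.NewReader` read. The following is an added illustration, not code from crewjam/saml or from the report: it places the unbounded pattern beside a bounded variant that caps decompressed output (the 1 MiB cap, the function names and the constructed sample input are assumptions for the demo).

```go
package main

import (
	"bytes"
	"compress/flate"
	"errors"
	"fmt"
	"io"
)

// ErrTooLarge is returned when the inflated output would exceed the cap.
var ErrTooLarge = errors.New("decompressed payload exceeds limit")

// inflateUnbounded mirrors the pre-0.4.13 pattern: it reads whatever the
// deflate stream expands to, so a few KB of input can allocate megabytes.
func inflateUnbounded(data []byte) ([]byte, error) {
	r := flate.NewReader(bytes.NewReader(data))
	defer r.Close()
	return io.ReadAll(r)
}

// inflateBounded stops after maxBytes of output. Reading one extra byte
// distinguishes "exactly at the limit" from "over the limit" cheaply.
func inflateBounded(data []byte, maxBytes int64) ([]byte, error) {
	r := flate.NewReader(bytes.NewReader(data))
	defer r.Close()
	out, err := io.ReadAll(io.LimitReader(r, maxBytes+1))
	if err != nil {
		return nil, err
	}
	if int64(len(out)) > maxBytes {
		return nil, ErrTooLarge
	}
	return out, nil
}

// deflate builds constructed sample input for the demo and tests.
func deflate(payload []byte) []byte {
	var buf bytes.Buffer
	w, _ := flate.NewWriter(&buf, flate.BestCompression) // valid level, err is nil
	w.Write(payload)
	w.Close()
	return buf.Bytes()
}

func main() {
	// Constructed: 4 MiB of one byte deflates to a few KB but inflates past a 1 MiB cap.
	bomb := deflate(bytes.Repeat([]byte("A"), 4<<20))
	_, err := inflateBounded(bomb, 1<<20)
	fmt.Printf("%d compressed bytes, bounded inflate: %v\n", len(bomb), err)
}
```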