Your message dated Wed, 03 Feb 2021 13:06:22 +0000
with message-id <e1l7hrs-000dqz...@fasolo.debian.org>
and subject line Bug#980772: fixed in python-pysaml2 6.5.1-1
has caused the Debian Bug report #980772,
regarding python-pysaml2: CVE-2021-21239: Unspecified xmlsec1 key-type preference
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
980772: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=980772
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: python-pysaml2
Version: 6.1.0-3
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for python-pysaml2.

CVE-2021-21239[0]:
| PySAML2 is a pure python implementation of SAML Version 2 Standard.
| PySAML2 before 6.5.0 has an improper verification of cryptographic
| signature vulnerability. Users of pysaml2 that use the default
| CryptoBackendXmlSec1 backend and need to verify signed SAML documents
| are impacted. PySAML2 does not ensure that a signed SAML document is
| correctly signed. The default CryptoBackendXmlSec1 backend is using
| the xmlsec1 binary to verify the signature of signed SAML documents,
| but by default xmlsec1 accepts any type of key found within the given
| document. xmlsec1 needs to be configured explicitly to use only
| _x509 certificates_ for the verification process of the SAML document
| signature. This is fixed in PySAML2 6.5.0.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-21239
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21239
[1] https://github.com/IdentityPython/pysaml2/commit/751dbf50a51131b13d55989395f9b115045f9737
[2] https://github.com/IdentityPython/pysaml2/security/advisories/GHSA-5p3x-r448-pc62

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
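The advisory above describes the flaw as xmlsec1 accepting whatever key material it finds inside the signed document unless it is told to use only X.509 certificates. The following is an added example (not code from the bug report or from pysaml2) showing the two invocation styles side by side, an audit helper that tells them apart, and a version gate for the 6.5.0 fix line stated in the CVE text; it assumes xmlsec1 is on PATH and uses xmlsec1's own `--enabled-key-data`, `--pubkey-cert-pem` and `--id-attr` options.

```python
"""Added example: xmlsec1 signature verification with key material restricted
to the verifier's own X.509 certificate (the CVE-2021-21239 hardening)."""
import re
import subprocess
from typing import List

XMLSEC_BIN = "xmlsec1"  # assumed to be on PATH


def xmlsec_verify_argv(cert_file: str, node_name: str, hardened: bool = True,
                       xmlsec_bin: str = XMLSEC_BIN) -> List[str]:
    """Build the xmlsec1 command line for verifying one signed XML node.

    node_name is the namespaced element carrying <ds:Signature>, e.g.
    "urn:oasis:names:tc:SAML:2.0:assertion:Assertion".
    """
    argv = [xmlsec_bin, "--verify"]
    if hardened:
        # Accept only the raw X.509 certificate passed below. Without this,
        # xmlsec1 also honours keys embedded in the document's own
        # <ds:KeyInfo>, so a document can carry the key that verifies it.
        argv += ["--enabled-key-data", "raw-x509-cert"]
    argv += ["--pubkey-cert-pem", cert_file, "--id-attr:ID", node_name]
    return argv


def argv_is_hardened(argv: List[str]) -> bool:
    """Audit helper: does this xmlsec1 invocation restrict key data to the
    certificate supplied by the verifier rather than by the document?"""
    for i, arg in enumerate(argv[:-1]):
        if arg == "--enabled-key-data":
            return set(argv[i + 1].split(",")) == {"raw-x509-cert"}
    return False  # no restriction at all: the vulnerable default


def pysaml2_version_vulnerable(version: str) -> bool:
    """True for upstream versions before 6.5.0 (a Debian suffix such as
    '-3' is ignored when parsing)."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(x) for x in m.groups()) < (6, 5, 0)


def verify_signed_document(xml_path: str, cert_file: str, node_name: str) -> bool:
    """Run xmlsec1 in hardened mode; True only on a clean, verified result."""
    proc = subprocess.run(xmlsec_verify_argv(cert_file, node_name) + [xml_path],
                          capture_output=True, text=True, check=False)
    # xmlsec1 exits non-zero for a bad signature, an unusable key or malformed
    # input; every such case is treated as "not verified".
    return proc.returncode == 0
```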
--- Begin Message ---
Source: python-pysaml2
Source-Version: 6.5.1-1
Done: Thomas Goirand <z...@debian.org>

We believe that the bug you reported is fixed in the latest version of
python-pysaml2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 980...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <z...@debian.org> (supplier of updated python-pysaml2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Wed, 03 Feb 2021 12:41:36 +0100
Source: python-pysaml2
Architecture: source
Version: 6.5.1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian OpenStack <team+openst...@tracker.debian.org>
Changed-By: Thomas Goirand <z...@debian.org>
Closes: 980772 980773
Changes:
 python-pysaml2 (6.5.1-1) unstable; urgency=medium
 .
   * New upstream release.
     - Fix CVE-2021-21238 and CVE-2021-21239 (Closes: #980772, #980773).
   * Update patches to match new upstream release.
   * Add python3-importlib-resources and python3-xmlschema as (build-)depends.
   * Reworked python3.9-use-encodebytes-not-encodestring.patch.


--- End Message ---
