[Bug 2103420] Re: Security issue with libsaml12
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: opensaml2 (Ubuntu Xenial)
       Status: New => Confirmed

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/2103420

Title:
  Security issue with libsaml12

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/opensaml/+bug/2103420/+subscriptions

--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2103420] Re: Security issue with libsaml12
** Changed in: opensaml (Ubuntu Oracular)
       Status: New => In Progress

** Changed in: opensaml (Ubuntu Oracular)
     Assignee: (unassigned) => John Breton (john-breton)

** Changed in: opensaml (Ubuntu Noble)
       Status: New => In Progress

** Changed in: opensaml (Ubuntu Noble)
     Assignee: (unassigned) => John Breton (john-breton)

** Changed in: opensaml (Ubuntu Jammy)
       Status: New => In Progress

** Changed in: opensaml (Ubuntu Jammy)
     Assignee: (unassigned) => John Breton (john-breton)

** Changed in: opensaml (Ubuntu Focal)
       Status: New => In Progress

** Changed in: opensaml (Ubuntu Focal)
     Assignee: (unassigned) => John Breton (john-breton)
[Bug 2103420] Re: Security issue with libsaml12
Just to provide an update, we are tentatively targeting Monday, March 24th as the release date for the OpenSAML and OpenSAML2 updates. We appreciate your patience and will provide further updates once the releases are fully published.
[Bug 2103420] Re: Security issue with libsaml12
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: opensaml2 (Ubuntu Trusty)
       Status: New => Confirmed
[Bug 2103420] Re: Security issue with libsaml12
We have published a USN for this issue: https://ubuntu.com/security/notices/USN-7364-1 We recommend upgrading to the latest available version.
[Bug 2103420] Re: Security issue with libsaml12
I've attempted to make a debdiff for this (targeting noble) that is attached here. Note this is essentially the patch from the debian bug (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1100464#29) but with a different changelog entry (to target the correct package version, and to (I hope) match the ubuntu style).

** Bug watch added: Debian Bug tracker #1100464
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1100464

** Patch added: "debdiff for noble"
   https://bugs.launchpad.net/ubuntu/+source/opensaml/+bug/2103420/+attachment/5865854/+files/opensaml.debdiff
[Bug 2103420] Re: Security issue with libsaml12
** Changed in: opensaml (Ubuntu Plucky)
       Status: Fix Committed => Fix Released

** Changed in: opensaml (Ubuntu Plucky)
     Assignee: John Breton (john-breton) => (unassigned)
[Bug 2103420] Re: Security issue with libsaml12
We appreciate your patience on this issue thus far. Fixes have been released for OpenSAML2 on Xenial and Bionic and for OpenSAML on Focal, Jammy, Noble, and Oracular. We will provide another update once a fix has been released for Plucky.
[Bug 2103420] Re: Security issue with libsaml12
** Changed in: opensaml (Ubuntu Oracular)
     Assignee: John Breton (john-breton) => (unassigned)

** Changed in: opensaml (Ubuntu Noble)
     Assignee: John Breton (john-breton) => (unassigned)

** Changed in: opensaml (Ubuntu Jammy)
     Assignee: John Breton (john-breton) => (unassigned)

** Changed in: opensaml (Ubuntu Focal)
     Assignee: John Breton (john-breton) => (unassigned)
[Bug 2103420] Re: Security issue with libsaml12
This bug was fixed in the package opensaml - 3.2.1-1ubuntu0.1

---
opensaml (3.2.1-1ubuntu0.1) jammy-security; urgency=medium

  * SECURITY UPDATE: CPPOST-126 - Simple signature verification fails to
    detect parameter smuggling (LP: #2103420)
    - debian/patches/lp2103420-forging.patch: address parameter smuggling.
      Patch from upstream commit 22a610b322e2178abd03e97cdbc8fb50b45efaee,
      thanks to Scott Cantor
    - No CVE number

 -- Tom Andrew Tue, 18 Mar 2025 16:24:50 +
[Bug 2103420] Re: Security issue with libsaml12
This bug was fixed in the package opensaml - 3.2.1-4.1ubuntu0.24.10.1

---
opensaml (3.2.1-4.1ubuntu0.24.10.1) oracular-security; urgency=medium

  * SECURITY UPDATE: CPPOST-126 - Simple signature verification fails to
    detect parameter smuggling (LP: #2103420)
    - debian/patches/lp2103420-forging.patch: address parameter smuggling.
      Patch from upstream commit 22a610b322e2178abd03e97cdbc8fb50b45efaee,
      thanks to Scott Cantor
    - No CVE number

 -- Tom Andrew Tue, 18 Mar 2025 16:24:50 +

** Changed in: opensaml (Ubuntu Oracular)
       Status: Fix Committed => Fix Released

** Changed in: opensaml (Ubuntu Jammy)
       Status: Fix Committed => Fix Released
[Bug 2103420] Re: Security issue with libsaml12
** Changed in: opensaml2 (Ubuntu Xenial)
       Status: Fix Committed => Fix Released

** Changed in: opensaml2 (Ubuntu Xenial)
     Assignee: John Breton (john-breton) => (unassigned)

** Changed in: opensaml2 (Ubuntu Bionic)
       Status: Fix Committed => Fix Released

** Changed in: opensaml2 (Ubuntu Bionic)
     Assignee: John Breton (john-breton) => (unassigned)

** Changed in: opensaml2 (Ubuntu)
       Status: Fix Committed => Fix Released

** Changed in: opensaml2 (Ubuntu)
     Assignee: John Breton (john-breton) => (unassigned)
[Bug 2103420] Re: Security issue with libsaml12
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: opensaml2 (Ubuntu Bionic)
       Status: New => Confirmed
[Bug 2103420] Re: Security issue with libsaml12
This bug was fixed in the package opensaml - 3.0.1-1ubuntu0.1

---
opensaml (3.0.1-1ubuntu0.1) focal-security; urgency=medium

  * SECURITY UPDATE: CPPOST-126 - Simple signature verification fails to
    detect parameter smuggling (LP: #2103420)
    - debian/patches/lp2103420-forging.patch: address parameter smuggling.
      Patch from upstream commit 22a610b322e2178abd03e97cdbc8fb50b45efaee,
      thanks to Scott Cantor
    - No CVE number

 -- Tom Andrew Tue, 18 Mar 2025 16:24:50 +
[Bug 2103420] Re: Security issue with libsaml12
This bug was fixed in the package opensaml - 3.2.1-4.1ubuntu0.24.04.1

---
opensaml (3.2.1-4.1ubuntu0.24.04.1) noble-security; urgency=medium

  * SECURITY UPDATE: CPPOST-126 - Simple signature verification fails to
    detect parameter smuggling (LP: #2103420)
    - debian/patches/lp2103420-forging.patch: address parameter smuggling.
      Patch from upstream commit 22a610b322e2178abd03e97cdbc8fb50b45efaee,
      thanks to Scott Cantor
    - No CVE number

 -- Tom Andrew Tue, 18 Mar 2025 16:24:50 +

** Changed in: opensaml (Ubuntu Noble)
       Status: Fix Committed => Fix Released

** Changed in: opensaml (Ubuntu Focal)
       Status: Fix Committed => Fix Released
[Bug 2103420] Re: Security issue with libsaml12
** Changed in: opensaml2 (Ubuntu Trusty)
       Status: In Progress => Invalid

** Changed in: opensaml2 (Ubuntu)
       Status: In Progress => Fix Committed

** Changed in: opensaml2 (Ubuntu Trusty)
     Assignee: John Breton (john-breton) => (unassigned)
[Bug 2103420] Re: Security issue with libsaml12
Fixes for Xenial, Bionic, Focal, Jammy, Noble, Oracular, and Plucky have been committed and are currently being built. They are pending publication.

** Changed in: opensaml2 (Ubuntu Xenial)
       Status: In Progress => Fix Committed

** Changed in: opensaml2 (Ubuntu Bionic)
       Status: In Progress => Fix Committed

** Changed in: opensaml (Ubuntu Plucky)
       Status: In Progress => Fix Committed

** Changed in: opensaml (Ubuntu Oracular)
       Status: In Progress => Fix Committed

** Changed in: opensaml (Ubuntu Noble)
       Status: In Progress => Fix Committed

** Changed in: opensaml (Ubuntu Jammy)
       Status: In Progress => Fix Committed

** Changed in: opensaml (Ubuntu Focal)
       Status: In Progress => Fix Committed
[Bug 2103420] Re: Security issue with libsaml12
** Changed in: opensaml2 (Ubuntu Bionic)
       Status: Confirmed => In Progress

** Changed in: opensaml2 (Ubuntu Bionic)
     Assignee: (unassigned) => John Breton (john-breton)

** Changed in: opensaml2 (Ubuntu Xenial)
       Status: Confirmed => In Progress

** Changed in: opensaml2 (Ubuntu Xenial)
     Assignee: (unassigned) => John Breton (john-breton)

** Changed in: opensaml2 (Ubuntu Trusty)
       Status: Confirmed => In Progress

** Changed in: opensaml2 (Ubuntu Trusty)
     Assignee: (unassigned) => John Breton (john-breton)
[Bug 2103420] Re: Security issue with libsaml12
** Also affects: opensaml (Ubuntu Noble)
     Importance: Undecided
         Status: New

** Also affects: opensaml2 (Ubuntu Noble)
     Importance: Undecided
         Status: New

** Also affects: opensaml (Ubuntu Trusty)
     Importance: Undecided
         Status: New

** Also affects: opensaml2 (Ubuntu Trusty)
     Importance: Undecided
         Status: New

** Also affects: opensaml (Ubuntu Jammy)
     Importance: Undecided
         Status: New

** Also affects: opensaml2 (Ubuntu Jammy)
     Importance: Undecided
         Status: New

** Also affects: opensaml (Ubuntu Plucky)
     Importance: Undecided
       Assignee: John Breton (john-breton)
         Status: In Progress

** Also affects: opensaml2 (Ubuntu Plucky)
     Importance: Undecided
       Assignee: John Breton (john-breton)
         Status: In Progress

** Also affects: opensaml (Ubuntu Focal)
     Importance: Undecided
         Status: New

** Also affects: opensaml2 (Ubuntu Focal)
     Importance: Undecided
         Status: New

** Also affects: opensaml (Ubuntu Xenial)
     Importance: Undecided
         Status: New

** Also affects: opensaml2 (Ubuntu Xenial)
     Importance: Undecided
         Status: New

** Also affects: opensaml (Ubuntu Bionic)
     Importance: Undecided
         Status: New

** Also affects: opensaml2 (Ubuntu Bionic)
     Importance: Undecided
         Status: New

** Also affects: opensaml (Ubuntu Oracular)
     Importance: Undecided
         Status: New

** Also affects: opensaml2 (Ubuntu Oracular)
     Importance: Undecided
         Status: New

** No longer affects: opensaml2 (Ubuntu Focal)

** No longer affects: opensaml2 (Ubuntu Jammy)

** No longer affects: opensaml2 (Ubuntu Plucky)

** No longer affects: opensaml2 (Ubuntu Oracular)

** No longer affects: opensaml2 (Ubuntu Noble)

** No longer affects: opensaml (Ubuntu Trusty)

** No longer affects: opensaml (Ubuntu Xenial)

** No longer affects: opensaml (Ubuntu Bionic)
[Bug 2103420] Re: Security issue with libsaml12
** Also affects: opensaml2 (Ubuntu)
     Importance: Undecided
         Status: New

** Changed in: opensaml2 (Ubuntu)
       Status: New => In Progress

** Changed in: opensaml2 (Ubuntu)
     Assignee: (unassigned) => John Breton (john-breton)
[Bug 2103420] Re: Security issue with libsaml12
Hi, thank you for the initial report and an additional thanks for providing a debdiff for Noble. A fix for affected releases is in progress. Once we have further updates we will share them here.

** Changed in: opensaml (Ubuntu)
     Assignee: (unassigned) => John Breton (john-breton)

** Changed in: opensaml (Ubuntu)
       Status: Confirmed => In Progress
[Bug 2103420] Re: Security issue with libsaml12
The attachment "debdiff for noble" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

** Tags added: patch
[Bug 2103420] Re: Security issue with libsaml12
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: opensaml (Ubuntu)
       Status: New => Confirmed
[Bug 2103420] Re: Security issue with libsaml12
** Package changed: ubuntu => opensaml (Ubuntu)

** Changed in: opensaml (Ubuntu)
       Status: Confirmed => New
[Bug 2103420] Re: Security issue with libsaml12
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: ubuntu
       Status: New => Confirmed
