Your message dated Wed, 07 Dec 2022 17:49:32 +0000
with message-id <e1p2yy0-001gl3...@fasolo.debian.org>
and subject line Bug#1025187: fixed in golang-github-crewjam-saml 0.4.10-1
has caused the Debian Bug report #1025187,
regarding golang-github-crewjam-saml: CVE-2022-41912: Signature bypass via
multiple Assertion elements
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1025187: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1025187
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: golang-github-crewjam-saml
Version: 0.4.6-3
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,
The following vulnerability was published for golang-github-crewjam-saml.
CVE-2022-41912[0]:
| The crewjam/saml go library prior to version 0.4.9 is vulnerable to an
| authentication bypass when processing SAML responses containing
| multiple Assertion elements. This issue has been corrected in version
| 0.4.9. There are no workarounds other than upgrading to a fixed
| version.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2022-41912
https://www.cve.org/CVERecord?id=CVE-2022-41912
[1] https://github.com/crewjam/saml/security/advisories/GHSA-j2jp-wvqg-wc2g
Regards,
Salvatore
--- End Message ---
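The CVE text above describes a response carrying more than one Assertion element; as an added, defender-side illustration (not crewjam/saml's own code) here is a gate that counts Assertion elements across the whole document and refuses anything other than exactly one before any content is trusted. Function names and the two sample responses are constructed for this example.

```go
package main

import (
	"bytes"
	"encoding/xml"
	"fmt"
	"io"
)

const samlAssertionNS = "urn:oasis:names:tc:SAML:2.0:assertion"
// countAssertions counts every <saml:Assertion> start tag in the whole token
// stream, so an extra assertion beside or inside the signed one is not missed.
func countAssertions(response []byte) (int, error) {
	dec := xml.NewDecoder(bytes.NewReader(response))
	count := 0
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			return count, nil
		}
		if err != nil {
			return 0, fmt.Errorf("malformed SAML response: %w", err)
		}
		if se, ok := tok.(xml.StartElement); ok && se.Name.Space == samlAssertionNS && se.Name.Local == "Assertion" {
			count++
		}
	}
}

// rejectMultipleAssertions gates a Response before anything in it is trusted:
// exactly one Assertion is accepted, any other count is refused outright.
func rejectMultipleAssertions(response []byte) error {
	n, err := countAssertions(response)
	if err != nil {
		return err
	}
	if n != 1 {
		return fmt.Errorf("response carries %d Assertion elements, expected exactly 1", n)
	}
	return nil
}

// Constructed sample responses (not real traffic; signatures omitted).
const oneAssertion = `<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion ID="a1"><saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject></saml:Assertion></samlp:Response>`
const twoAssertions = `<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion ID="a1"><saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject></saml:Assertion><saml:Assertion ID="a2"><saml:Subject><saml:NameID>admin</saml:NameID></saml:Subject></saml:Assertion></samlp:Response>`

func main() {
	fmt.Println("one assertion:", rejectMultipleAssertions([]byte(oneAssertion)))
	fmt.Println("two assertions:", rejectMultipleAssertions([]byte(twoAssertions)))
}
```

Counting over the full token stream rather than selecting a single path is what keeps a second assertion, wherever it is placed, from slipping past the check.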
--- Begin Message ---
Source: golang-github-crewjam-saml
Source-Version: 0.4.10-1
Done: Thorsten Alteholz <deb...@alteholz.de>
We believe that the bug you reported is fixed in the latest version of
golang-github-crewjam-saml, which is due to be installed in the Debian FTP
archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1025...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thorsten Alteholz <deb...@alteholz.de> (supplier of updated
golang-github-crewjam-saml package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
Format: 1.8
Date: Sat, 03 Dec 2022 12:19:49 +0100
Source: golang-github-crewjam-saml
Architecture: source
Version: 0.4.10-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Go Packaging Team <team+pkg...@tracker.debian.org>
Changed-By: Thorsten Alteholz <deb...@alteholz.de>
Closes: 1025187
Changes:
golang-github-crewjam-saml (0.4.10-1) unstable; urgency=medium
.
* New upstream release. (Closes: #1025187)
Fix for CVE-2022-41912
* according to ratt nothing needs to be rebuilt
--- End Message ---