Your message dated Sat, 10 May 2025 07:34:17 +0000
with message-id <e1udeiv-00bgbz...@fasolo.debian.org>
and subject line Bug#1100595: fixed in simplesamlphp 1.19.7-2
has caused the Debian Bug report #1100595,
regarding simplesamlphp: CVE-2025-27773
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1100595: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1100595
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: simplesamlphp
Version: 1.19.7-1+deb12u1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for simplesamlphp.

CVE-2025-27773[0]:
| The SimpleSAMLphp SAML2 library is a PHP library for SAML2 related
| functionality. Prior to versions 4.17.0 and 5.0.0-alpha.20, there is
| a signature confusion attack in the HTTPRedirect binding. An
| attacker with any signed SAMLResponse via the HTTP-Redirect binding
| can cause the application to accept an unsigned message. Versions
| 4.17.0 and 5.0.0-alpha.20 contain a fix for the issue.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-27773
    https://www.cve.org/CVERecord?id=CVE-2025-27773
[1] https://github.com/simplesamlphp/saml2/security/advisories/GHSA-46r4-f8gj-xg56
[2] https://github.com/simplesamlphp/saml2/commit/7867d6099dc7f31bed1ea10e5bea159c5623d2a0

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
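The CVE text above says the HTTP-Redirect binding could be made to accept an unsigned message when a signed one was also present. The following is an added PHP example, not SimpleSAMLphp's code and not a reproduction of the library's actual flaw: it shows how a message is signed under the HTTP-Redirect binding (SAML 2.0 Bindings section 3.4.4.1) and a receiver that parses the query string exactly once, refuses repeated or competing message parameters, verifies over the still-encoded bytes, and only then decodes the message from those same bytes. The function names `redirectBindingSign` and `redirectBindingReceive`, the throwaway RSA key, and the sample SAML documents are all constructed for this illustration.

```php
<?php
// Added example, not SimpleSAMLphp code. It does not reproduce the library's
// actual bug; it shows the HTTP-Redirect binding (SAML 2.0 Bindings 3.4.4.1)
// and a receiver that verifies and consumes exactly the same bytes.
declare(strict_types=1);

const RSA_SHA256 = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256';

// Sender side: DEFLATE + base64 the message, then sign the URL-encoded query.
function redirectBindingSign(string $xml, ?string $relayState, $privKey): string
{
    $params = ['SAMLResponse' => base64_encode(gzdeflate($xml))];
    if ($relayState !== null) {
        $params['RelayState'] = $relayState;
    }
    $params['SigAlg'] = RSA_SHA256;
    // Signed data is the encoded query, in this parameter order, without Signature.
    $signedData = http_build_query($params, '', '&', PHP_QUERY_RFC3986);
    openssl_sign($signedData, $sig, $privKey, OPENSSL_ALGO_SHA256);
    return $signedData . '&Signature=' . rawurlencode(base64_encode($sig));
}

// Receiver side: parse the raw query string once, refuse ambiguity, verify
// over the still-encoded values, then decode the message from those same bytes.
function redirectBindingReceive(string $queryString, string $pubKeyPem): array
{
    $raw = [];
    foreach (explode('&', $queryString) as $pair) {
        if ($pair === '') {
            continue;
        }
        [$name, $value] = array_pad(explode('=', $pair, 2), 2, '');
        $name = rawurldecode($name);
        // A repeated name is where parsers disagree (first vs last wins): reject it.
        if (array_key_exists($name, $raw)) {
            throw new RuntimeException("duplicate query parameter: $name");
        }
        $raw[$name] = $value;
    }
    if (isset($raw['SAMLRequest']) === isset($raw['SAMLResponse'])) {
        throw new RuntimeException('exactly one of SAMLRequest/SAMLResponse required');
    }
    $msgParam = isset($raw['SAMLResponse']) ? 'SAMLResponse' : 'SAMLRequest';
    if (!isset($raw['Signature'], $raw['SigAlg'])) {
        throw new RuntimeException('message is not signed');
    }
    if (rawurldecode($raw['SigAlg']) !== RSA_SHA256) {
        throw new RuntimeException('unsupported SigAlg');
    }
    // Rebuild the signed data from the raw (encoded) values; never re-encode,
    // since a different encoder would change the bytes and break verification.
    $signedData = $msgParam . '=' . $raw[$msgParam];
    if (isset($raw['RelayState'])) {
        $signedData .= '&RelayState=' . $raw['RelayState'];
    }
    $signedData .= '&SigAlg=' . $raw['SigAlg'];
    $sig = base64_decode(rawurldecode($raw['Signature']), true);
    if ($sig === false || openssl_verify($signedData, $sig, $pubKeyPem, OPENSSL_ALGO_SHA256) !== 1) {
        throw new RuntimeException('bad signature');
    }
    // Only now decode the message, and only from the bytes that were verified.
    $xml = gzinflate(base64_decode(rawurldecode($raw[$msgParam]), true));
    $relay = isset($raw['RelayState']) ? rawurldecode($raw['RelayState']) : null;
    return [$msgParam, $xml, $relay];
}

// Demo with a throwaway RSA key and constructed messages (sample data, not real traffic).
$key = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
$pub = openssl_pkey_get_details($key)['key'];
$legit = '<samlp:Response ID="_legit"><saml:Assertion/></samlp:Response>';
$query = redirectBindingSign($legit, 'https://sp.example/app', $key);
[$param, $xml] = redirectBindingReceive($query, $pub);
echo "accepted $param: $xml\n";

$forged = rawurlencode(base64_encode(gzdeflate('<samlp:Response ID="_forged"/>')));
$attacks = [
    'appended unsigned copy' => $query . '&SAMLResponse=' . $forged,
    'signature stripped'     => preg_replace('/&Signature=[^&]*/', '', $query),
    'relay state tampered'   => preg_replace('/RelayState=[^&]*/', 'RelayState=evil', $query),
];
foreach ($attacks as $label => $bad) {
    try {
        redirectBindingReceive($bad, $pub);
        echo "$label: ACCEPTED (bug)\n";
    } catch (RuntimeException $e) {
        echo "$label: rejected ({$e->getMessage()})\n";
    }
}
```

The property worth checking in any HTTP-Redirect implementation is the one the demo exercises: the message the application goes on to trust must be decoded from the identical query-string bytes that the signature check covered, with no second parse (such as a framework's pre-populated request array) consulted for the message, and with repeated or competing message parameters treated as an error rather than resolved by whichever parser happens to run.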
--- Begin Message ---
Source: simplesamlphp
Source-Version: 1.19.7-2
Done: Tobias Frost <t...@debian.org>

We believe that the bug you reported is fixed in the latest version of
simplesamlphp, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1100...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Tobias Frost <t...@debian.org> (supplier of updated simplesamlphp package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 10 May 2025 09:04:37 +0200
Source: simplesamlphp
Architecture: source
Version: 1.19.7-2
Distribution: unstable
Urgency: medium
Maintainer: Thijs Kinkhorst <th...@debian.org>
Changed-By: Tobias Frost <t...@debian.org>
Closes: 1100595
Changes:
 simplesamlphp (1.19.7-2) unstable; urgency=medium
 .
   * Team upload.
   * Fix CVE-2025-27773 (Closes: #1100595)
Checksums-Sha1:
 f0bea00e99555055eae780cf76eeb98abc35c0be 1881 simplesamlphp_1.19.7-2.dsc
 c71445d704ad1dcf2abb36c78b4df407aaa18e5c 2784716 simplesamlphp_1.19.7-2.debian.tar.xz
 6e85bd0517fa1bb45eb72e957a002a9dee59fb04 5790 simplesamlphp_1.19.7-2_amd64.buildinfo
Checksums-Sha256:
 2e4307204f7f9e4227156241318396e2fa40fc200e16d7bcd19bd65b974da0bc 1881 simplesamlphp_1.19.7-2.dsc
 428634cb0820e3ca26ca43ef3ab8c1515cf6ddadba77f3d8dd65a83b0d959298 2784716 simplesamlphp_1.19.7-2.debian.tar.xz
 2b697cdd020e0b6539ee07f745d58ff881318c148f2aab62d950845a3d661412 5790 simplesamlphp_1.19.7-2_amd64.buildinfo
Files:
 0b269e37ca47b861cdc835d68098131f 1881 web optional simplesamlphp_1.19.7-2.dsc
 4a5cb789a0caaa553d12bbff8c8a4447 2784716 web optional simplesamlphp_1.19.7-2.debian.tar.xz
 300b43e6a4cb7b4fc1ca32481e8b743b 5790 web optional simplesamlphp_1.19.7-2_amd64.buildinfo



--- End Message ---
