Your message dated Sat, 31 May 2025 21:32:18 +0000
with message-id <e1ultoq-000yzv...@fasolo.debian.org>
and subject line Bug#1100595: fixed in simplesamlphp 1.19.7-1+deb12u2
has caused the Debian Bug report #1100595,
regarding simplesamlphp: CVE-2025-27773
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1100595: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1100595
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: simplesamlphp
Version: 1.19.7-1+deb12u1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,
The following vulnerability was published for simplesamlphp.
CVE-2025-27773[0]:
| The SimpleSAMLphp SAML2 library is a PHP library for SAML2 related
| functionality. Prior to versions 4.17.0 and 5.0.0-alpha.20, there is
| a signature confusion attack in the HTTPRedirect binding. An
| attacker with any signed SAMLResponse via the HTTP-Redirect binding
| can cause the application to accept an unsigned message. Versions
| 4.17.0 and 5.0.0-alpha.20 contain a fix for the issue.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-27773
    https://www.cve.org/CVERecord?id=CVE-2025-27773
[1] https://github.com/simplesamlphp/saml2/security/advisories/GHSA-46r4-f8gj-xg56
[2] https://github.com/simplesamlphp/saml2/commit/7867d6099dc7f31bed1ea10e5bea159c5623d2a0
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: simplesamlphp
Source-Version: 1.19.7-1+deb12u2
Done: Tobias Frost <t...@debian.org>
We believe that the bug you reported is fixed in the latest version of
simplesamlphp, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1100...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Tobias Frost <t...@debian.org> (supplier of updated simplesamlphp package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
Format: 1.8
Date: Sun, 11 May 2025 08:35:04 +0200
Source: simplesamlphp
Architecture: source
Version: 1.19.7-1+deb12u2
Distribution: bookworm
Urgency: medium
Maintainer: Thijs Kinkhorst <th...@debian.org>
Changed-By: Tobias Frost <t...@debian.org>
Closes: 1100595
Changes:
simplesamlphp (1.19.7-1+deb12u2) bookworm; urgency=medium
.
* Team upload for stable proposed updates.
* Fix CVE-2025-27773 (Closes: #1100595)
--- End Message ---