Bug#780383: libopensaml2-java: CVE-2015-1796

tony mancill tmancill at debian.org
Fri Apr 10 05:44:20 UTC 2015


On Fri, 13 Mar 2015 16:31:02 +0100 Salvatore Bonaccorso
<carnil at debian.org> wrote:
> Hi Emmanuel,
> 
> Thanks for the quick feedback.
> 
> On Fri, Mar 13, 2015 at 10:42:41AM +0100, Emmanuel Bourg wrote:
> > Hi Salvatore,
> > 
> > Thank you for the report. Looking at the commit r1680 mentioned on the
> > security tracker I fail to see how it addresses the vulnerability
> > described. I suspect this is actually a vulnerability in a dependency
> > shared by opensaml and idp (maybe xmltooling which contains the
> > PKIXValidationInformationResolver class, or shib-common with a recent
> > commit referring to the same SIDP-624 issue [1]).
> 
> Note the commit reference was added by me, while searching to isolate
> where the problem lies, i.e. searching for relevant commits between tag
> 2.6.4 and 2.6.5. I don't understand libopensaml2-java well enough,
> though. The upstream advisory just says:
> 
> Affected Versions
> =================
> 
> Versions of OpenSAML Java < 2.6.5
> [...]
> OpenSAML users: Upgrade to OpenSAML Java 2.6.5 or greater, if PKIX
> trust engines are in use. PKIX trust engine implementations in this
> version will fail a candidate credential if no trusted names are
> resolved for the relevant entityID; the existing PKIX resolver
> implementations now also automatically treat the target entityID as an
> implicit trusted name. If this is not feasible, ensure that ALL entity
> data resolved via instances of PKIXValidationInformationResolver have
> at least 1 trusted name which is resolvable. For resolvers based on
> SAML metadata, see IdP recommendations below.
> [...]
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=1196619
> 
> and
> 
> https://bugzilla.novell.com/show_bug.cgi?id=922199
> 
> both don't give much more information.

I agree with Emmanuel in that I don't see how the change in 2.6.5
addresses the reported vulnerability.

But I also don't understand the code well enough to say for sure what we
should cherry-pick; ignoring the timer change in 2.6.5, the only
really substantive change I see between 2.6.2 and 2.6.5 came in 2.6.3:

> http://svn.shibboleth.net/view/java-opensaml2?view=revision&revision=1670

Perhaps the following verbiage is related to the CVE, and the suggestion
to upgrade to > 2.6.4 isn't as constrained or precise as it could be?

> https://wiki.shibboleth.net/confluence/display/SHIB2/PKIXTrustEngine#PKIXTrustEngine-KnownIssues

In any event, the changes between 2.6.2 and 2.6.5 don't seem that
extensive.  Should we prepare a 2.6.5 package and ask the Security and
Release teams for guidance?

Cheers,
tony
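The trusted-name change the quoted advisory describes, as an added model in Python (not OpenSAML's code and not part of this thread): the Credential class, the metadata dict and the pre-2.6.5 "no trusted names means no name check" behaviour are assumptions constructed here from the advisory text, and the audit function implements its fallback mitigation of requiring at least one resolvable trusted name per entity.

```python
from dataclasses import dataclass, field


@dataclass
class Credential:
    """Candidate credential presented for a SAML entity (constructed model)."""
    entity_id: str                 # entityID the credential is presented for
    subject_cn: str                # CN from the certificate subject
    alt_names: frozenset = field(default_factory=frozenset)  # subjectAltName DNS names
    chain_valid: bool = True       # outcome of PKIX path validation, assumed here


def credential_names(cred):
    """Names a PKIX trust engine compares against the resolved trusted names."""
    return {cred.subject_cn} | set(cred.alt_names)


def resolve_trusted_names(metadata, entity_id, implicit_entity_id):
    """Model of a metadata-backed PKIXValidationInformationResolver.
    With implicit_entity_id=True the target entityID is added as a trusted
    name, which the advisory says the 2.6.5 resolvers now do automatically."""
    names = set(metadata.get(entity_id, {}).get("trusted_names", []))
    if implicit_entity_id:
        names.add(entity_id)
    return names


def engine_evaluate(cred, trusted_names, fail_on_empty):
    """Trusted-name step of the PKIX trust engine. fail_on_empty=False models
    the pre-2.6.5 behaviour implied by the advisory (an empty trusted-name set
    skips the name check); fail_on_empty=True is the 2.6.5 fail-closed rule."""
    if not cred.chain_valid:
        return False
    if not trusted_names:
        return not fail_on_empty
    return bool(credential_names(cred) & trusted_names)


def evaluate(cred, metadata, fixed):
    """Run resolver plus engine in either the old (fixed=False) or 2.6.5 mode."""
    names = resolve_trusted_names(metadata, cred.entity_id, implicit_entity_id=fixed)
    return engine_evaluate(cred, names, fail_on_empty=fixed)


def audit_missing_trusted_names(metadata):
    """The advisory's fallback mitigation: list entities whose metadata yields
    no trusted name at all, so they can be corrected before or instead of an upgrade."""
    return sorted(eid for eid, entry in metadata.items()
                  if not entry.get("trusted_names"))


# Constructed sample metadata, not taken from any real deployment.
SAMPLE_METADATA = {
    "https://sp.example.org/shibboleth": {"trusted_names": ["sp.example.org"]},
    "https://legacy.example.org/sp": {"trusted_names": []},
}
```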

