[SCM] Debian branch, master, updated. debian/1.2.2-3-12-g9e17c92

Xavier Guimard x.guimard at free.fr
Sun Mar 10 06:37:20 UTC 2013


The following commit has been merged in the master branch:
commit 6174e70ef009aadad66abde89ce2cc0832476f53
Author: Xavier Guimard <x.guimard at free.fr>
Date:   Sun Mar 10 07:34:11 2013 +0100

    Remove SAML security patch now included in upstream

diff --git a/debian/patches/series b/debian/patches/series
index 8032806..10aced8 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1 @@
 change-js-libs-by-shared-packages.patch
-verify-saml-signatures.patch
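Review bot: Dropping `verify-saml-signatures.patch` from the series stops the CVE-2012-6426 fix from being applied at build time, and nothing in this commit records which upstream release carries it. Before relying on "now included in upstream", check that the imported `_SAML.pm` defines `forceSignatureVerification`. Also check that `AuthSAML.pm` and `IssuerDBSAML.pm` call it ahead of the message-processing call in each of the six `check…MessageSignature` branches the deleted patch touched. A changelog entry such as `* Remove verify-saml-signatures.patch (CVE-2012-6426), included upstream since <upstream version>` would keep the fix traceable for anyone auditing the package later.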
diff --git a/debian/patches/verify-saml-signatures.patch b/debian/patches/verify-saml-signatures.patch
deleted file mode 100644
index ee61f46..0000000
--- a/debian/patches/verify-saml-signatures.patch
+++ /dev/null
@@ -1,146 +0,0 @@
-Description: Verify SAML signature
- Due to a bad use of Lasso library, SAML signatures are never checked, even if
- we force signature check.
- [CVE-2012-6426]
-Author: Clément OUDOT <coudot at linagora.com>
-Bug: http://jira.ow2.org/browse/LEMONLDAP-570
-Bug-Debian: http://bugs.debian.org/696329
-Forwarded: yes
-Reviewed-By: Xavier Guimard <x.guimard at free.fr>
-Last-Update: 2012-12-19
-
---- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/_SAML.pm
-+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/_SAML.pm
-@@ -2241,6 +2241,21 @@
-     return $self->checkLassoError($@);
- }
- 
-+## @method boolean forceSignatureVerification(Lasso::Profile profile)
-+# Modify Lasso signature hint to force signature verification
-+# @param profile Lasso profile object
-+# @return result
-+sub forceSignatureVerification {
-+    my ( $self, $profile ) = splice @_;
-+
-+    eval {
-+        Lasso::Profile::set_signature_verify_hint( $profile,
-+            Lasso::Constants::PROFILE_SIGNATURE_VERIFY_HINT_FORCE );
-+    };
-+
-+    return $self->checkLassoError($@);
-+}
-+
- ## @method string getAuthnContext(string context)
- # Convert configuration string into SAML2 AuthnContextClassRef string
- # @param context configuration string
-@@ -3232,6 +3247,10 @@
- 
- Modify Lasso signature hint to disable signature verification
- 
-+=head2 forceSignatureVerification
-+
-+Modify Lasso signature hint to force signature verification
-+
- =head2 getAuthnContext
- 
- Convert configuration string into SAML2 AuthnContextClassRef string
---- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/AuthSAML.pm
-+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/AuthSAML.pm
-@@ -125,7 +125,18 @@
-               ->{samlIDPMetaDataOptionsCheckSSOMessageSignature};
- 
-             if ($checkSSOMessageSignature) {
--                unless ( $self->checkSignatureStatus($login) ) {
-+
-+                $self->forceSignatureVerification($login);
-+
-+                if ($artifact) {
-+                    $result = $self->processArtResponseMsg( $login, $response );
-+                }
-+                else {
-+                    $result =
-+                      $self->processAuthnResponseMsg( $login, $response );
-+                }
-+
-+                unless ($result) {
-                     $self->lmLog( "Signature is not valid", 'error' );
-                     return PE_SAML_SIGNATURE_ERROR;
-                 }
-@@ -404,7 +415,12 @@
-               ->{samlIDPMetaDataOptionsCheckSLOMessageSignature};
- 
-             if ($checkSLOMessageSignature) {
--                unless ( $self->checkSignatureStatus($logout) ) {
-+
-+                $self->forceSignatureVerification($logout);
-+
-+                $result = $self->processLogoutResponseMsg( $logout, $response );
-+
-+                unless ($result) {
-                     $self->lmLog( "Signature is not valid", 'error' );
-                     return PE_SAML_SIGNATURE_ERROR;
-                 }
---- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/IssuerDBSAML.pm
-+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/IssuerDBSAML.pm
-@@ -150,7 +150,17 @@
-               ->{samlSPMetaDataOptionsCheckSSOMessageSignature};
- 
-             if ($checkSSOMessageSignature) {
--                unless ( $self->checkSignatureStatus($login) ) {
-+
-+                $self->forceSignatureVerification($login);
-+
-+                if ($artifact) {
-+                    $result = $self->processArtResponseMsg( $login, $request );
-+                }
-+                else {
-+                    $result = $self->processAuthnRequestMsg( $login, $request );
-+                }
-+
-+                unless ($result) {
-                     $self->lmLog( "Signature is not valid", 'error' );
-                     return PE_SAML_SIGNATURE_ERROR;
-                 }
-@@ -277,7 +287,10 @@
-               ->{samlSPMetaDataOptionsCheckSLOMessageSignature};
- 
-             if ($checkSLOMessageSignature) {
--                unless ( $self->checkSignatureStatus($logout) ) {
-+
-+                $self->forceSignatureVerification($logout);
-+
-+                unless ( $self->processLogoutRequestMsg( $logout, $request ) ) {
-                     $self->lmLog( "Signature is not valid", 'error' );
-                     return $self->sendSLOErrorResponse( $logout, $method );
-                 }
-@@ -1203,7 +1216,17 @@
-               ->{samlSPMetaDataOptionsCheckSSOMessageSignature};
- 
-             if ($checkSSOMessageSignature) {
--                unless ( $self->checkSignatureStatus($login) ) {
-+
-+                $self->forceSignatureVerification($login);
-+
-+                if ($artifact) {
-+                    $result = $self->processArtResponseMsg( $login, $request );
-+                }
-+                else {
-+                    $result = $self->processAuthnRequestMsg( $login, $request );
-+                }
-+
-+                unless ($result) {
-                     $self->lmLog( "Signature is not valid", 'error' );
-                     return PE_SAML_SIGNATURE_ERROR;
-                 }
-@@ -1851,7 +1874,10 @@
-               ->{samlSPMetaDataOptionsCheckSLOMessageSignature};
- 
-             if ($checkSLOMessageSignature) {
--                unless ( $self->checkSignatureStatus($logout) ) {
-+
-+                $self->forceSignatureVerification($logout);
-+
-+                unless ( $self->processLogoutRequestMsg( $logout, $request ) ) {
-                     $self->lmLog( "Signature is not valid", 'error' );
-                     return $self->sendSLOErrorResponse( $logout, $method );
-                 }

-- 
Debian


