Bug#780383: libopensaml2-java: CVE-2015-1796

Salvatore Bonaccorso carnil at debian.org
Fri Mar 13 15:31:02 UTC 2015


Hi Emmanuel,

Thanks for the quick feedback.

On Fri, Mar 13, 2015 at 10:42:41AM +0100, Emmanuel Bourg wrote:
> Hi Salvatore,
> 
> Thank you for the report. Looking at the commit r1680 mentioned on the
> security tracker I fail to see how it addresses the vulnerability
> described. I suspect this is actually a vulnerability in a dependency
> shared by opensaml and idp (maybe xmltooling which contains the
> PKIXValidationInformationResolver class, or shib-common with a recent
> commit referring to the same SIDP-624 issue [1]).

Note the commit reference was added by me, while searching to isolate
where the problem lies, i.e. searching for relevant commits between tag
2.6.4 and 2.6.5. I don't understand libopensaml2-java well enough,
though. The upstream advisory just says:

Affected Versions
=================

Versions of OpenSAML Java < 2.6.5
[...]
OpenSAML users: Upgrade to OpenSAML Java 2.6.5 or greater, if PKIX
trust engines are in use. PKIX trust engine implementations in this
version will fail a candidate credential if no trusted names are
resolved for the relevant entityID; the existing PKIX resolver
implementations now also automatically treat the target entityID as an
implicit trusted name. If this is not feasible, ensure that ALL entity
data resolved via instances of PKIXValidationInformationResolver have
at least 1 trusted name which is resolvable. For resolvers based on
SAML metadata, see IdP recommendations below.
[...]

https://bugzilla.redhat.com/show_bug.cgi?id=1196619

and

https://bugzilla.novell.com/show_bug.cgi?id=922199

both don't give much more information.

Regards,
Salvatore
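
The advisory excerpt above describes the 2.6.5 change in two parts: the PKIX
trust engine now fails a candidate credential when no trusted names resolve
for the entityID, and the metadata-backed resolvers now add the target
entityID itself as an implicit trusted name. The following Python model, added
here for illustration and not OpenSAML's own code or API, shows why the
pre-2.6.5 behaviour matters: with an empty trusted-name set the name check was
skipped, so any certificate that passed PKIX path validation (i.e. any cert
from a trusted CA) was accepted for that entity. The resolver class, the
entityIDs, the metadata and the certificate names are all constructed sample
data; `MetadataNameResolver` is a hypothetical stand-in for a
PKIXValidationInformationResolver, and PKIX path validation is assumed to
have already succeeded.

```python
# Model of the trusted-name check described in the OpenSAML 2.6.5 advisory.
# Constructed illustration in Python; not OpenSAML code and not its API.

from dataclasses import dataclass


@dataclass(frozen=True)
class Credential:
    """A candidate credential that has already passed PKIX path validation."""
    entity_id: str          # entityID the credential is presented for
    cert_names: frozenset   # names carried by the certificate (subject CN, subjectAltNames)


class MetadataNameResolver:
    """Hypothetical stand-in for a metadata-backed PKIXValidationInformationResolver.

    trusted_names maps entityID -> names taken from that entity's metadata
    (for example ds:KeyName values). An entity without any KeyName has an
    empty set, which is exactly the situation the advisory warns about.
    """

    def __init__(self, trusted_names, implicit_entity_id):
        self._names = {k: frozenset(v) for k, v in trusted_names.items()}
        # 2.6.5 resolver behaviour: the target entityID is an implicit trusted name
        self._implicit = implicit_entity_id

    def resolve_trusted_names(self, entity_id):
        names = set(self._names.get(entity_id, ()))
        if self._implicit:
            names.add(entity_id)
        return names


def trusted_name_check(resolver, cred, fail_on_empty):
    """Return True if the certificate carries a name trusted for cred.entity_id.

    fail_on_empty=False models engines before 2.6.5: an empty trusted-name
    set meant "no name check", so any PKIX-valid certificate was accepted.
    fail_on_empty=True models 2.6.5: no resolved names -> credential fails.
    """
    trusted = resolver.resolve_trusted_names(cred.entity_id)
    if not trusted:
        return not fail_on_empty
    return bool(trusted & cred.cert_names)


# Constructed sample data (not taken from the bug report or the advisory).
SP = "https://sp.example.org/shibboleth"
OTHER = "https://other.example.org/shibboleth"
METADATA = {
    SP: set(),                      # metadata lists no KeyName for this SP
    OTHER: {"other.example.org"},   # metadata with an explicit KeyName
}

# Certificate from the same trusted CA, but issued to a different subject.
STRANGER = Credential(SP, frozenset({"attacker.example.net"}))
# Certificate whose subjectAltName carries the SP's entityID.
LEGIT = Credential(SP, frozenset({SP, "sp.example.org"}))
OTHER_CRED = Credential(OTHER, frozenset({"other.example.org"}))


def evaluate_pre_2_6_5(cred):
    """Old resolver (no implicit name) with the old engine (empty set = skip)."""
    resolver = MetadataNameResolver(METADATA, implicit_entity_id=False)
    return trusted_name_check(resolver, cred, fail_on_empty=False)


def evaluate_2_6_5(cred):
    """Fixed resolver (implicit entityID) with the fixed engine (empty set = fail)."""
    resolver = MetadataNameResolver(METADATA, implicit_entity_id=True)
    return trusted_name_check(resolver, cred, fail_on_empty=True)


if __name__ == "__main__":
    for label, cred in (("stranger", STRANGER), ("legit", LEGIT), ("other", OTHER_CRED)):
        print(f"{label}: before={evaluate_pre_2_6_5(cred)} after={evaluate_2_6_5(cred)}")
```

Running it shows the stranger certificate accepted for the SP before the fix
and rejected after it, while the legitimate certificate (which names the
entityID) and the entity with an explicit KeyName pass in both versions. The
engine-side `fail_on_empty` change matters on its own when a resolver does not
add the implicit name, which is why the advisory's fallback advice is to make
sure every entity has at least one resolvable trusted name.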
