-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 17 Mar 2021 21:40:34 CET
Source: shibboleth-sp
Architecture: source
Version: 3.0.4+dfsg1-1+deb10u1
Distribution: buster-security
Urgency: high
Maintainer: Debian Shib Team <pkg-shibboleth-devel@lists.alioth.debian.org>
Changed-By: Ferenc Wágner <wferi@debian.org>
Closes: 985405
Changes:
 shibboleth-sp (3.0.4+dfsg1-1+deb10u1) buster-security; urgency=high
 .
   * [594074b] New patch: SSPCPP-922 - Add externalParameters option to
     Errors element.
     Fix a phishing vulnerability:
     Template generation allows external parameters to override placeholders
     The primitive template engine used to render error pages allows
     replacement via query parameters also, though this is not a typical
     need. Because of this feature, it's possible to cause the SP to display
     some templates containing values supplied externally by URL
     manipulation. Though the values are encoded to prevent script
     injection, the content nevertheless appears to come from the server and
     so would be interpreted as trustworthy, allowing email addresses, logos,
     or support URLs to be manipulated by an attacker.
     This update adds a new <Errors> setting to the configuration called
     externalParameters, which defaults to false. When false, support for
     this "feature" is disabled.
     https://shibboleth.net/community/advisories/secadv_20210317.txt
     https://issues.shibboleth.net/jira/browse/SSPCPP-922
     Thanks to Scott Cantor (Closes: #985405)
Checksums-Sha256:
 c33ef8a0c0735abe7348e9825588bba01ac62325a6dc4375be21b153b8c0fd88 3034 shibboleth-sp_3.0.4+dfsg1-1+deb10u1.dsc
 6790ac56e79c215dd38a065c94905b979185b72294d3fce2cd78ba43995831f4 79324 shibboleth-sp_3.0.4+dfsg1-1+deb10u1.debian.tar.xz
 6f33456c355d811803afba004f90810f54fdd1f2398f3486fe73f8be0ca53b22 13808 shibboleth-sp_3.0.4+dfsg1-1+deb10u1_amd64.buildinfo
 b327701d111da4b5da370eddc945c382abc378ff9445e1eda9554c0d7e6f1dca 629664 shibboleth-sp_3.0.4+dfsg1.orig.tar.xz
Checksums-Sha1:
 b772eca334b15268404717420e899765f6d19d38 3034 shibboleth-sp_3.0.4+dfsg1-1+deb10u1.dsc
 41ce923aef344361e7df8f2625f31ef3d84cf85f 79324 shibboleth-sp_3.0.4+dfsg1-1+deb10u1.debian.tar.xz
 f73d4690f2fad69caaac1beb0a871266b732c309 13808 shibboleth-sp_3.0.4+dfsg1-1+deb10u1_amd64.buildinfo
 cf6064d46a963cd5704439d0124bd7333ea8447e 629664 shibboleth-sp_3.0.4+dfsg1.orig.tar.xz
Files:
 b2030bd2eafac8728d6aa75d9bf7eca0 3034 web optional shibboleth-sp_3.0.4+dfsg1-1+deb10u1.dsc
 74d4b3c702dd8219f9f81720c7fc5bc1 79324 web optional shibboleth-sp_3.0.4+dfsg1-1+deb10u1.debian.tar.xz
 ee57dbfb6777b3d0c9f64eced6efab02 13808 web optional shibboleth-sp_3.0.4+dfsg1-1+deb10u1_amd64.buildinfo
 050e90a66472f17e81acd2ab21b677c2 629664 web optional shibboleth-sp_3.0.4+dfsg1.orig.tar.xz

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEwddEx0RNIUL7eugtOsj3Fkd+2yMFAmBSaYsACgkQOsj3Fkd+
2yOZyQ/+JOqrW/hSIdV64BRu0wYR7+gwrRM2/a29Dy9zZYKr1AAF6i2IgAmCYic2
7kNOmqKwqjEDpEf50NizKqcMxqqjlwE7M0sBz7pMIw2IR2VWL1HzOQgs1uP0HfLB
uU3sP9JUY6HmRMoZyjDsEx1iyLmHRsQ3Lb1+eMb5w/Rx7Fn1tOOlKmBE/0zOqy6A
m1drxjGtRoY65bOnjoqTJ1mUWJVLySg7OXMCsop2pCpftGDCSzSMDl7DWErM2OMF
CsisB5jx9RB3OsxYr2H7mQNY3LW7CI5MT2CKw92n7Ebv3WqSMltUjiDPj0Qqy4Pp
w9qv8mZ8iyEA7SQH13hKVSP0R7Ss7FeZIsRzjOHXocwZpxU+T+wVSNzeuD75oA8M
rP8TTDk7fSGTjhxg/rIffH04+RiJ1rDvSC1gncLphjUNzok5tnzs9OBaYH9Hy6sP
xQLCC+SCO8xfGBGM5dJgLJqzZ1jmdPFVd96wmzRdFNzdnMsCqSMlz/nexIYCjk1z
WafbGbjN+QnpuCRqDD15ySXZSE29KWvbBwnz8ULYf79RQp0AynkOLwub/3MQgXmQ
f+/adJACwlApqo+XP/hvuHsWo/VmgfxN7pNNvZTFvvPqwKlPD897phYFFUM48hKw
eVP3aDn4mkBfWQM6HlCIi9bwAF7CVnCTkFQEnAL6OtcSKpQJ4ZM=
=miVA
-----END PGP SIGNATURE-----
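The changelog above says that after this update the error-page template engine only honours URL-supplied placeholder values when the `<Errors>` element carries `externalParameters="true"`, and that before the update the behaviour was unconditional. The following checker, an added example that is neither Debian's nor the Shibboleth project's code, parses a `shibboleth2.xml` and reports whether query-parameter overrides would still be in effect. The two configuration snippets are constructed for the example; the `urn:mace:shibboleth:3.0:native:sp:config` namespace is the SP 3 configuration namespace, and the `sp_patched` flag stands in for whatever version check an operator already has (assumption, not something the page provides).

```python
"""Audit the <Errors> externalParameters setting in a Shibboleth SP config.

Added example, not part of the Debian upload or of the Shibboleth SP code.
"""
import xml.etree.ElementTree as ET

# Shibboleth SP 3 configuration namespace (shibboleth2.xml)
SP_NS = "urn:mace:shibboleth:3.0:native:sp:config"

# Constructed sample: a typical Errors element that does not mention the new
# attribute at all, which is what most deployments looked like at upload time.
SAMPLE_DEFAULT = """<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config">
  <ApplicationDefaults entityID="https://sp.example.org/shibboleth">
    <Errors supportContact="root@localhost" helpLocation="/about.html"
            styleSheet="/shibboleth-sp/main.css"/>
  </ApplicationDefaults>
</SPConfig>"""

# Constructed sample: an operator who deliberately re-enabled the feature.
SAMPLE_OPT_IN = """<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config">
  <ApplicationDefaults entityID="https://sp.example.org/shibboleth">
    <Errors supportContact="root@localhost" externalParameters="true"/>
  </ApplicationDefaults>
</SPConfig>"""


def _local_name(tag: str) -> str:
    """Strip an ElementTree '{namespace}' prefix from a tag name."""
    return tag.rsplit("}", 1)[-1]


def errors_external_parameters(xml_text: str) -> str:
    """Return 'enabled', 'disabled', 'unset' or 'missing' for <Errors>.

    'unset' means the element exists but has no externalParameters attribute,
    which on a patched SP means the documented default of false.
    """
    root = ET.fromstring(xml_text)
    errors = root.find(f".//{{{SP_NS}}}Errors")
    if errors is None:
        # Fall back to a namespace-agnostic search for unusual configs.
        errors = next((e for e in root.iter() if _local_name(e.tag) == "Errors"), None)
    if errors is None:
        return "missing"
    value = errors.get("externalParameters")
    if value is None:
        return "unset"
    return "enabled" if value.strip().lower() in ("true", "1") else "disabled"


def honours_external_parameters(xml_text: str, sp_patched: bool) -> bool:
    """True if URL-supplied placeholder values still reach the error templates.

    Before the fix the feature was always on regardless of configuration; after
    the fix it is on only when externalParameters is explicitly true.
    """
    if not sp_patched:
        return True
    return errors_external_parameters(xml_text) == "enabled"


if __name__ == "__main__":
    for label, cfg in (("default", SAMPLE_DEFAULT), ("opt-in", SAMPLE_OPT_IN)):
        print(f"{label}: attribute={errors_external_parameters(cfg)}, "
              f"overrides after patch={honours_external_parameters(cfg, True)}")
```

Run against a real `shibboleth2.xml` by reading the file into `xml_text`; a result of `enabled` on a patched SP deserves a deliberate decision, since it restores exactly the behaviour the advisory describes.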