Debian Package Tracker - simplesamlphp

general

source: simplesamlphp (main)
version: 1.18.8-1
maintainer: Thijs Kinkhorst (DMD) (LowNMU)
arch: all
std-ver: 4.5.0
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 1.13.1-2+deb8u1
o-o-sec: 1.13.1-2+deb8u3
oldstable: 1.14.11-1+deb9u2
old-sec: 1.14.11-1+deb9u2
stable: 1.16.3-1+deb10u2
stable-sec: 1.16.3-1+deb10u1
testing: 1.18.8-1
unstable: 1.18.8-1

versioned links

1.13.1-2+deb8u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.13.1-2+deb8u3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.14.11-1+deb9u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.16.3-1+deb10u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.16.3-1+deb10u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.18.8-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

simplesamlphp

action needed

lintian reports 2 errors and 21 warnings high

Lintian reports 2 errors and 21 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2020-08-22 Last update: 2020-09-21 06:04

6 ignored security issues in stretch low

There are 6 open security issues in stretch.

6 issues skipped by the security teams:

CVE-2017-12870: SimpleSAMLphp 1.14.12 and earlier make it easier for man-in-the-middle attackers to obtain sensitive information by leveraging use of the aesEncrypt and aesDecrypt methods in the SimpleSAML/Utils/Crypto class to protect session identifiers in replies to non-HTTPS service providers.
CVE-2017-12871: The aesEncrypt method in lib/SimpleSAML/Utils/Crypto.php in SimpleSAMLphp 1.14.x through 1.14.11 makes it easier for context-dependent attackers to bypass the encryption protection mechanism by leveraging use of the first 16 bytes of the secret key as the initialization vector (IV).
CVE-2017-12872: The (1) Htpasswd authentication source in the authcrypt module and (2) SimpleSAML_Session class in SimpleSAMLphp 1.14.11 and earlier allow remote attackers to conduct timing side-channel attacks by leveraging use of the standard comparison operator to compare secret material against user input.
CVE-2018-6520: SimpleSAMLphp before 1.15.2 allows remote attackers to bypass an open redirect protection mechanism via crafted authority data in a URL.
CVE-2018-7711: HTTPRedirect.php in the saml2 library in SimpleSAMLphp before 1.15.4 has an incorrect check of return values in the signature validation utilities, allowing an attacker to get invalid signatures accepted as valid by forcing an error during validation. This occurs because of a dependency on PHP functionality that interprets a -1 error code as a true boolean value.
CVE-2020-5225: Log injection in SimpleSAMLphp before version 1.18.4. The www/erroreport.php script, which receives error reports and sends them via email to the system administrator, did not properly sanitize the report identifier obtained from the request. This allows an attacker, under specific circumstances, to inject new log lines by manually crafting this report ID. When configured to use the file logging handler, SimpleSAMLphp will output all its logs by appending each log line to a given file. Since the reportID parameter received in a request sent to www/errorreport.php was not properly sanitized, it was possible to inject newline characters into it, effectively allowing a malicious user to inject new log lines with arbitrary content.

Please fix them.

Created: 2017-08-16 Last update: 2020-09-09 06:01

1 ignored security issue in buster low

There is 1 open security issue in buster.

1 issue skipped by the security teams:

CVE-2020-5225: Log injection in SimpleSAMLphp before version 1.18.4. The www/erroreport.php script, which receives error reports and sends them via email to the system administrator, did not properly sanitize the report identifier obtained from the request. This allows an attacker, under specific circumstances, to inject new log lines by manually crafting this report ID. When configured to use the file logging handler, SimpleSAMLphp will output all its logs by appending each log line to a given file. Since the reportID parameter received in a request sent to www/errorreport.php was not properly sanitized, it was possible to inject newline characters into it, effectively allowing a malicious user to inject new log lines with arbitrary content.

Please fix it.

Created: 2020-01-25 Last update: 2020-09-09 06:01

Issues found with some translations low

Automatic checks made by the Debian l10n team found some issues with the translations contained in this package. You should check the l10n status report for more information.

Issues can be things such as missing translations, problematic translated strings, outdated PO files, unknown languages, etc.

Created: 2020-02-26 Last update: 2020-02-26 10:49

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.5.1 instead of 4.5.0).

Created: 2020-11-17 Last update: 2020-11-17 05:41

news

[rss feed]

[2020-09-09] simplesamlphp 1.18.8-1 MIGRATED to testing (Debian testing watch)
[2020-09-04] Accepted simplesamlphp 1.18.8-1 (source) into unstable (Thijs Kinkhorst)
[2020-05-20] simplesamlphp 1.18.7-1 MIGRATED to testing (Debian testing watch)
[2020-05-15] Accepted simplesamlphp 1.18.7-1 (source) into unstable (Thijs Kinkhorst)
[2020-04-25] simplesamlphp 1.18.6-1 MIGRATED to testing (Debian testing watch)
[2020-04-20] Accepted simplesamlphp 1.18.6-1 (source) into unstable (Thijs Kinkhorst)
[2020-03-25] simplesamlphp 1.18.5-1 MIGRATED to testing (Debian testing watch)
[2020-03-20] Accepted simplesamlphp 1.18.5-1 (source) into unstable (Thijs Kinkhorst)
[2020-01-29] simplesamlphp 1.18.4-1 MIGRATED to testing (Debian testing watch)
[2020-01-24] Accepted simplesamlphp 1.18.4-1 (source) into unstable (Thijs Kinkhorst)
[2020-01-08] Accepted simplesamlphp 1.16.3-1+deb10u2 (source all) into proposed-updates->stable-new, proposed-updates (Thijs Kinkhorst)
[2019-12-02] simplesamlphp 1.18.1-1 MIGRATED to testing (Debian testing watch)
[2019-11-26] Accepted simplesamlphp 1.18.1-1 (source) into unstable (Thijs Kinkhorst)
[2019-11-24] Accepted simplesamlphp 1.14.11-1+deb9u2 (source all) into oldstable-proposed-updates->oldstable-new, oldstable-proposed-updates (Thijs Kinkhorst)
[2019-11-09] Accepted simplesamlphp 1.16.3-1+deb10u1 (source all) into proposed-updates->stable-new, proposed-updates (Thijs Kinkhorst)
[2019-11-07] simplesamlphp 1.17.6-2 MIGRATED to testing (Debian testing watch)
[2019-11-06] Accepted simplesamlphp 1.13.1-2+deb8u3 (source all) into oldoldstable (Thijs Kinkhorst)
[2019-11-06] Accepted simplesamlphp 1.17.6-2 (source) into unstable (Thijs Kinkhorst)
[2019-11-06] Accepted simplesamlphp 1.14.11-1+deb9u2 (source all) into oldstable->embargoed, oldstable (Thijs Kinkhorst)
[2019-11-06] Accepted simplesamlphp 1.16.3-1+deb10u1 (source all) into stable->embargoed, stable (Thijs Kinkhorst)
[2019-09-04] simplesamlphp 1.17.6-1 MIGRATED to testing (Debian testing watch)
[2019-08-30] Accepted simplesamlphp 1.17.6-1 (source) into unstable (Thijs Kinkhorst)
[2019-08-25] simplesamlphp 1.17.5-1 MIGRATED to testing (Debian testing watch)
[2019-08-20] Accepted simplesamlphp 1.17.5-1 (source) into unstable (Thijs Kinkhorst)
[2019-07-16] simplesamlphp 1.17.4-1 MIGRATED to testing (Debian testing watch)
[2019-07-11] Accepted simplesamlphp 1.17.4-1 (source) into unstable (Thijs Kinkhorst)
[2019-07-10] Accepted simplesamlphp 1.17.3-1 (source) into unstable (Thijs Kinkhorst)
[2019-04-18] Accepted simplesamlphp 1.17.2-2 (source all) into unstable (Thijs Kinkhorst)
[2019-04-03] Accepted simplesamlphp 1.17.2-1 (source all) into unstable (Thijs Kinkhorst)
[2019-03-07] Accepted simplesamlphp 1.17.1-1 (source all) into unstable (Thijs Kinkhorst)

bugs [bug history graph]

all: 0

links

homepage
lintian (2, 21)
buildd: logs, clang, reproducibility
popcon
browse source code
edit tags
other distros
security tracker
screenshots
l10n (-, 100)

ubuntu

[Information about Ubuntu for Debian Developers]

version: 1.18.8-1
1 bug