Register | Log in

simplesamlphp

Authentication and federation application supporting several protocols

Choose email to subscribe with

general

source: simplesamlphp (main)
version: 1.17.6-1
maintainer: Thijs Kinkhorst (DMD) (LowNMU)
arch: all
std-ver: 4.4.0
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 1.13.1-2+deb8u1
o-o-sec: 1.13.1-2+deb8u2
oldstable: 1.14.11-1+deb9u1
old-sec: 1.14.11-1+deb9u1
stable: 1.16.3-1
testing: 1.17.6-1
unstable: 1.17.6-1

versioned links

1.13.1-2+deb8u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.13.1-2+deb8u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.14.11-1+deb9u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.16.3-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.17.6-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

simplesamlphp (1 bugs: 0, 0, 1, 0)

action needed

The VCS repository is not up to date, push the missing commits. high

vcswatch reports that the current version of the package is not in its VCS.
Either you need to push your commits, or the information about the package's VCS are out of date. A common cause of the latter issue when using the Git VCS is not specifying the correct branch when the packaging is not in the default one (remote HEAD branch), which is usually "master" but can be modified in salsa.debian.org in the project's general settings with the "Default Branch" field). Alternatively the Vcs-Git field in debian/control can contain a "-b <branch-name>" suffix to indicate what branch is used for the Debian packaging.

Created: 2019-08-30 Last update: 2019-09-13 20:06

5 security issues in stretch high

There are 5 open security issues in stretch.

2 important issues:

CVE-2017-12871: The aesEncrypt method in lib/SimpleSAML/Utils/Crypto.php in SimpleSAMLphp 1.14.x through 1.14.11 makes it easier for context-dependent attackers to bypass the encryption protection mechanism by leveraging use of the first 16 bytes of the secret key as the initialization vector (IV).
CVE-2017-12870: SimpleSAMLphp 1.14.12 and earlier make it easier for man-in-the-middle attackers to obtain sensitive information by leveraging use of the aesEncrypt and aesDecrypt methods in the SimpleSAML/Utils/Crypto class to protect session identifiers in replies to non-HTTPS service providers.

3 issues skipped by the security teams:

CVE-2017-12872: The (1) Htpasswd authentication source in the authcrypt module and (2) SimpleSAML_Session class in SimpleSAMLphp 1.14.11 and earlier allow remote attackers to conduct timing side-channel attacks by leveraging use of the standard comparison operator to compare secret material against user input.
CVE-2018-7711: HTTPRedirect.php in the saml2 library in SimpleSAMLphp before 1.15.4 has an incorrect check of return values in the signature validation utilities, allowing an attacker to get invalid signatures accepted as valid by forcing an error during validation. This occurs because of a dependency on PHP functionality that interprets a -1 error code as a true boolean value.
CVE-2018-6520: SimpleSAMLphp before 1.15.2 allows remote attackers to bypass an open redirect protection mechanism via crafted authority data in a URL.

Please fix them.

Created: 2017-08-16 Last update: 2019-09-04 05:49

Depends on packages which need a new maintainer normal

The packages that simplesamlphp depends on which need a new maintainer are:

apache2 (#910917)
- Depends: apache2

Created: 2018-10-13 Last update: 2019-09-20 08:36

lintian reports 6 warnings normal

Lintian reports 6 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2019-09-01 Last update: 2019-09-01 01:46

5 ignored security issues in jessie low

There are 5 open security issues in jessie.

5 issues skipped by the security teams:

CVE-2017-12870: SimpleSAMLphp 1.14.12 and earlier make it easier for man-in-the-middle attackers to obtain sensitive information by leveraging use of the aesEncrypt and aesDecrypt methods in the SimpleSAML/Utils/Crypto class to protect session identifiers in replies to non-HTTPS service providers.
CVE-2016-9814: The validateSignature method in the SAML2\Utils class in SimpleSAMLphp before 1.14.10 and simplesamlphp/saml2 library before 1.9.1, 1.10.x before 1.10.3, and 2.x before 2.3.3 allows remote attackers to spoof SAML responses or possibly cause a denial of service (memory consumption) by leveraging improper conversion of return values to boolean.
CVE-2018-7711: HTTPRedirect.php in the saml2 library in SimpleSAMLphp before 1.15.4 has an incorrect check of return values in the signature validation utilities, allowing an attacker to get invalid signatures accepted as valid by forcing an error during validation. This occurs because of a dependency on PHP functionality that interprets a -1 error code as a true boolean value.
CVE-2018-6520: SimpleSAMLphp before 1.15.2 allows remote attackers to bypass an open redirect protection mechanism via crafted authority data in a URL.
CVE-2016-9955: The SimpleSAML_XML_Validator class constructor in SimpleSAMLphp before 1.14.11 might allow remote attackers to spoof signatures on SAML 1 responses or possibly cause a denial of service (memory consumption) by leveraging improper conversion of return values to boolean.

Please fix them.

Created: 2016-12-03 Last update: 2019-09-04 05:49

news

[2019-09-04] simplesamlphp 1.17.6-1 MIGRATED to testing (Debian testing watch)
[2019-08-30] Accepted simplesamlphp 1.17.6-1 (source) into unstable (Thijs Kinkhorst)
[2019-08-25] simplesamlphp 1.17.5-1 MIGRATED to testing (Debian testing watch)
[2019-08-20] Accepted simplesamlphp 1.17.5-1 (source) into unstable (Thijs Kinkhorst)
[2019-07-16] simplesamlphp 1.17.4-1 MIGRATED to testing (Debian testing watch)
[2019-07-11] Accepted simplesamlphp 1.17.4-1 (source) into unstable (Thijs Kinkhorst)
[2019-07-10] Accepted simplesamlphp 1.17.3-1 (source) into unstable (Thijs Kinkhorst)
[2019-04-18] Accepted simplesamlphp 1.17.2-2 (source all) into unstable (Thijs Kinkhorst)
[2019-04-03] Accepted simplesamlphp 1.17.2-1 (source all) into unstable (Thijs Kinkhorst)
[2019-03-07] Accepted simplesamlphp 1.17.1-1 (source all) into unstable (Thijs Kinkhorst)
[2019-03-07] Accepted simplesamlphp 1.17.0-1 (source all) into unstable (Thijs Kinkhorst)
[2018-12-27] simplesamlphp 1.16.3-1 MIGRATED to testing (Debian testing watch)
[2018-12-21] Accepted simplesamlphp 1.16.3-1 (source all) into unstable (Thijs Kinkhorst)
[2018-10-04] simplesamlphp 1.16.2-1 MIGRATED to testing (Debian testing watch)
[2018-09-29] Accepted simplesamlphp 1.16.2-1 (source all) into unstable (Thijs Kinkhorst)
[2018-09-13] simplesamlphp 1.16.1-1 MIGRATED to testing (Debian testing watch)
[2018-09-07] Accepted simplesamlphp 1.16.1-1 (source all) into unstable (Thijs Kinkhorst)
[2018-09-06] Accepted simplesamlphp 1.16.0-1 (source all) into unstable (Thijs Kinkhorst)
[2018-06-29] Accepted simplesamlphp 1.13.1-2+deb8u2 (source all) into oldstable (Thorsten Alteholz)
[2018-03-23] Accepted simplesamlphp 1.9.2-1+deb7u4 (source all) into oldoldstable (Thijs Kinkhorst)
[2018-03-23] Accepted simplesamlphp 1.9.2-1+deb7u4 (source all) into oldoldstable (Thijs Kinkhorst)
[2018-03-10] Accepted simplesamlphp 1.13.1-2+deb8u1 (source all) into oldstable-proposed-updates->oldstable-new, oldstable-proposed-updates (Thijs Kinkhorst)
[2018-03-05] simplesamlphp 1.15.4-1 MIGRATED to testing (Debian testing watch)
[2018-03-03] Accepted simplesamlphp 1.15.4-1 (source all) into unstable (Thijs Kinkhorst)
[2018-03-02] Accepted simplesamlphp 1.14.11-1+deb9u1 (source all) into proposed-updates->stable-new, proposed-updates (Thijs Kinkhorst)
[2018-03-02] Accepted simplesamlphp 1.9.2-1+deb7u3 (source all) into oldoldstable (Thijs Kinkhorst)
[2018-03-02] Accepted simplesamlphp 1.9.2-1+deb7u3 (source all) into oldoldstable (Thijs Kinkhorst)
[2018-03-02] Accepted simplesamlphp 1.14.11-1+deb9u1 (source all) into stable->embargoed, stable (Thijs Kinkhorst)
[2018-03-02] Accepted simplesamlphp 1.13.1-2+deb8u1 (source all) into oldstable->embargoed, oldstable (Thijs Kinkhorst)
[2018-03-01] simplesamlphp 1.15.3-1 MIGRATED to testing (Debian testing watch)

1
2

bugs [bug history graph]

all: 1
RC: 0
I&N: 0
M&W: 1
F&P: 0
patch: 0

links

homepage
lintian (0, 6)
buildd: logs, clang, reproducibility
popcon
browse source code
edit tags
security tracker
screenshots

ubuntu

[Information about Ubuntu for Debian Developers]

version: 1.17.5-1

Debian Package Tracker — Copyright 2013-2018 The Distro Tracker Developers

Report problems to the tracker.debian.org pseudo-package in the Debian BTS.

Documentation — Bugs — Git Repository — Contributing