Register | Log in

ruby-saml

SAML toolkit for Ruby on Rails

Choose email to subscribe with

general

source: ruby-saml (main)
version: 1.17.0-1
maintainer: Debian Ruby Team (archive) (DMD)
uploaders: Pirate Praveen [DMD]
arch: all
std-ver: 4.7.0
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 1.7.2-1
oldstable: 1.11.0-1
old-sec: 1.11.0-1+deb11u1
stable: 1.13.0-1+deb12u1
stable-sec: 1.13.0-1+deb12u1
testing: 1.17.0-1
unstable: 1.17.0-1

versioned links

1.7.2-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.11.0-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.11.0-1+deb11u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.13.0-1+deb12u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.17.0-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

ruby-saml

action needed

Marked for autoremoval on 26 April: #1100441 high

Version 1.17.0-1 of ruby-saml is marked for autoremoval from testing on Sat 26 Apr 2025. It is affected by #1100441. The removal of ruby-saml will also cause the removal of (transitive) reverse dependency: ruby-faker. You should try to prevent the removal by fixing these RC bugs.

Created: 2025-03-21 Last update: 2025-03-24 10:58

A new upstream version is available: 1.18.0 high

A new upstream version 1.18.0 is available, you should consider packaging it.

Created: 2025-03-16 Last update: 2025-03-24 07:01

3 security issues in trixie high

There are 3 open security issues in trixie.

3 important issues:

CVE-2025-25291: ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. An authentication bypass vulnerability was found in ruby-saml prior to versions 1.12.4 and 1.18.0 due to a parser differential. ReXML and Nokogiri parse XML differently; the parsers can generate entirely different document structures from the same XML input. That allows an attacker to be able to execute a Signature Wrapping attack. This issue may lead to authentication bypass. Versions 1.12.4 and 1.18.0 fix the issue.
CVE-2025-25292: ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. An authentication bypass vulnerability was found in ruby-saml prior to versions 1.12.4 and 1.18.0 due to a parser differential. ReXML and Nokogiri parse XML differently, the parsers can generate entirely different document structures from the same XML input. That allows an attacker to be able to execute a Signature Wrapping attack. This issue may lead to authentication bypass. Versions 1.12.4 and 1.18.0 contain a patch for the issue.
CVE-2025-25293: ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. Prior to versions 1.12.4 and 1.18.0, ruby-saml is susceptible to remote Denial of Service (DoS) with compressed SAML responses. ruby-saml uses zlib to decompress SAML responses in case they're compressed. It is possible to bypass the message size check with a compressed assertion since the message size is checked before inflation and not after. This issue may lead to remote Denial of Service (DoS). Versions 1.12.4 and 1.18.0 fix the issue.

Created: 2025-03-13 Last update: 2025-03-14 00:30

3 security issues in sid high

There are 3 open security issues in sid.

3 important issues:

CVE-2025-25291: ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. An authentication bypass vulnerability was found in ruby-saml prior to versions 1.12.4 and 1.18.0 due to a parser differential. ReXML and Nokogiri parse XML differently; the parsers can generate entirely different document structures from the same XML input. That allows an attacker to be able to execute a Signature Wrapping attack. This issue may lead to authentication bypass. Versions 1.12.4 and 1.18.0 fix the issue.
CVE-2025-25292: ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. An authentication bypass vulnerability was found in ruby-saml prior to versions 1.12.4 and 1.18.0 due to a parser differential. ReXML and Nokogiri parse XML differently, the parsers can generate entirely different document structures from the same XML input. That allows an attacker to be able to execute a Signature Wrapping attack. This issue may lead to authentication bypass. Versions 1.12.4 and 1.18.0 contain a patch for the issue.
CVE-2025-25293: ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. Prior to versions 1.12.4 and 1.18.0, ruby-saml is susceptible to remote Denial of Service (DoS) with compressed SAML responses. ruby-saml uses zlib to decompress SAML responses in case they're compressed. It is possible to bypass the message size check with a compressed assertion since the message size is checked before inflation and not after. This issue may lead to remote Denial of Service (DoS). Versions 1.12.4 and 1.18.0 fix the issue.

Created: 2025-03-13 Last update: 2025-03-14 00:30

3 security issues in bullseye high

There are 3 open security issues in bullseye.

3 important issues:

CVE-2025-25291: ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. An authentication bypass vulnerability was found in ruby-saml prior to versions 1.12.4 and 1.18.0 due to a parser differential. ReXML and Nokogiri parse XML differently; the parsers can generate entirely different document structures from the same XML input. That allows an attacker to be able to execute a Signature Wrapping attack. This issue may lead to authentication bypass. Versions 1.12.4 and 1.18.0 fix the issue.
CVE-2025-25292: ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. An authentication bypass vulnerability was found in ruby-saml prior to versions 1.12.4 and 1.18.0 due to a parser differential. ReXML and Nokogiri parse XML differently, the parsers can generate entirely different document structures from the same XML input. That allows an attacker to be able to execute a Signature Wrapping attack. This issue may lead to authentication bypass. Versions 1.12.4 and 1.18.0 contain a patch for the issue.
CVE-2025-25293: ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. Prior to versions 1.12.4 and 1.18.0, ruby-saml is susceptible to remote Denial of Service (DoS) with compressed SAML responses. ruby-saml uses zlib to decompress SAML responses in case they're compressed. It is possible to bypass the message size check with a compressed assertion since the message size is checked before inflation and not after. This issue may lead to remote Denial of Service (DoS). Versions 1.12.4 and 1.18.0 fix the issue.

Created: 2025-03-13 Last update: 2025-03-14 00:30

3 security issues in bookworm high

There are 3 open security issues in bookworm.

3 important issues:

CVE-2025-25291: ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. An authentication bypass vulnerability was found in ruby-saml prior to versions 1.12.4 and 1.18.0 due to a parser differential. ReXML and Nokogiri parse XML differently; the parsers can generate entirely different document structures from the same XML input. That allows an attacker to be able to execute a Signature Wrapping attack. This issue may lead to authentication bypass. Versions 1.12.4 and 1.18.0 fix the issue.
CVE-2025-25292: ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. An authentication bypass vulnerability was found in ruby-saml prior to versions 1.12.4 and 1.18.0 due to a parser differential. ReXML and Nokogiri parse XML differently, the parsers can generate entirely different document structures from the same XML input. That allows an attacker to be able to execute a Signature Wrapping attack. This issue may lead to authentication bypass. Versions 1.12.4 and 1.18.0 contain a patch for the issue.
CVE-2025-25293: ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. Prior to versions 1.12.4 and 1.18.0, ruby-saml is susceptible to remote Denial of Service (DoS) with compressed SAML responses. ruby-saml uses zlib to decompress SAML responses in case they're compressed. It is possible to bypass the message size check with a compressed assertion since the message size is checked before inflation and not after. This issue may lead to remote Denial of Service (DoS). Versions 1.12.4 and 1.18.0 fix the issue.

Created: 2025-03-13 Last update: 2025-03-14 00:30

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.7.2 instead of 4.7.0).

Created: 2025-02-21 Last update: 2025-02-27 13:25

news

[2024-11-11] Accepted ruby-saml 1.11.0-1+deb11u1 (source all) into oldstable-security (Abhijith PA)
[2024-10-13] ruby-saml 1.17.0-1 MIGRATED to testing (Debian testing watch)
[2024-10-11] Accepted ruby-saml 1.17.0-1 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2024-09-28] Accepted ruby-saml 1.13.0-1+deb12u1 (source) into proposed-updates (Debian FTP Masters) (signed by: Salvatore Bonaccorso)
[2024-09-20] Accepted ruby-saml 1.13.0-1+deb12u1 (source) into stable-security (Debian FTP Masters) (signed by: Salvatore Bonaccorso)
[2023-07-18] ruby-saml 1.15.0-1 MIGRATED to testing (Debian testing watch)
[2023-07-14] Accepted ruby-saml 1.15.0-1 (source) into unstable (Mohammed Bilal)
[2021-10-29] ruby-saml 1.13.0-1 MIGRATED to testing (Debian testing watch)
[2021-10-26] Accepted ruby-saml 1.13.0-1 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2021-08-30] ruby-saml 1.12.2-2 MIGRATED to testing (Debian testing watch)
[2021-08-30] ruby-saml 1.12.2-2 MIGRATED to testing (Debian testing watch)
[2021-08-28] Accepted ruby-saml 1.12.2-2 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2021-04-15] Accepted ruby-saml 1.12.2-1 (source) into experimental (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2019-09-09] ruby-saml 1.11.0-1 MIGRATED to testing (Debian testing watch)
[2019-09-06] Accepted ruby-saml 1.11.0-1 (source) into unstable (Cédric Boutillier)
[2018-05-15] Accepted ruby-saml 1.7.2-1~bpo9+1 (source all) into stretch-backports, stretch-backports (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2018-03-23] ruby-saml 1.7.2-1 MIGRATED to testing (Debian testing watch)
[2018-03-18] Accepted ruby-saml 1.7.2-1 (source) into unstable (Cédric Boutillier)
[2016-11-05] ruby-saml 1.4.1-1 MIGRATED to testing (Debian testing watch)
[2016-10-30] Accepted ruby-saml 1.4.1-1 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2016-07-17] ruby-saml 1.3.0-1 MIGRATED to testing (Debian testing watch)
[2016-07-10] Accepted ruby-saml 1.3.0-1 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2016-03-23] ruby-saml 1.1.2-1 MIGRATED to testing (Debian testing watch)
[2016-03-15] Accepted ruby-saml 1.1.2-1 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2015-09-30] ruby-saml 1.0.0-1 MIGRATED to testing (Britney)
[2015-09-24] Accepted ruby-saml 1.0.0-1 (source all) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2015-09-08] ruby-saml 0.9.2-1 MIGRATED to testing (Britney)
[2015-09-02] Accepted ruby-saml 0.9.2-1 (source all) into unstable, unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)

bugs [bug history graph]

all: 1
RC: 1
I&N: 0
M&W: 0
F&P: 0
patch: 0

links

homepage
lintian
buildd: logs, reproducibility
popcon
browse source code
edit tags
other distros
security tracker
screenshots
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 1.17.0-1

Debian Package Tracker — Copyright 2013-2025 The Distro Tracker Developers

Report problems to the tracker.debian.org pseudo-package in the Debian BTS.

Documentation — Bugs — Git Repository — Contributing