group.of.nepali.translators team mailing list archive

[Bug 2103420] Re: Security issue with libsaml12

 

This bug was fixed in the package opensaml - 3.2.1-4.1ubuntu0.24.10.1

---------------
opensaml (3.2.1-4.1ubuntu0.24.10.1) oracular-security; urgency=medium

  * SECURITY UPDATE: CPPOST-126 - Simple signature verification fails to
    detect parameter smuggling (LP: #2103420)
    - debian/patches/lp2103420-forging.patch: address parameter smuggling.
      Patch from upstream commit 22a610b322e2178abd03e97cdbc8fb50b45efaee,
      thanks to Scott Cantor
    - No CVE number

 -- Tom Andrew <tom.andrew@xxxxxxxxxx>  Tue, 18 Mar 2025 16:24:50 +0000

** Changed in: opensaml (Ubuntu Oracular)
       Status: Fix Committed => Fix Released

** Changed in: opensaml (Ubuntu Jammy)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/2103420

Title:
  Security issue with libsaml12

Status in opensaml package in Ubuntu:
  Fix Committed
Status in opensaml2 package in Ubuntu:
  Fix Released
Status in opensaml2 source package in Trusty:
  Invalid
Status in opensaml2 source package in Xenial:
  Fix Released
Status in opensaml2 source package in Bionic:
  Fix Released
Status in opensaml source package in Focal:
  Fix Released
Status in opensaml source package in Jammy:
  Fix Released
Status in opensaml source package in Noble:
  Fix Released
Status in opensaml source package in Oracular:
  Fix Released
Status in opensaml source package in Plucky:
  Fix Committed

Bug description:
  A security issue has been discovered in OpenSAML by Shibboleth.

  Debian has released a new version and this has to be fixed by Ubuntu as
  well.

  From Debian:
  "Alexander Tan discovered that the OpenSAML C++ library was susceptible
  to forging of signed SAML messages. For additional details please refer
  to the upstream advisory at
  https://shibboleth.net/community/advisories/secadv_20250313.txt"

  https://lists.debian.org/debian-security-announce/2025/msg00041.html

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/opensaml/+bug/2103420/+subscriptions