mahara-contributors team mailing list archive

[Bug 1851418] Re: Security upgrade simplesamlphp to 1.17.7

 

** Information type changed from Private Security to Public Security

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-3465

https://bugs.launchpad.net/bugs/1851418

Title:
  Security upgrade simplesamlphp to 1.17.7

Status in Mahara:
  Fix Committed
Status in Mahara 18.10 series:
  Fix Released
Status in Mahara 19.04 series:
  Fix Released
Status in Mahara 19.10 series:
  Fix Released
Status in Mahara 20.04 series:
  Fix Committed

Bug description:
  From the folks at simplesamlphp:

  "We have been made aware of a security issue affecting all SimpleSAMLphp
  instances deployed as a service provider (basically, using SimpleSAMLphp
  to protect access to your application). This issue has been deemed
  critical, and will therefore need an urgent update. We will be releasing
  SimpleSAMLphp 1.17.7 during next Wednesday the 6th of November, at a
  time yet to be determined. We urge all SimpleSAMLphp users to make sure
  they are running the current stable version, so that upgrading to the
  new release doesn’t have any side effects, and to be prepared to upgrade
  their deployments as soon as the new stable release is published.

  The details of the issue are embargoed for the time being, but will be
  made public after the bugfix release has been published. CVE 2019-3465
  has been assigned to this issue."

  Our sites are currently on 1.17.6, so the upgrade should be fairly
  painless.
