|
|
Subscribe / Log in / New account

Debian alert DLA-1408-1 (simplesamlphp)



From:
    	      Thorsten Alteholz <debian@alteholz.de> 


To:
    	      debian-lts-announce@lists.debian.org 


Subject:
    	      [SECURITY] [DLA 1408-1] simplesamlphp security update 


Date:
    	      Fri, 29 Jun 2018 23:05:32 +0200 (CEST)


Message-ID:
    	      <alpine.DEB.2.02.1806292302530.11919@jupiter.server.alteholz.net>


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : simplesamlphp
Version        : 1.13.1-2+deb8u2
CVE ID         : CVE-2017-12868 CVE-2017-12872


CVE-2017-12872 / CVE-2017-12868

     The (1) Htpasswd authentication source in the authcrypt module and (2)
     SimpleSAML_Session class in SimpleSAMLphp 1.14.11 and earlier allow
     remote attackers to conduct timing side-channel attacks by leveraging
     use of the standard comparison operator to compare secret material
     against user input.

     CVE-2017-12868 was a about an improper fix of CVE-2017-12872 in the
     initial patch released by upstream. We have used the correct patch.


For Debian 8 "Jessie", these problems have been fixed in version
1.13.1-2+deb8u2.

We recommend that you upgrade your simplesamlphp packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQJ8BAEBCgBmBQJbNp8cXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ2MjAxRkJGRkRCQkRFMDc4MjJFQUJCOTY5
NkZDQUMwRDM4N0I1ODQ3AAoJEJb8rA04e1hHt/YP/AzBB6nGcpRJWraLor/sZuZu
9Xg2UpugDuY3Dc8pskHQS8jTDh6e/Rny45FOnvSOlG9rZWOEA4EkmEuVqEUmEb/S
gsxmYeqiMMKZLIujMc1v6aO4wL1cto/DaGSBDDoKSYEY8C//HwDRyBy9T3TADPcf
Jb40cNExpCeds2rm/vFrNnL9l/X4ZP0yZI45wpqEce/nbCtYOCgbIog91qrOVTJ6
fNdFNYXgDmzAUGmXnSTlRunOrfN4dujg5cnTxR4v4qErZnVpp01+zLWJYsBxTaNl
x5XotLVaapaVJyT7AZEDg4LoB/ZONW2ZPAHeoy2mX2bDVEBvjitP6ohsmwwKsj9d
7VFAxTguXmBgGwL0bCzySlZMMUsM5+UAnAUxAPr4yigwGLs2Ei5nudhd7FlN6Ggr
VhIshmRVwaQlx2JPjovKKD+8Mnz5qC8UEEPcqiLLzn/UoLEDhLDc0jz4UkOOci5t
dx750JTlVY6x6uI6AQ6vLw9/lTAf0tUjRgJn0gZwWR8impXy+BqLDFk4GnH2g+L8
ww/RAbs4ctA5SVtFjCJPQdnS7gePqctF6gqQw/wLb6u/zuhTpIu7UcIt0Ic8zFzD
ptMe1UrEGQ4cLvtl/d4NO2CtFV0zesZOYYzT9cEeoer2L0IakrkR1+2vkKdXZNjU
ynXvOBHibMD98EwzateT
=/3Ft
-----END PGP SIGNATURE-----
to post comments


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds