Debian alert DLA-3949-1 (ruby-saml)
| From: | Abhijith PA <abhijith@debian.org> |
| To: | debian-lts-announce@lists.debian.org |
| Subject: | [SECURITY] [DLA 3949-1] ruby-saml security update |
| Date: | Mon, 11 Nov 2024 20:33:35 +0530 |
| Message-ID: | <ZzIcx_320BOI5uJL@debian.org> |
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3949-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                          Abhijith PA
November 11, 2024                             https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : ruby-saml
Version        : 1.11.0-1+deb11u1
CVE ID         : CVE-2024-45409

It was discovered that ruby-saml, a library for implementing the client
side of a SAML authorization, does not properly verify the signature of
the SAML Response. An unauthenticated attacker with access to any SAML
document signed by the IdP can thus forge a SAML Response/Assertion with
arbitrary contents. This would allow the attacker to log in as an
arbitrary user within the vulnerable system.

For Debian 11 bullseye, this problem has been fixed in version
1.11.0-1+deb11u1.

We recommend that you upgrade your ruby-saml packages.

For the detailed security status of ruby-saml please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ruby-saml

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
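A practical follow-up to this advisory is checking whether the ruby-saml package on a bullseye host is still older than the fixed version 1.11.0-1+deb11u1. The Ruby script below is an added example, not Debian's or ruby-saml's own code: it reimplements dpkg's version comparison (epoch, upstream and Debian revision, with dpkg's digit/non-digit alternation and `~` ordering) and runs it over a constructed sample of `dpkg-query -W -f='${Package} ${Version}\n'` output. The sample output, the function names and the `audit` helper are assumptions made for this example.

```ruby
# Added example: decide whether an installed ruby-saml is older than the
# version named as fixed in DLA-3949-1. The comparison follows dpkg's
# algorithm (reimplemented here for illustration, not dpkg's own code).

FIXED_RUBY_SAML_BULLSEYE = "1.11.0-1+deb11u1" # fixed version from the advisory

# dpkg's character ordering: digits count as 0, letters sort by code point,
# '~' sorts before everything (even end of string), other symbols after letters.
def dpkg_order(c)
  return 0 if c.nil? || c =~ /\d/
  return c.ord if c =~ /[A-Za-z]/
  return -1 if c == "~"
  c.ord + 256
end

# Compare one version fragment (upstream part or Debian revision) the way
# dpkg does: alternate non-digit runs (lexical via dpkg_order) and digit
# runs (numeric, leading zeros ignored). Returns -1, 0 or 1.
def dpkg_fragment_cmp(a, b)
  i = j = 0
  while i < a.length || j < b.length
    first_diff = 0
    while (i < a.length && a[i] !~ /\d/) || (j < b.length && b[j] !~ /\d/)
      ac = dpkg_order(a[i])
      bc = dpkg_order(b[j])
      return ac <=> bc if ac != bc
      i += 1
      j += 1
    end
    i += 1 while i < a.length && a[i] == "0"
    j += 1 while j < b.length && b[j] == "0"
    while i < a.length && a[i] =~ /\d/ && j < b.length && b[j] =~ /\d/
      first_diff = a[i].ord - b[j].ord if first_diff.zero?
      i += 1
      j += 1
    end
    return 1 if i < a.length && a[i] =~ /\d/   # a has more digits: larger
    return -1 if j < b.length && b[j] =~ /\d/  # b has more digits: larger
    return first_diff <=> 0 if first_diff != 0
  end
  0
end

# Split "[epoch:]upstream[-revision]" into its three parts.
def dpkg_split(version)
  epoch, rest = version.include?(":") ? version.split(":", 2) : ["0", version]
  if rest.include?("-")
    cut = rest.rindex("-")
    [epoch.to_i, rest[0...cut], rest[cut + 1..]]
  else
    [epoch.to_i, rest, ""]
  end
end

def dpkg_version_cmp(a, b)
  ea, ua, ra = dpkg_split(a)
  eb, ub, rb = dpkg_split(b)
  return ea <=> eb if ea != eb
  c = dpkg_fragment_cmp(ua, ub)
  return c if c != 0
  dpkg_fragment_cmp(ra, rb)
end

# True when the installed version sorts before the fixed one.
def vulnerable?(installed, fixed = FIXED_RUBY_SAML_BULLSEYE)
  dpkg_version_cmp(installed, fixed) < 0
end

# Constructed sample of dpkg-query output; not taken from any real host.
SAMPLE_DPKG_QUERY = <<~OUT
  ruby-saml 1.11.0-1
  ruby-nokogiri 1.11.1+dfsg-2
OUT

# Walk "package version" lines and report the status of the package of interest.
def audit(dpkg_output, package: "ruby-saml", fixed: FIXED_RUBY_SAML_BULLSEYE)
  dpkg_output.each_line.filter_map do |line|
    name, version = line.split
    next unless name == package
    { package: name, installed: version, fixed: fixed,
      vulnerable: vulnerable?(version, fixed) }
  end
end

if __FILE__ == $0
  audit(SAMPLE_DPKG_QUERY).each { |r| puts r.inspect }
end
```

On a real host the sample string would be replaced by the output of `dpkg-query -W -f='${Package} ${Version}\n' ruby-saml`; the comparison logic is the part worth keeping, since the `+deb11u1` suffix only sorts correctly when the revision is compared with dpkg's rules rather than as a plain string or a RubyGems version.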
