LemonLDAP::NG
LEMONLDAP-570

SAML messages signatures are not verified - SECURITY ISSUE

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 1.0, 1.1.0, 1.2.0, 1.2.1, 1.2.2
    • Fix Version/s: 1.2.3
    • Component/s: Portal
    • Labels: None
    • Global Rank: 4267

      Description

      Due to a bad use of the Lasso library, SAML signatures are never checked, even if we force signature check.

      A patch is attached. Anyone using SAML binding in LemonLDAP::NG should apply it quickly and upgrade to 1.2.3 as soon as it is released.

        Activity

        Clément OUDOT
        added a comment -

        Done in r2698

        Clément OUDOT
        added a comment - CVE-2012-6426 See http://seclists.org/oss-sec/2012/q4/490

          People

          • Assignee: Clément OUDOT
          • Reporter: Clément OUDOT
          • Votes: 0
          • Watchers: 1
