SAML messages signatures are not verified - SECURITY ISSUE

Details

  • Type: Bug Bug
  • Status: Closed Closed
  • Priority: Critical Critical
  • Resolution: Fixed
  • Affects Version/s: 1.0, 1.1.0, 1.2.0, 1.2.1, 1.2.2
  • Fix Version/s: 1.2.3
  • Component/s: Portal
  • Labels:
    None
  • Global Rank:
    4268

Description

Due to a bad use of Lasso library, SAML signatures are never checked, even if we force signature check.

A patch is attached. Anyone using SAML binding in LemonLDAP::NG should apply it quick and upgrade to 1.2.3 as soon as it will be released.

Activity

Ascending order - Click to sort in descending order
Hide
Permalink
Clément OUDOT added a comment -

Done in r2698

Show
Clément OUDOT added a comment - Done in r2698
Hide
Permalink
Clément OUDOT added a comment -

CVE-2012-6426

See http://seclists.org/oss-sec/2012/q4/490

Show
Clément OUDOT added a comment - CVE-2012-6426 See http://seclists.org/oss-sec/2012/q4/490

People

  • Assignee:
    Clément OUDOT
    Reporter:
    Clément OUDOT
Vote (0)
Watch (1)

Dates

  • Created:
    Updated:
    Resolved: