Acknowledgement sent
to Ferenc Wágner <wferi@debian.org>:
New Bug report received and forwarded. Copy sent to Debian Shib Team <pkg-shibboleth-devel@alioth-lists.debian.net>.
(Mon, 26 Apr 2021 13:21:04 GMT) (full text, mbox, link).
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: shibboleth-sp: Session recovery feature contains a null pointer dereference
Date: Mon, 26 Apr 2021 15:16:14 +0200
Source: shibboleth-sp
Version: 3.0.2+dfsg1-1
Severity: important
Tags: upstream patch security
Forwarded: https://issues.shibboleth.net/jira/browse/SSPCPP-927
Shibboleth Service Provider Security Advisory [26 April 2021]
An updated version of the Service Provider software is now
available which corrects a denial of service vulnerability.
Session recovery feature contains a null pointer dereference
======================================================================
The cookie-based session recovery feature added in V3.0 contains a
flaw that is exploitable on systems *not* using the feature if a
specially crafted cookie is supplied.
This manifests as a crash in the shibd daemon/service process.
Because it is very simple to trigger this condition remotely, it
results in a potential denial of service condition exploitable by
a remote, unauthenticated attacker.
Versions without this feature (prior to V3.0) are not vulnerable
to this particular issue.
Recommendations
===============
Update to V3.2.2 or later of the Service Provider software, which
is now available.
In cases where this is not immediately possible, configuring a
DataSealer component in shibboleth2.xml (even if used for nothing)
will work around the vulnerability.
For example:
<DataSealer type="Static" key="4Sn0Wi6BXqQLCg+GQqY6bg==" />
This workaround is only possible after having updated the
core configuration to the V3 XML namespace.
Other Notes
===========
The cpp-sp git commit containing the fix for this issue is
5a47c3b9378f4c49392dd4d15189b70956f9f2ec
URL for this Security Advisory:
https://shibboleth.net/community/advisories/secadv_20210426.txt
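The advisory describes a crash when a recovery cookie arrives on a deployment that never configured a DataSealer, and the Debian patch name ("Check for missing DataSealer during cookie recovery") states the fix's intent. The following is an added C++ illustration, not cpp-sp code: DataSealer, Application and the two recoverSession* functions are hypothetical stand-ins, and the "sealed:" cookie prefix is a constructed sample format.

```cpp
#include <optional>
#include <string>

// Hypothetical stand-in for the SP's DataSealer (not cpp-sp code): a toy
// "unwrap" that only accepts values carrying a constructed "sealed:" prefix.
struct DataSealer {
    std::optional<std::string> unwrap(const std::string& sealed) const {
        const std::string tag = "sealed:";
        if (sealed.compare(0, tag.size(), tag) != 0) return std::nullopt; // foreign cookie
        return sealed.substr(tag.size());
    }
};

// Hypothetical application object: sealer is nullptr when shibboleth2.xml
// configures no <DataSealer>, the usual state on deployments that never
// enabled session recovery (the advisory's "systems not using the feature").
struct Application {
    const DataSealer* sealer = nullptr;
};

// Vulnerable shape (illustrative, never called below): the recovery cookie is
// handled by dereferencing the sealer unconditionally, so on a deployment
// without a sealer any recovery cookie dereferences nullptr and shibd dies.
std::optional<std::string> recoverSessionUnchecked(const Application& app, const std::string& cookie) {
    return app.sealer->unwrap(cookie);
}

// Hardened shape mirroring the fix's intent: with no sealer configured the
// recovery feature is off, so the cookie is ignored rather than decoded.
std::optional<std::string> recoverSessionChecked(const Application& app, const std::string& cookie) {
    if (!app.sealer || cookie.empty()) return std::nullopt;
    return app.sealer->unwrap(cookie);
}

// Exercises both deployment states; returns true when the checked path
// tolerates a missing sealer and still recovers once a sealer is configured.
bool demo() {
    const std::string crafted = "sealed:session-id-123"; // constructed sample cookie
    Application bare;                                    // no DataSealer configured
    DataSealer sealer;
    Application configured;
    configured.sealer = &sealer;                         // the advisory's workaround state
    bool tolerated = !recoverSessionChecked(bare, crafted).has_value();
    auto got = recoverSessionChecked(configured, crafted);
    return tolerated && got.has_value() && *got == "session-id-123";
}
```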
Marked as found in versions shibboleth-sp/3.0.4+dfsg1-1+deb10u1.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Mon, 26 Apr 2021 15:21:23 GMT) (full text, mbox, link).
Marked as found in versions shibboleth-sp/3.0.4+dfsg1-1.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Mon, 26 Apr 2021 15:21:23 GMT) (full text, mbox, link).
Marked as found in versions shibboleth-sp/3.2.1+dfsg1-1.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Mon, 26 Apr 2021 15:21:24 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Shib Team <pkg-shibboleth-devel@alioth-lists.debian.net>: Bug#987608; Package src:shibboleth-sp.
(Mon, 26 Apr 2021 19:21:06 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Shib Team <pkg-shibboleth-devel@alioth-lists.debian.net>.
(Mon, 26 Apr 2021 19:21:06 GMT) (full text, mbox, link).
Hi Ferenc,
On Mon, Apr 26, 2021 at 03:16:14PM +0200, Ferenc Wágner wrote:
> Source: shibboleth-sp
> Version: 3.0.2+dfsg1-1
> Severity: important
> Tags: upstream patch security
> Forwarded: https://issues.shibboleth.net/jira/browse/SSPCPP-927
>
> Shibboleth Service Provider Security Advisory [26 April 2021]
>
> An updated version of the Service Provider software is now
> available which corrects a denial of service vulnerability.
>
> Session recovery feature contains a null pointer dereference
> ======================================================================
> The cookie-based session recovery feature added in V3.0 contains a
> flaw that is exploitable on systems *not* using the feature if a
> specially crafted cookie is supplied.
>
> This manifests as a crash in the shibd daemon/service process.
>
> Because it is very simple to trigger this condition remotely, it
> results in a potential denial of service condition exploitable by
> a remote, unauthenticated attacker.
>
> Versions without this feature (prior to V3.0) are not vulnerable
> to this particular issue.
>
> Recommendations
> ===============
> Update to V3.2.2 or later of the Service Provider software, which
> is now available.
>
> In cases where this is not immediately possible, configuring a
> DataSealer component in shibboleth2.xml (even if used for nothing)
> will work around the vulnerability.
>
> For example:
>
> <DataSealer type="Static" key="4Sn0Wi6BXqQLCg+GQqY6bg==" />
>
> This workaround is only possible after having updated the
> core configuration to the V3 XML namespace.
>
> Other Notes
> ===========
> The cpp-sp git commit containing the fix for this issue is
> 5a47c3b9378f4c49392dd4d15189b70956f9f2ec
>
>
> URL for this Security Advisory:
> https://shibboleth.net/community/advisories/secadv_20210426.txt
Raising the severity to RC as I think this should go into bullseye and
the fix is targeted possible. Let me know, though, if you disagree on
this.
Regards,
Salvatore
Severity set to 'grave' from 'important'
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Mon, 26 Apr 2021 19:21:08 GMT) (full text, mbox, link).
Added tag(s) fixed-upstream.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Mon, 26 Apr 2021 19:21:09 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Shib Team <pkg-shibboleth-devel@alioth-lists.debian.net>: Bug#987608; Package src:shibboleth-sp.
(Tue, 27 Apr 2021 05:15:02 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Shib Team <pkg-shibboleth-devel@alioth-lists.debian.net>.
(Tue, 27 Apr 2021 05:15:02 GMT) (full text, mbox, link).
Control: retitle -1 shibboleth-sp: CVE-2021-31826: Session recovery feature contains a null pointer deference
Hi,
On Mon, Apr 26, 2021 at 03:16:14PM +0200, Ferenc Wágner wrote:
> Source: shibboleth-sp
> Version: 3.0.2+dfsg1-1
> Severity: important
> Tags: upstream patch security
> Forwarded: https://issues.shibboleth.net/jira/browse/SSPCPP-927
>
> Shibboleth Service Provider Security Advisory [26 April 2021]
>
> An updated version of the Service Provider software is now
> available which corrects a denial of service vulnerability.
>
> Session recovery feature contains a null pointer dereference
> ======================================================================
> The cookie-based session recovery feature added in V3.0 contains a
> flaw that is exploitable on systems *not* using the feature if a
> specially crafted cookie is supplied.
>
> This manifests as a crash in the shibd daemon/service process.
>
> Because it is very simple to trigger this condition remotely, it
> results in a potential denial of service condition exploitable by
> a remote, unauthenticated attacker.
>
> Versions without this feature (prior to V3.0) are not vulnerable
> to this particular issue.
>
> Recommendations
> ===============
> Update to V3.2.2 or later of the Service Provider software, which
> is now available.
>
> In cases where this is not immediately possible, configuring a
> DataSealer component in shibboleth2.xml (even if used for nothing)
> will work around the vulnerability.
>
> For example:
>
> <DataSealer type="Static" key="4Sn0Wi6BXqQLCg+GQqY6bg==" />
>
> This workaround is only possible after having updated the
> core configuration to the V3 XML namespace.
>
> Other Notes
> ===========
> The cpp-sp git commit containing the fix for this issue is
> 5a47c3b9378f4c49392dd4d15189b70956f9f2ec
MITRE has assigned CVE-2021-31826 for this issue.
Regards,
Salvatore
Changed Bug title to 'shibboleth-sp: CVE-2021-31826: Session recovery feature contains a null pointer deference' from 'shibboleth-sp: Session recovery feature contains a null pointer deference'.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to 987608-submit@bugs.debian.org.
(Tue, 27 Apr 2021 05:15:02 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Shib Team <pkg-shibboleth-devel@alioth-lists.debian.net>: Bug#987608; Package src:shibboleth-sp.
(Tue, 27 Apr 2021 06:21:03 GMT) (full text, mbox, link).
Acknowledgement sent
to wferi@debian.org:
Extra info received and forwarded to list. Copy sent to Debian Shib Team <pkg-shibboleth-devel@alioth-lists.debian.net>.
(Tue, 27 Apr 2021 06:21:03 GMT) (full text, mbox, link).
Salvatore Bonaccorso <carnil@debian.org> writes:
> MITRE has assigned CVE-2021-31826 for this issue.
Thanks. I guess you don't want a new security upload for this, but I'll
certainly include it in the changelog of the unstable upload. (And in
the changelog of the next security upload, whenever that happens.)
--
Feri
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Shib Team <pkg-shibboleth-devel@alioth-lists.debian.net>: Bug#987608; Package src:shibboleth-sp.
(Tue, 27 Apr 2021 06:48:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Shib Team <pkg-shibboleth-devel@alioth-lists.debian.net>.
(Tue, 27 Apr 2021 06:48:03 GMT) (full text, mbox, link).
Hi
On Tue, Apr 27, 2021 at 08:16:52AM +0200, wferi@debian.org wrote:
> Salvatore Bonaccorso <carnil@debian.org> writes:
>
> > MITRE has assigned CVE-2021-31826 for this issue.
>
> Thanks. I guess you don't want a new security upload for this, but I'll
> certainly include it in the changelog of the unstable upload. (And in
> the changelog of the next security upload, whenever that happens.)
Yes, exactly: there is no need to reject the package and reupload with
the CVE identifier added; it is all fine as it is so far, we will
just add it to the DSA itself.
So all fine.
Regards,
Salvatore
Reply sent
to Ferenc Wágner <wferi@debian.org>:
You have taken responsibility.
(Wed, 28 Apr 2021 20:21:04 GMT) (full text, mbox, link).
Notification sent
to Ferenc Wágner <wferi@debian.org>:
Bug acknowledged by developer.
(Wed, 28 Apr 2021 20:21:04 GMT) (full text, mbox, link).
Subject: Bug#987608: fixed in shibboleth-sp 3.2.2+dfsg1-1
Date: Wed, 28 Apr 2021 20:19:04 +0000
Source: shibboleth-sp
Source-Version: 3.2.2+dfsg1-1
Done: Ferenc Wágner <wferi@debian.org>
We believe that the bug you reported is fixed in the latest version of
shibboleth-sp, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 987608@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Ferenc Wágner <wferi@debian.org> (supplier of updated shibboleth-sp package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 27 Apr 2021 12:11:06 +0200
Source: shibboleth-sp
Architecture: source
Version: 3.2.2+dfsg1-1
Distribution: unstable
Urgency: high
Maintainer: Debian Shib Team <pkg-shibboleth-devel@alioth-lists.debian.net>
Changed-By: Ferenc Wágner <wferi@debian.org>
Closes: 987608
Changes:
shibboleth-sp (3.2.2+dfsg1-1) unstable; urgency=high
.
* [e44283d] New upstream release: 3.2.2
High urgency because it fixes CVE-2021-31826:
Session recovery feature contains a null pointer dereference
The cookie-based session recovery feature added in V3.0 contains a
flaw that is exploitable on systems *not* using the feature if a
specially crafted cookie is supplied.
This manifests as a crash in the shibd daemon.
Because it is very simple to trigger this condition remotely, it
results in a potential denial of service condition exploitable by
a remote, unauthenticated attacker.
Thanks to Scott Cantor (Closes: #987608)
* [3a6ac33] Refresh our patches
Reply sent
to Ferenc Wágner <wferi@debian.org>:
You have taken responsibility.
(Fri, 30 Apr 2021 16:51:06 GMT) (full text, mbox, link).
Notification sent
to Ferenc Wágner <wferi@debian.org>:
Bug acknowledged by developer.
(Fri, 30 Apr 2021 16:51:06 GMT) (full text, mbox, link).
Subject: Bug#987608: fixed in shibboleth-sp 3.0.4+dfsg1-1+deb10u2
Date: Fri, 30 Apr 2021 16:47:41 +0000
Source: shibboleth-sp
Source-Version: 3.0.4+dfsg1-1+deb10u2
Done: Ferenc Wágner <wferi@debian.org>
We believe that the bug you reported is fixed in the latest version of
shibboleth-sp, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 987608@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Ferenc Wágner <wferi@debian.org> (supplier of updated shibboleth-sp package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 26 Apr 2021 15:37:15 +0200
Source: shibboleth-sp
Architecture: source
Version: 3.0.4+dfsg1-1+deb10u2
Distribution: buster-security
Urgency: high
Maintainer: Debian Shib Team <pkg-shibboleth-devel@lists.alioth.debian.org>
Changed-By: Ferenc Wágner <wferi@debian.org>
Closes: 987608
Changes:
shibboleth-sp (3.0.4+dfsg1-1+deb10u2) buster-security; urgency=high
.
* [2dd45b3] New patch: SSPCPP-927 - Check for missing DataSealer during
cookie recovery.
Fix a denial of service vulnerability: Session recovery feature contains
a null pointer dereference
The cookie-based session recovery feature added in V3.0 contains a
flaw that is exploitable on systems *not* using the feature if a
specially crafted cookie is supplied.
This manifests as a crash in the shibd daemon.
Because it is very simple to trigger this condition remotely, it
results in a potential denial of service condition exploitable by
a remote, unauthenticated attacker.
Thanks to Scott Cantor (Closes: #987608)
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sun, 20 Jun 2021 07:24:48 GMT) (full text, mbox, link).