UbuntuUpdates.org

Package "python-pysaml2"

Name: python-pysaml2

Description: SAML Version 2 to be used in a WSGI environment - Python 2.x

Latest version: 4.0.2-0ubuntu3.2
Release: bionic (18.04)
Level: security
Repository: main
Homepage: https://github.com/rohe/pysaml2

Other versions of "python-pysaml2" in Bionic

Repository  Area      Version
base        main      4.0.2-0ubuntu3
base        universe  4.0.2-0ubuntu3
security    universe  4.0.2-0ubuntu3.2
updates     main      4.0.2-0ubuntu3.2
updates     universe  4.0.2-0ubuntu3.2

Changelog

Version: 4.0.2-0ubuntu3.2 2021-09-08 13:06:37 UTC

  python-pysaml2 (4.0.2-0ubuntu3.2) bionic-security; urgency=medium

  * SECURITY UPDATE: improper verification of cryptographic signature
    - debian/patches/CVE-2021-21239.patch: restrict the key data that
      xmlsec1 accepts to only x509 certs in src/saml2/sigver.py,
      tests/test_xmlsec1_key_data.py,
      tests/xmlsec1-keydata/signed-assertion-random-embedded-cert.xml,
      tests/xmlsec1-keydata/signed-assertion-with-hmac.xml,
      tests/xmlsec1-keydata/signed-response-with-hmac.xml.
    - CVE-2021-21239
  * debian/patches/update-test-metadata-expiration.patch: update test
    metadata expiration date in tests/metadata.aaitest.xml.
  * debian/patches/update-test-metadata-expiration-2.patch: allow tests to
    pass after 2020 in tests/InCommon-metadata.xml, tests/metadata.xml,
    tests/swamid-2.0.xml, tests/vo_metadata.xml.

 -- Marc Deslauriers <email address hidden> Tue, 22 Jun 2021 11:16:50 -0400

CVE-2021-21239 PySAML2 is a pure python implementation of SAML Version 2 Standard. PySAML2 before 6.5.0 has an improper verification of cryptographic signature vuln

Version: 4.0.2-0ubuntu3.1 2020-01-21 18:07:19 UTC

  python-pysaml2 (4.0.2-0ubuntu3.1) bionic-security; urgency=medium

  * SECURITY UPDATE: Signature in SAML doc not checked properly
    - debian/patches/CVE-2020-5390.patch: fix XML signature wrapping
      (XSW) in src/saml2/sigver.py, tests/saml2_response_xsw.xml,
      tests/test_xsw.py.
    - CVE-2020-5390
  * Fixing test_41_response
    - debian/patches/Fix-test-41-that-now-depend-on-acual-datetime.patch:
      Fix test that depended on actual datetime in tests/test_41_response.py.

 -- <email address hidden> (Leonidas S. Barbosa) Mon, 20 Jan 2020 16:05:35 -0300

CVE-2020-5390 PySAML2 before 5.0.0 does not check that the signature in a SAML document is enveloped and thus signature wrapping is effective, i.e., it is affected


