
inc-ops-notifications - [InCommon NOTICE] SimpleSAMLphp Critical & Medium severity security updates

Subject: InCommon Operations Notifications

  • From: Shannon Roddy <>
  • To:
  • Subject: [InCommon NOTICE] SimpleSAMLphp Critical & Medium severity security updates
  • Date: Mon, 5 Mar 2018 17:30:22 -0500

SimpleSAMLphp have released critical and medium severity updates. We
are sending this notification to raise awareness of these updates.

https://simplesamlphp.org/security/201802-01
https://simplesamlphp.org/security/201803-01

From 201802-01: "When SimpleSAMLphp is installed as a Service Provider,
attackers may manually craft a SAML2 assertion to their complete will,
including altering, adding or removing attributes, changing the subject
of the assertion, specifying higher levels of assurance in the
authentication context, etc. The only requirement for that is the public
key of the Identity Provider being impersonated. The Service Provider
will validate the signature as legitimate, and assume the assertion
comes from the Identity Provider and corresponds to a legitimate user
that has been properly authenticated."

We encourage prompt attention to any instances of SimpleSAMLphp not
already at the latest version due to the critical severity of this update.

Thank you,
Shannon Roddy
Security Lead, Trust & Identity

