ipsilon security update

2016-11-2516:47:14

CentOS Project

lists.centos.org

9.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

6.4 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:N/A:P

0.008 Low

EPSS

Percentile

81.8%

JSON

CentOS Errata and Security Advisory CESA-2016:2809

The ipsilon packages provide the Ipsilon identity provider service for federated single sign-on (SSO). Ipsilon links authentication providers and applications or utilities to allow for SSO. It includes a server and utilities to configure Apache-based service providers.

Security Fix(es):

A vulnerability was found in ipsilon in the SAML2 provider’s handling of sessions. An attacker able to hit the logout URL could determine what service providers other users are logged in to and terminate their sessions. (CVE-2016-8638)

This issue was discovered by Patrick Uiterwijk (Red Hat) and Howard Johnson.

Merged security bulletin from advisories:
https://lists.centos.org/pipermail/centos-cr-announce/2016-November/029947.html

Affected packages:
ipsilon
ipsilon-authform
ipsilon-authgssapi
ipsilon-authldap
ipsilon-base
ipsilon-client
ipsilon-filesystem
ipsilon-infosssd
ipsilon-persona
ipsilon-saml2
ipsilon-saml2-base
ipsilon-tools-ipa

Upstream details at:
https://access.redhat.com/errata/RHSA-2016:2809

OSVersionArchitecturePackageVersionFilename
CentOS7noarchipsilon< 1.0.0-13.el7_3ipsilon-1.0.0-13.el7_3.noarch.rpm
CentOS7noarchipsilon-authform< 1.0.0-13.el7_3ipsilon-authform-1.0.0-13.el7_3.noarch.rpm
CentOS7noarchipsilon-authgssapi< 1.0.0-13.el7_3ipsilon-authgssapi-1.0.0-13.el7_3.noarch.rpm
CentOS7noarchipsilon-authldap< 1.0.0-13.el7_3ipsilon-authldap-1.0.0-13.el7_3.noarch.rpm
CentOS7noarchipsilon-base< 1.0.0-13.el7_3ipsilon-base-1.0.0-13.el7_3.noarch.rpm
CentOS7noarchipsilon-client< 1.0.0-13.el7_3ipsilon-client-1.0.0-13.el7_3.noarch.rpm
CentOS7noarchipsilon-filesystem< 1.0.0-13.el7_3ipsilon-filesystem-1.0.0-13.el7_3.noarch.rpm
CentOS7noarchipsilon-infosssd< 1.0.0-13.el7_3ipsilon-infosssd-1.0.0-13.el7_3.noarch.rpm
CentOS7noarchipsilon-persona< 1.0.0-13.el7_3ipsilon-persona-1.0.0-13.el7_3.noarch.rpm
CentOS7noarchipsilon-saml2< 1.0.0-13.el7_3ipsilon-saml2-1.0.0-13.el7_3.noarch.rpm

OS	Version	Architecture	Package	Version	Filename
CentOS	7	noarch	ipsilon	< 1.0.0-13.el7_3	ipsilon-1.0.0-13.el7_3.noarch.rpm
CentOS	7	noarch	ipsilon-authform	< 1.0.0-13.el7_3	ipsilon-authform-1.0.0-13.el7_3.noarch.rpm
CentOS	7	noarch	ipsilon-authgssapi	< 1.0.0-13.el7_3	ipsilon-authgssapi-1.0.0-13.el7_3.noarch.rpm
CentOS	7	noarch	ipsilon-authldap	< 1.0.0-13.el7_3	ipsilon-authldap-1.0.0-13.el7_3.noarch.rpm
CentOS	7	noarch	ipsilon-base	< 1.0.0-13.el7_3	ipsilon-base-1.0.0-13.el7_3.noarch.rpm
CentOS	7	noarch	ipsilon-client	< 1.0.0-13.el7_3	ipsilon-client-1.0.0-13.el7_3.noarch.rpm
CentOS	7	noarch	ipsilon-filesystem	< 1.0.0-13.el7_3	ipsilon-filesystem-1.0.0-13.el7_3.noarch.rpm
CentOS	7	noarch	ipsilon-infosssd	< 1.0.0-13.el7_3	ipsilon-infosssd-1.0.0-13.el7_3.noarch.rpm
CentOS	7	noarch	ipsilon-persona	< 1.0.0-13.el7_3	ipsilon-persona-1.0.0-13.el7_3.noarch.rpm
CentOS	7	noarch	ipsilon-saml2	< 1.0.0-13.el7_3	ipsilon-saml2-1.0.0-13.el7_3.noarch.rpm