582 matches found
Credentials exposure in session storage
More info at https://simplesamlphp.org/security/201812-01...
Authentication Bypass
SimpleSAMLphp is vulnerable to authentication bypasses. A malicious user can pass an unsigned SAML response with multiple assertions to the application. As long as one of the assertions is valid, the application will consider the SAML response valid and grant access to the malicious user...
Debian: Security Advisory (DLA-1408-1)
The remote host is missing an update for the Debian... SPDX-FileCopyrightText: 2018 Greenbone AG. Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only...
Debian DLA-1408-1 : simplesamlphp security update
CVE-2017-12872 / CVE-2017-12868: The (1) Htpasswd authentication source in the authcrypt module and (2) SimpleSAML_Session class in SimpleSAMLphp 1.14.11 and earlier allow remote attackers to conduct timing side-channel attacks by leveraging use of the standard comparison operator to compare secret...
[SECURITY] [DLA 1408-1] simplesamlphp security update
Package: simplesamlphp. Version: 1.13.1-2+deb8u2. CVE ID: CVE-2017-12868 CVE-2017-12872. CVE-2017-12872 / CVE-2017-12868: The (1) Htpasswd authentication source in the authcrypt module and (2) SimpleSAML_Session class in SimpleSAMLphp 1.14.11 and earlier allow remote attackers to conduct timing...
DLA-1408-1 simplesamlphp - security update
Bulletin has no description...
Cross-site Scripting (XSS)
simplesamlphp is vulnerable to cross-site scripting (XSS) attacks. A malicious user can craft URLs that include JavaScript to pass to another user for execution through the setConsentText function in the consentAdmin module. This vulnerability requires the consentAdmin module to be enabled and...
Bypassing Signature Validation
simplesamlphp is vulnerable to signature validation bypass. There is a flaw in signature verification on SAML assertions which allows construction of a crafted SAML assertion on behalf of an Identity Provider. Consequently, an attacker can impersonate a user from that Identity Provider...
Information disclosure of source code
More info at https://simplesamlphp.org/security/202004-01...
[SECURITY] Fedora 28 Update: php-simplesamlphp-saml2_3-3.1.4-3.fc28
A PHP library for SAML2-related functionality. Extracted from SimpleSAMLphp [1], used by OpenConext [2]. This library started as a collaboration between UNINETT [3] and SURFnet [4], but everyone is invited to contribute. Autoloader: /usr/share/php/SAML2_3/autoload.php. [1] https://www.simplesamlphp.org/ [2]...
[SECURITY] Fedora 28 Update: php-simplesamlphp-saml2-2.3.8-1.fc28
A PHP library for SAML2-related functionality. Extracted from SimpleSAMLphp [1], used by OpenConext [2]. This library started as a collaboration between UNINETT [3] and SURFnet [4], but everyone is invited to contribute. Autoloader: /usr/share/php/SAML2/autoload.php. [1] https://www.simplesamlphp.org/ [2]...
Fedora 27 : php-simplesamlphp-saml2_1 (2018-96601292a2)
SSPSA 201803-01 / CVE-2018-7711 - SSPSA 201802-01 / CVE-2018-7644 - SSPSA 201801-01 / CVE-2018-6519 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much...
Fedora 27 : php-simplesamlphp-saml2_3 (2018-37e28670f2)
SSPSA 201803-01 / CVE-2018-7711 - SSPSA 201802-01 / CVE-2018-7644 - SSPSA 201801-01 / CVE-2018-6519 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much...
Debian DLA-1314-1 : simplesamlphp security update
Cure53 discovered that in SimpleSAMLphp, in rare circumstances, an invalid signature on the SAML 2.0 HTTP Redirect binding could be considered valid. Additionally, this update fixes a regression introduced in DLA-1298 by the backported patch for SSA-201802-01/CVE-2018-7644. For Debian 7 'Wheezy',...
Fedora 26 : php-simplesamlphp-saml2_1 (2018-d809bd2fd6)
SSPSA 201803-01 / CVE-2018-7711 - SSPSA 201802-01 / CVE-2018-7644 - SSPSA 201801-01 / CVE-2018-6519 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much...
Fedora 27 : php-simplesamlphp-saml2 (2018-6db40b0c37)
SSPSA 201803-01 / CVE-2018-7711 - SSPSA 201802-01 / CVE-2018-7644 - SSPSA 201801-01 / CVE-2018-6519 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much...
Fedora 26 : php-simplesamlphp-saml2 (2018-f4ab4d96f9)
SSPSA 201803-01 / CVE-2018-7711 - SSPSA 201802-01 / CVE-2018-7644 - SSPSA 201801-01 / CVE-2018-6519 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much...
Fedora 26 : php-simplesamlphp-saml2_3 (2018-f2097d8937)
SSPSA 201803-01 / CVE-2018-7711 - SSPSA 201802-01 / CVE-2018-7644 - SSPSA 201801-01 / CVE-2018-6519 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much...
Fedora Update for php-simplesamlphp-saml2 FEDORA-2018-6db40b0c37
The remote host is missing an update for the... SPDX-FileCopyrightText: 2018 Greenbone AG. Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only...
Debian: Security Advisory (DLA-1298-1)
The remote host is missing an update for the Debian... SPDX-FileCopyrightText: 2018 Greenbone AG. Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only...