CVE-2017-12868

NameCVE-2017-12868
DescriptionThe secureCompare method in lib/SimpleSAML/Utils/Crypto.php in SimpleSAMLphp 1.14.13 and earlier, when used with PHP before 5.6, allows attackers to conduct session fixation attacks or possibly bypass authentication by leveraging missing character conversions before an XOR operation.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, GitHub code/issues, web search, more)
NVD severityhigh (attack range: remote)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
simplesamlphp (PTS)wheezy1.9.2-1vulnerable
jessie1.13.1-2vulnerable
stretch1.14.11-1vulnerable
buster1.14.15-1fixed
sid1.15.0-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
simplesamlphpsource(unstable)1.14.15-1high

Notes

https://simplesamlphp.org/security/201705-01

Search for package or bug name: Reporting problems