| Name | CVE-2017-12868 |
| Description | The secureCompare method in lib/SimpleSAML/Utils/Crypto.php in SimpleSAMLphp 1.14.13 and earlier, when used with PHP before 5.6, allows attackers to conduct session fixation attacks or possibly bypass authentication by leveraging missing character conversions before an XOR operation. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| References | DLA-1205-1, DLA-1408-1 |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| simplesamlphp (PTS) | bullseye | 1.19.0-1 | fixed |
| sid, trixie, bookworm | 1.19.7-1 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| simplesamlphp | source | wheezy | 1.9.2-1+deb7u1 | DLA-1205-1 | ||
| simplesamlphp | source | jessie | 1.13.1-2+deb8u2 | DLA-1408-1 | ||
| simplesamlphp | source | stretch | (not affected) | |||
| simplesamlphp | source | (unstable) | 1.14.15-1 |
[stretch] - simplesamlphp <not-affected> (Only affects setups with old PHP versions not found in stable)
https://simplesamlphp.org/security/201705-01
Patch: https://github.com/simplesamlphp/simplesamlphp/commit/caf764cc2c9b68ac29741070ebdf133a595443f1