CVE-2019-3465

Name: CVE-2019-3465
Description: Rob Richards XmlSecLibs, all versions prior to v3.0.3, as used for example by SimpleSAMLphp, performed incorrect validation of cryptographic signatures in XML messages, allowing an authenticated attacker to impersonate others or elevate privileges by creating a crafted XML message.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
References: DLA-1983-1, DSA-4560-1
NVD severity: medium
Debian Bugs: 944107

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package        | Release                   | Version           | Status
simplesamlphp (PTS)   | jessie                    | 1.13.1-2+deb8u1   | vulnerable
                      | jessie (security)         | 1.13.1-2+deb8u3   | fixed
                      | stretch                   | 1.14.11-1+deb9u1  | vulnerable
                      | stretch (security)        | 1.14.11-1+deb9u2  | fixed
                      | buster, buster (security) | 1.16.3-1+deb10u1  | fixed
                      | bullseye, sid             | 1.17.6-2          | fixed

The information below is based on the following data on fixed versions.

Package        | Type   | Release    | Fixed Version     | Urgency | Origin     | Debian Bugs
simplesamlphp  | source | (unstable) | 1.17.6-2          |         |            | 944107
simplesamlphp  | source | buster     | 1.16.3-1+deb10u1  |         | DSA-4560-1 |
simplesamlphp  | source | jessie     | 1.13.1-2+deb8u3   |         | DLA-1983-1 |
simplesamlphp  | source | stretch    | 1.14.11-1+deb9u2  |         | DSA-4560-1 |

Notes

https://groups.google.com/forum/#!msg/simplesamlphp-announce/2odMqz63z7k/6zQQeM91EwAJ
https://simplesamlphp.org/security/201911-01
