GLSA Advocate
Joined: 12 May 2004 Posts: 2663
|
Posted: Thu Jan 11, 2018 11:26 pm Post subject: [ GLSA 201801-11 ] PySAML2 |
|
|
Gentoo Linux Security Advisory
Title: PySAML2: Security bypass (GLSA 201801-11)
Severity: normal
Exploitable: remote
Date: 2018-01-11
Bug(s): #644016
ID: 201801-11
Synopsis
A vulnerability in PySAML2 might allow remote attackers to bypass
authentication.
Background
PySAML2 is a pure python implementation of SAML2
Affected Packages
Package: dev-python/pysaml2
Vulnerable: < 4.0.2-r3
Vulnerable: < 4.5.0
Unaffected: >= 4.0.2-r3
Unaffected: >= 4.5.0
Architectures: All supported architectures
Description
It was found that the PySAML2 relies on an assert statement to check the
user’s password. A python optimizations might remove this assertion.
Impact
A remote attacker could bypass security restrictions and access any
application which is using PySAML2 for authentication.
Workaround
Disable python optimizations.
Resolution
All PySAML2 4.0 users should upgrade to the latest version: Code: | # emerge --sync
# emerge --ask --oneshot --verbose ">=dev-python/pysaml2-4.0.2-r3"
| All PySAML2 4.5 users should upgrade to the latest version: Code: | # emerge --sync
# emerge --ask --oneshot --verbose ">=dev-python/pysaml2-4.5.0"
|
References
CVE-2017-1000433
Last edited by GLSA on Mon Jan 15, 2018 4:17 am; edited 2 times in total |
|