Package: python-pysaml2 | Debian Sources

Package: python-pysaml2 / 3.0.0-5+deb9u1

Metadata

Package	Version	Patches format
python-pysaml2	3.0.0-5+deb9u1	3.0 (quilt)

Patch series

view the series file

Patch	File delta	Description
fix xxe in xml parsing.patch \| (download)	setup.py \| 1 1 + 0 - 0 ! src/saml2/__init__.py \| 5 3 + 2 - 0 ! src/saml2/pack.py \| 3 2 + 1 - 0 ! src/saml2/soap.py \| 7 4 + 3 - 0 ! tests/test_03_saml2.py \| 27 27 + 0 - 0 ! tests/test_43_soap.py \| 43 43 + 0 - 0 ! tests/test_51_client.py \| 16 16 + 0 - 0 ! 7 files changed, 96 insertions(+), 6 deletions(-)	[patch] fix xxe in xml parsing (related to #366) This fixes XXE issues on anything where pysaml2 parses XML directly as part of issue #366. It doesn't address the xmlsec issues discussed on that ticket as they are out of reach of a direct fix and need the underlying library to fix this issue.
CVE 2020 5390.patch \| (download)	src/saml2/sigver.py \| 49 49 + 0 - 0 ! 1 file changed, 49 insertions(+)	[patch] fix xml signature wrapping (xsw) vulnerabilities PySAML2 did not check that the signature in a SAML document is enveloped and thus XML signature wrapping (XSW) was effective.

Patch

File delta

Description

fix xxe in xml parsing.patch | (download)

 [patch] fix xxe in xml parsing (related to #366)
 This fixes XXE issues on anything where pysaml2 parses XML directly as part of
 issue #366. It doesn't address the xmlsec issues discussed on that ticket as
 they are out of reach of a direct fix and need the underlying library to fix
 this issue.

CVE 2020 5390.patch | (download)

src/saml2/sigver.py | 49 49 + 0 - 0 !
1 file changed, 49 insertions(+)

 [patch] fix xml signature wrapping (xsw) vulnerabilities

PySAML2 did not check that the signature in a SAML document is enveloped and thus
XML signature wrapping (XSW) was effective.