Package: python-pysaml2 / 3.0.0-5+deb9u1

Metadata

Package: python-pysaml2
Version: 3.0.0-5+deb9u1
Patches format: 3.0 (quilt)

Patch series

Patch File delta Description
fix xxe in xml parsing.patch

setup.py | 1 1 + 0 - 0 !
src/saml2/__init__.py | 5 3 + 2 - 0 !
src/saml2/pack.py | 3 2 + 1 - 0 !
src/saml2/soap.py | 7 4 + 3 - 0 !
tests/test_03_saml2.py | 27 27 + 0 - 0 !
tests/test_43_soap.py | 43 43 + 0 - 0 !
tests/test_51_client.py | 16 16 + 0 - 0 !
7 files changed, 96 insertions(+), 6 deletions(-)

 [patch] fix xxe in xml parsing (related to #366)
 This fixes XXE issues on anything where pysaml2 parses XML directly as part of
 issue #366. It doesn't address the xmlsec issues discussed on that ticket as
 they are out of reach of a direct fix and need the underlying library to fix
 this issue.
CVE 2020 5390.patch

src/saml2/sigver.py | 49 49 + 0 - 0 !
1 file changed, 49 insertions(+)

 [patch] fix xml signature wrapping (xsw) vulnerabilities

PySAML2 did not check that the signature in a SAML document is enveloped and thus
XML signature wrapping (XSW) was effective.