CVE-2017-12868

NameCVE-2017-12868
DescriptionThe secureCompare method in lib/SimpleSAML/Utils/Crypto.php in SimpleSAMLphp 1.14.13 and earlier, when used with PHP before 5.6, allows attackers to conduct session fixation attacks or possibly bypass authentication by leveraging missing character conversions before an XOR operation.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-1205-1, DLA-1408-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
simplesamlphp (PTS)jessie, jessie (lts)1.13.1-2+deb8u3fixed
stretch (security), stretch (lts), stretch1.14.11-1+deb9u2fixed
buster1.16.3-1+deb10u2fixed
buster (security), buster (lts)1.16.3-1+deb10u1fixed
bullseye1.19.0-1fixed
sid, trixie, bookworm1.19.7-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
simplesamlphpsourcewheezy1.9.2-1+deb7u1DLA-1205-1
simplesamlphpsourcejessie1.13.1-2+deb8u2DLA-1408-1
simplesamlphpsourcestretch(not affected)
simplesamlphpsource(unstable)1.14.15-1

Notes

[stretch] - simplesamlphp <not-affected> (Only affects setups with old PHP versions not found in stable)
https://simplesamlphp.org/security/201705-01
Patch: https://github.com/simplesamlphp/simplesamlphp/commit/caf764cc2c9b68ac29741070ebdf133a595443f1
Search for package or bug name: Reporting problems