CVE-2019-3465

Name: CVE-2019-3465
Description: Rob Richards XmlSecLibs, all versions prior to v3.0.3, as used for example by SimpleSAMLphp, performed incorrect validation of cryptographic signatures in XML messages, allowing an authenticated attacker to impersonate others or elevate privileges by creating a crafted XML message.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search)
References: DLA-1983-1, DSA-4560-1
Debian Bugs: 944107

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package      | Release                                    | Version           | Status
--------------------|--------------------------------------------|-------------------|-------
simplesamlphp (PTS) | jessie, jessie (lts)                       | 1.13.1-2+deb8u3   | fixed
                    | stretch (security), stretch (lts), stretch | 1.14.11-1+deb9u2  | fixed
                    | buster                                     | 1.16.3-1+deb10u2  | fixed
                    | buster (security), buster (lts)            | 1.16.3-1+deb10u1  | fixed
                    | bullseye                                   | 1.19.0-1          | fixed
                    | sid, trixie, bookworm                      | 1.19.7-1          | fixed

The information below is based on the following data on fixed versions.

Package       | Type   | Release    | Fixed Version     | Urgency     | Origin     | Debian Bugs
--------------|--------|------------|-------------------|-------------|------------|------------
simplesamlphp | source | wheezy     | (unfixed)         | end-of-life |            |
simplesamlphp | source | jessie     | 1.13.1-2+deb8u3   |             | DLA-1983-1 |
simplesamlphp | source | stretch    | 1.14.11-1+deb9u2  |             | DSA-4560-1 |
simplesamlphp | source | buster     | 1.16.3-1+deb10u1  |             | DSA-4560-1 |
simplesamlphp | source | (unstable) | 1.17.6-2          |             |            | 944107

Notes

https://groups.google.com/forum/#!msg/simplesamlphp-announce/2odMqz63z7k/6zQQeM91EwAJ
https://simplesamlphp.org/security/201911-01