CVE-2017-1000433 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-1000433): pysaml2 version 4.4.0 and older accept any password when run with python optimizations enabled. This allows attackers to log in as any user without knowing their password.
@ Maintainer(s): Please cleanup and drop =dev-python/pysaml2-4.0.2-r1! GLSA Vote: Yes! New GLSA request filed.
This issue was resolved and addressed in GLSA 201801-11 at https://security.gentoo.org/glsa/201801-11 by GLSA coordinator Thomas Deutschmann (whissi).
Re-opening for cleanup! @ Maintainer(s): Please cleanup an drop =dev-python/pysaml2-4.0.2-r1!
keystone requires pysaml2 4.0.2 (tested with 4.5, didn't pass tests). I've patched 4.0.2 in r2, let me know if that's sufficient to stablize
Looks like you have missed to patch "verify()" method. See https://github.com/jkakavas/pysaml2/commit/6312a41e037954850867f29d329e5007df1424a5 and https://github.com/jkakavas/pysaml2/blob/4.0.0/src/saml2/authn.py#L180
ok, fixed in 4.0.3-r3
OK, we now have to stabilize =dev-python/pysaml2-4.0.2-r3. I already updated the GLSA.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=56e17e588296fd1522b5f468d9a35c920e3910a9 commit 56e17e588296fd1522b5f468d9a35c920e3910a9 Author: Thomas Deutschmann <whissi@gentoo.org> AuthorDate: 2018-01-12 19:34:01 +0000 Commit: Thomas Deutschmann <whissi@gentoo.org> CommitDate: 2018-01-12 19:34:01 +0000 dev-python/pysaml2: x86 stable Bug: https://bugs.gentoo.org/644016 Package-Manager: Portage-2.3.19, Repoman-2.3.6 dev-python/pysaml2/pysaml2-4.0.2-r3.ebuild | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)}
amd64 stable. Maintainer(s), please cleanup.
cleaned up, removing from cc
Repository is clean, all done.
