pysaml2 version 4.4.0 and older accept any password when run with python
optimizations enabled. This allows attackers to log in as any user without
knowing their password.
@ Maintainer(s): Please cleanup and drop =dev-python/pysaml2-4.0.2-r1!
GLSA Vote: Yes!
New GLSA request filed.
This issue was resolved and addressed in
GLSA 201801-11 at https://security.gentoo.org/glsa/201801-11
by GLSA coordinator Thomas Deutschmann (whissi).
Re-opening for cleanup!
@ Maintainer(s): Please cleanup an drop =dev-python/pysaml2-4.0.2-r1!
keystone requires pysaml2 4.0.2 (tested with 4.5, didn't pass tests).
I've patched 4.0.2 in r2, let me know if that's sufficient to stablize
Looks like you have missed to patch "verify()" method. See https://github.com/jkakavas/pysaml2/commit/6312a41e037954850867f29d329e5007df1424a5 and https://github.com/jkakavas/pysaml2/blob/4.0.0/src/saml2/authn.py#L180
ok, fixed in 4.0.3-r3
OK, we now have to stabilize =dev-python/pysaml2-4.0.2-r3. I already updated the GLSA.
The bug has been referenced in the following commit(s):
Author: Thomas Deutschmann <firstname.lastname@example.org>
AuthorDate: 2018-01-12 19:34:01 +0000
Commit: Thomas Deutschmann <email@example.com>
CommitDate: 2018-01-12 19:34:01 +0000
dev-python/pysaml2: x86 stable
Package-Manager: Portage-2.3.19, Repoman-2.3.6
dev-python/pysaml2/pysaml2-4.0.2-r3.ebuild | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)}
Maintainer(s), please cleanup.
cleaned up, removing from cc
Repository is clean, all done.