CVE-2020-5390 (https://nvd.nist.gov/vuln/detail/CVE-2020-5390): PySAML2 before 5.0.0 does not check that the signature in a SAML document is enveloped and thus signature wrapping is effective, i.e., it is affected by XML Signature Wrapping (XSW). The signature information and the node/object that is signed can be in different places and thus the signature verification will succeed, but the wrong data will be used. This specifically affects the verification of assertions that have been signed.
Upstream patch: https://github.com/IdentityPython/pysaml2/commit/5e9d5acbcd8ae45c4e736ac521fd2df5b1c62e25
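The missing check the description refers to, as an added example written for this page (standard-library Python; it is neither pysaml2's code nor the upstream patch): it resolves the ds:Signature's Reference URI and accepts the document only when the referenced element envelopes the Signature, then hands back that element so the caller verifies and consumes the same node instead of whatever an ID lookup returns. The two sample documents, their element names and IDs are constructed.

```python
# Added example, not pysaml2 or upstream-patch code. Sample documents are
# constructed; for untrusted XML in production use a hardened parser (defusedxml).
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"

def enveloped_signed_element(xml_text):
    """Return the element that envelopes the document's single ds:Signature.

    Raises ValueError when there is not exactly one Signature, its Reference
    URI is not a same-document "#id", that ID is not unique, or the referenced
    element is not an ancestor of the Signature (the XSW case of CVE-2020-5390).
    The caller must consume the returned element, never one found by ID lookup.
    """
    root = ET.fromstring(xml_text)
    parent = {child: p for p in root.iter() for child in p}
    sigs = list(root.iter(DS + "Signature"))
    if len(sigs) != 1:
        raise ValueError("expected exactly one ds:Signature")
    sig = sigs[0]
    ref = sig.find(f"{DS}SignedInfo/{DS}Reference")
    uri = ref.get("URI", "") if ref is not None else ""
    if len(uri) < 2 or not uri.startswith("#"):
        raise ValueError("Reference is not a same-document URI")
    matches = [e for e in root.iter() if e.get("ID") == uri[1:]]
    if len(matches) != 1:
        raise ValueError("referenced ID must occur exactly once")
    node = parent.get(sig)  # walk up from the Signature to the signed element
    while node is not None and node is not matches[0]:
        node = parent.get(node)
    if node is None:
        raise ValueError("signed element does not envelope the Signature")
    return node


# Constructed: the Signature sits inside assertion "a1", which it references.
ENVELOPED = (
    '<Response xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
    '<Assertion ID="a1"><Subject>alice</Subject><ds:Signature><ds:SignedInfo>'
    '<ds:Reference URI="#a1"/></ds:SignedInfo></ds:Signature></Assertion></Response>'
)
# Constructed: the same Signature moved into an unsigned assertion "a2"; the
# digest over "a1" would still verify, but "a2" is the node that gets consumed.
WRAPPED = (
    '<Response xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
    '<Extensions><Assertion ID="a1"><Subject>alice</Subject></Assertion></Extensions>'
    '<Assertion ID="a2"><Subject>mallory</Subject><ds:Signature><ds:SignedInfo>'
    '<ds:Reference URI="#a1"/></ds:SignedInfo></ds:Signature></Assertion></Response>'
)
```

The structural check is a precondition, not a replacement for the cryptographic verification of the digest and signature value over the returned element.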
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fb6782d4bdfaedc803fd0e70791f5af297210c59

commit fb6782d4bdfaedc803fd0e70791f5af297210c59
Author:     Matthew Thode <prometheanfire@gentoo.org>
AuthorDate: 2020-02-28 16:29:16 +0000
Commit:     Matthew Thode <prometheanfire@gentoo.org>
CommitDate: 2020-02-28 16:29:46 +0000

    dev-python/pysaml2: cleanup

    Bug: https://bugs.gentoo.org/710732
    Package-Manager: Portage-2.3.84, Repoman-2.3.20
    Signed-off-by: Matthew Thode <prometheanfire@gentoo.org>

 dev-python/pysaml2/Manifest                | 1 -
 dev-python/pysaml2/pysaml2-4.6.3-r1.ebuild | 40 ------------------------------
 dev-python/pysaml2/pysaml2-4.6.3.ebuild    | 29 ----------------------
 dev-python/pysaml2/pysaml2-4.6.5.ebuild    | 40 ------------------------------
 4 files changed, 110 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e7a247aadc5e35bf5aed61f78f7e8b0d9ed21dfb

commit e7a247aadc5e35bf5aed61f78f7e8b0d9ed21dfb
Author:     Matthew Thode <prometheanfire@gentoo.org>
AuthorDate: 2020-02-28 16:28:00 +0000
Commit:     Matthew Thode <prometheanfire@gentoo.org>
CommitDate: 2020-02-28 16:29:44 +0000

    dev-python/pysaml2: 4.6.5-r1 added fast stable for CVE-2020-5390

    Bug: https://bugs.gentoo.org/710732
    Package-Manager: Portage-2.3.84, Repoman-2.3.20
    RepoMan-Options: --force
    Signed-off-by: Matthew Thode <prometheanfire@gentoo.org>

 dev-python/pysaml2/files/cve-2020-5390.patch | 189 +++++++++++++++++++++++++++
 dev-python/pysaml2/metadata.xml              |   2 +-
 dev-python/pysaml2/pysaml2-4.6.5-r1.ebuild   |  42 ++++++
 3 files changed, 232 insertions(+), 1 deletion(-)
fixed, fast stable with cleanup
Thanks all, tree is clean.