A python-pysaml2 security update has been released for Debian GNU/Linux 8 Extended LTS to address a certificate verification bypass vulnerability.

ELA-644-1 python-pysaml2 security update

Package: python-pysaml2
Version: 2.0.0-1+deb8u4 (jessie)
Related CVEs: CVE-2021-21239

A certificate verification bypass vulnerability was discovered in python-pysaml2, a library for exchanging SAML authentication tokens.

The default CryptoBackendXmlSec1 backend used the xmlsec1 binary to verify the signature of signed SAML documents, but by default xmlsec1 accepted any type of key found within the given document, including key material the document itself carries. xmlsec1 must be configured explicitly to use only X.509 certificates when verifying the SAML document's signature.
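The following is an added example, not pysaml2's or Debian's code, showing the two halves of the problem described above: the xmlsec1 invocation with and without the key-data restriction, and a defender-side check that flags SAML documents carrying their own ds:KeyValue. The options --enabled-key-data raw-x509-cert, --pubkey-cert-pem and --id-attr:ID are real xmlsec1 command-line options; whether the Debian patch wires them exactly this way is not stated on this page, and the helper names and the two SAML samples are constructed for this example.

```python
"""Added example (not pysaml2's or Debian's code): pinning xmlsec1 to the
trusted X.509 certificate instead of letting it pick any key it finds in the
document, plus a simple screen for documents that ship their own key.
Helper names and the SAML samples are constructed here; the xmlsec1 flags
are taken from xmlsec1's CLI."""
import subprocess
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"


def build_xmlsec1_verify_command(doc_path, trusted_cert_pem, hardened=True):
    """Build an xmlsec1 verify command line.

    hardened=False mirrors the weak pattern from the advisory: the trusted
    certificate is supplied, but xmlsec1 remains free to use any key data it
    finds in the document's own ds:KeyInfo.
    hardened=True restricts key data to raw X.509 certificates, so only the
    certificate loaded from trusted_cert_pem is used for verification.
    """
    cmd = ["xmlsec1", "--verify"]
    if hardened:
        cmd += ["--enabled-key-data", "raw-x509-cert"]
    cmd += [
        "--pubkey-cert-pem", trusted_cert_pem,
        # SAML signatures reference the signed element by ID; tell xmlsec1
        # which attribute on which element is the ID.
        "--id-attr:ID", "urn:oasis:names:tc:SAML:2.0:assertion:Assertion",
        doc_path,
    ]
    return cmd


def verify_with_xmlsec1(doc_path, trusted_cert_pem):
    """Run the hardened verification; True only when xmlsec1 exits 0 (OK)."""
    result = subprocess.run(
        build_xmlsec1_verify_command(doc_path, trusted_cert_pem, hardened=True),
        capture_output=True, text=True,
    )
    return result.returncode == 0


def embedded_key_data(saml_xml):
    """Local names of every key-data child under each ds:KeyInfo."""
    root = ET.fromstring(saml_xml)
    names = []
    for keyinfo in root.iter("{%s}KeyInfo" % DS_NS):
        for child in keyinfo:
            names.append(child.tag.rsplit("}", 1)[-1])
    return names


def carries_own_key(saml_xml):
    """True when the document embeds a public key (ds:KeyValue); a key chosen
    by the sender must never be the one the signature is checked against."""
    return "KeyValue" in embedded_key_data(saml_xml)


# Constructed sample: KeyInfo carries an X.509 certificate reference, the
# shape a verifier pinned to the IdP certificate expects.
CERT_BOUND_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_resp1">
  <saml:Assertion ID="_assert1">
    <ds:Signature>
      <ds:SignedInfo/>
      <ds:SignatureValue>placeholder</ds:SignatureValue>
      <ds:KeyInfo>
        <ds:X509Data><ds:X509Certificate>placeholder</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </ds:Signature>
  </saml:Assertion>
</samlp:Response>"""

# Constructed sample: the same document, but KeyInfo ships its own RSA key.
SELF_KEYED_RESPONSE = CERT_BOUND_RESPONSE.replace(
    "<ds:X509Data><ds:X509Certificate>placeholder</ds:X509Certificate></ds:X509Data>",
    "<ds:KeyValue><ds:RSAKeyValue><ds:Modulus>placeholder</ds:Modulus>"
    "<ds:Exponent>AQAB</ds:Exponent></ds:RSAKeyValue></ds:KeyValue>",
)

if __name__ == "__main__":
    print("weak:    ", " ".join(build_xmlsec1_verify_command("response.xml", "idp.pem", hardened=False)))
    print("hardened:", " ".join(build_xmlsec1_verify_command("response.xml", "idp.pem")))
    for label, doc in (("cert-bound", CERT_BOUND_RESPONSE), ("self-keyed", SELF_KEYED_RESPONSE)):
        print(label, embedded_key_data(doc), "reject" if carries_own_key(doc) else "ok")
```

The KeyInfo screen is only a cheap first filter for logs or a pre-parse step; the actual control is the verifier invocation that restricts key data to the trusted certificate, since a document that carries no KeyValue at all can still be checked against the wrong key if xmlsec1 is left to choose.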

For Debian 8 jessie, these problems have been fixed in version 2.0.0-1+deb8u4.

We recommend that you upgrade your python-pysaml2 packages.

Further information about Extended LTS security advisories can be found at: https://deb.freexian.com/extended-lts/