Debian 10421 Published by

Debian GNU/Linux ELTS has been updated with security updates for OpenSAML and Shadow:

Debian GNU/Linux 8 (Jessie) Extended LTS:
ELA-1395-1 shadow security update

Debian GNU/Linux 8 (Jessie) and 9 (Stretch) Extended LTS:
ELA-1394-1 opensaml2 security update

Debian GNU/Linux 10 (Buster) Extended LTS:
ELA-1393-1 opensaml security update

ELA-1393-1 opensaml security update


Package : opensaml

Version : 3.0.1-1+deb10u1 (buster)

Related CVEs :
CVE-2025-31335

Alexander Tan discovered that the OpenSAML C++ library was susceptible
to forging of signed SAML messages. For additional details please refer
to the upstream advisory at
https://shibboleth.net/community/advisories/secadv_20250313.txt
For Debian 8 (jessie) and 9 (stretch), see separate ELA-1394-1 for opensaml2.

ELA-1394-1 opensaml2 security update


Package : opensaml2

Version : 2.5.3-2+deb8u3 (jessie), 2.6.0-4+deb9u2 (stretch)

Related CVEs :
CVE-2025-31335

Alexander Tan discovered that the OpenSAML C++ library was susceptible
to forging of signed SAML messages. For additional details please refer
to the upstream advisory at
https://shibboleth.net/community/advisories/secadv_20250313.txt
For Debian 10 (buster), see separate ELA-1393-1 for opensaml.

ELA-1395-1 shadow security update


Package : shadow
Version : 1:4.2-3+deb8u6 (jessie)

Related CVEs :
CVE-2023-4641
CVE-2023-29383

Several vulnerabilities were discovered in the shadow suite of login
tools. In limited situations an attacker may extract a password from
memory, or mislead an administrator who inspects /etc/passwd in a
terminal.

CVE-2023-4641
When asking for a new password, shadow-utils prompts for it twice. If
the second entry does not match the first, shadow-utils fails to clear
the buffer holding the first entry. This may allow an attacker with
sufficient access to retrieve the password from memory.
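The defect is a cleanup step that only runs on the success path. The following is an added illustration, not code from shadow or Debian: a minimal double-entry confirmation written once in the leaky shape the advisory describes and once with the wipe moved to a single exit path. The function names, the fixed PASS_MAX_LEN buffer size and the secure_wipe helper are assumptions made for this example; a real prompt routine would fill the entry buffers from the terminal instead of taking them as arguments.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PASS_MAX_LEN 128   /* assumed buffer size for this example */

/* Overwrite a buffer through a volatile pointer so the optimiser cannot drop
   the stores as dead. explicit_bzero(3) or memset_s() serve the same purpose
   where they are available. */
static void secure_wipe(void *p, size_t n)
{
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n-- > 0)
        *vp++ = 0;
}

/* Returns 1 if every byte of the buffer is zero, 0 otherwise. */
int buffer_is_zeroed(const unsigned char *p, size_t n)
{
    unsigned char acc = 0;
    for (size_t i = 0; i < n; i++)
        acc |= p[i];
    return acc == 0;
}

/* The shape the advisory describes: both entries are wiped only after a
   successful match, so a mismatch returns early with the first entry still
   resident. entry1/entry2 are NUL-terminated strings supplied by the caller. */
int confirm_password_leaky(char *entry1, char *entry2, char *out, size_t outlen)
{
    if (strcmp(entry1, entry2) != 0)
        return 0;                   /* early exit: entry1 is never cleared */
    if (strlen(entry1) >= outlen)
        return 0;
    strcpy(out, entry1);
    secure_wipe(entry1, PASS_MAX_LEN);
    secure_wipe(entry2, PASS_MAX_LEN);
    return 1;
}

/* Corrected shape: one exit path, both entries wiped whatever the outcome. */
int confirm_password_fixed(char *entry1, char *entry2, char *out, size_t outlen)
{
    int ok = 0;
    if (strcmp(entry1, entry2) == 0 && strlen(entry1) < outlen) {
        strcpy(out, entry1);
        ok = 1;
    }
    secure_wipe(entry1, PASS_MAX_LEN);
    secure_wipe(entry2, PASS_MAX_LEN);
    return ok;
}

/* Drive one scenario (constructed attempts) and report whether the buffer
   holding the first entry is clean once the confirmation routine returns. */
int first_entry_wiped_after(int use_fixed, const char *attempt1, const char *attempt2)
{
    char e1[PASS_MAX_LEN] = {0}, e2[PASS_MAX_LEN] = {0}, out[PASS_MAX_LEN];
    strncpy(e1, attempt1, PASS_MAX_LEN - 1);
    strncpy(e2, attempt2, PASS_MAX_LEN - 1);
    if (use_fixed)
        confirm_password_fixed(e1, e2, out, sizeof out);
    else
        confirm_password_leaky(e1, e2, out, sizeof out);
    return buffer_is_zeroed((const unsigned char *)e1, sizeof e1);
}

int main(void)
{
    printf("leaky, mismatch: first entry wiped? %s\n",
           first_entry_wiped_after(0, "correct horse", "correct hors") ? "yes" : "no");
    printf("fixed, mismatch: first entry wiped? %s\n",
           first_entry_wiped_after(1, "correct horse", "correct hors") ? "yes" : "no");
    return 0;
}
```

The volatile-pointer wipe matters as much as where it is called: a plain memset() on a buffer that is about to go out of scope is a dead store the compiler is entitled to remove, which would reintroduce the same exposure on both paths.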

CVE-2023-29383
It is possible to inject control characters into the fields handled by
the SUID program chfn (change finger information). Although this cannot
be exploited directly (e.g., adding a new user entry fails because \n is
in the block list), it can be used to misrepresent the contents of
/etc/passwd when the file is viewed in a terminal.
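Because the injected bytes are only misleading when rendered by a terminal, a plain byte-level scan of the file catches them. The following is an added example, not code from shadow or Debian: a checker that reports the first passwd field containing any control character, applied to a constructed three-record sample in which one GECOS field carries a carriage return. The function names and the sample records are assumptions made for this illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Return the 1-based number of the first colon-separated field that contains
   a control character (anything iscntrl() accepts: 0x00-0x1f and 0x7f), or 0
   if the record is clean. The record's own terminating '\n' is not a finding. */
int passwd_control_char_field(const char *line)
{
    int field = 1;
    for (const char *p = line; *p != '\0'; p++) {
        if (*p == ':') { field++; continue; }
        if (*p == '\n' && p[1] == '\0') break;
        if (iscntrl((unsigned char)*p)) return field;
    }
    return 0;
}

/* Walk a passwd-format buffer (one record per line), print each offending
   record's line number and field, and return how many records were flagged. */
int scan_passwd_records(const char *text)
{
    int findings = 0, lineno = 1;
    const char *start = text;
    while (*start != '\0') {
        const char *end = strchr(start, '\n');
        size_t len = end ? (size_t)(end - start) : strlen(start);
        char rec[512];
        if (len >= sizeof rec) len = sizeof rec - 1;   /* truncate oversized records */
        memcpy(rec, start, len);
        rec[len] = '\0';
        int f = passwd_control_char_field(rec);
        if (f) {
            findings++;
            printf("line %d: control character in field %d\n", lineno, f);
        }
        if (!end) break;
        start = end + 1;
        lineno++;
    }
    return findings;
}

/* Constructed sample: two ordinary records and one whose GECOS field (field 5)
   contains a carriage return, which a terminal would render by moving the
   cursor back to the start of the line. */
static const char SAMPLE_PASSWD[] =
    "root:x:0:0:root:/root:/bin/bash\n"
    "alice:x:1000:1000:Alice Example:/home/alice:/bin/bash\n"
    "mallory:x:1001:1001:Mallory\r:/home/mallory:/bin/sh\n";

int main(void)
{
    int n = scan_passwd_records(SAMPLE_PASSWD);
    printf("%d record(s) flagged\n", n);
    return 0;
}
```

Reading the real file is a matter of loading /etc/passwd into the buffer passed to scan_passwd_records(); the same check applies to any line-oriented account database where a terminal is the usual viewer.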

