Candidate: CVE-2016-9814
PublicDate: 2017-02-17 02:59:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9814
 https://simplesamlphp.org/security/201612-01
 https://github.com/simplesamlphp/saml2/pull/81
 https://github.com/simplesamlphp/saml2/commit/7008b0916426212c1cc2fc238b38ab9ebff0748c
 http://www.openwall.com/lists/oss-security/2016/12/03/5
Description:
 The validateSignature method in the SAML2\Utils class in SimpleSAMLphp before 1.14.10 and simplesamlphp/saml2 library before 1.9.1, 1.10.x before 1.10.3, and 2.x before 2.3.3 allows remote attackers to spoof SAML responses or possibly cause a denial of service (memory consumption) by leveraging improper conversion of return values to boolean.
Ubuntu-Description:
Notes:
Bugs:
Priority: low
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H [9.1 CRITICAL]

Patches_simplesamlphp:
upstream_simplesamlphp: released (1.14.10-1)
precise_simplesamlphp: ignored (reached end-of-life)
precise/esm_simplesamlphp: DNE (precise was needed)
trusty_simplesamlphp: ignored (reached end-of-life)
trusty/esm_simplesamlphp: DNE (trusty was needed)
vivid/stable-phone-overlay_simplesamlphp: DNE
vivid/ubuntu-core_simplesamlphp: DNE
xenial_simplesamlphp: ignored (end of standard support, was needed)
yakkety_simplesamlphp: ignored (reached end-of-life)
zesty_simplesamlphp: ignored (reached end-of-life)
artful_simplesamlphp: ignored (reached end-of-life)
bionic_simplesamlphp: not-affected
cosmic_simplesamlphp: not-affected
disco_simplesamlphp: not-affected
eoan_simplesamlphp: not-affected
focal_simplesamlphp: not-affected
groovy_simplesamlphp: not-affected
hirsute_simplesamlphp: not-affected
impish_simplesamlphp: not-affected
jammy_simplesamlphp: not-affected
devel_simplesamlphp: not-affected
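The "improper conversion of return values to boolean" in the description refers to the tri-state result of PHP's openssl_verify(), which the signature check underneath validateSignature ultimately relies on: it returns 1 for a valid signature, 0 for an invalid one and -1 on an internal error. Collapsing that to a boolean makes -1 truthy, so an error condition is accepted as a verified signature. The block below is an added illustration of that pitfall and is not code from SimpleSAMLphp or the saml2 library; the two check functions, the throwaway RSA key pair and the SAML fragment are constructed for the example, and the -1 case is simulated rather than provoked from OpenSSL. It does not cover the memory-consumption DoS mentioned in the description.

```php
<?php
// Added example: why a truthiness check on openssl_verify() is unsafe.
// openssl_verify() returns 1 (valid), 0 (invalid) or -1 (error).
// Not code from SimpleSAMLphp or simplesamlphp/saml2; names are constructed.

// Vulnerable shape: anything non-zero is treated as "verified".
function checkSignatureLoose(int $result): bool
{
    return (bool) $result;   // -1 is truthy, so an error is accepted as valid
}

// Hardened shape: only an exact 1 means the signature verified.
function checkSignatureStrict(int $result): bool
{
    return $result === 1;
}

// Constructed key pair (assumes the openssl extension is loaded).
$priv = openssl_pkey_new([
    'private_key_bits' => 2048,
    'private_key_type' => OPENSSL_KEYTYPE_RSA,
]);
$pub = openssl_pkey_get_details($priv)['key'];

// Constructed stand-in for the signed SAML content.
$data = '<samlp:Response ID="_constructed-example"/>';
openssl_sign($data, $sig, $priv, OPENSSL_ALGO_SHA256);

$cases = [
    'genuine'  => openssl_verify($data, $sig, $pub, OPENSSL_ALGO_SHA256),        // 1
    'tampered' => openssl_verify($data . 'x', $sig, $pub, OPENSSL_ALGO_SHA256),  // 0
    'error'    => -1,  // simulated: the value openssl_verify() yields on internal error
];

foreach ($cases as $name => $result) {
    printf("%-8s result=%2d  loose=%s  strict=%s\n",
        $name,
        $result,
        checkSignatureLoose($result)  ? 'ACCEPT' : 'reject',
        checkSignatureStrict($result) ? 'ACCEPT' : 'reject');
}
```

Run with `php` on a build that has the openssl extension; the "error" row is the one that matters: the loose check prints ACCEPT while the strict check rejects it. When auditing code that wraps openssl_verify() (or xmlseclibs' verify(), which passes the value through), grep for `if (!$result)`, `if ($result)` or `== true` around the call and replace them with an explicit `=== 1` comparison, as the upstream fix linked in the References does.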