Candidate: CVE-2016-9955
PublicDate: 2017-02-17 02:59:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9955
 https://simplesamlphp.org/security/201612-02
 https://github.com/simplesamlphp/simplesamlphp/commit/a2326d75dd14accaac162dd2cb30aaefcc1f9205
 http://www.openwall.com/lists/oss-security/2016/12/14/7
Description:
 The SimpleSAML_XML_Validator class constructor in SimpleSAMLphp before 1.14.11 might allow remote attackers to spoof signatures on SAML 1 responses or possibly cause a denial of service (memory consumption) by leveraging improper conversion of return values to boolean.
Ubuntu-Description:
Notes:
Bugs:
Priority: medium
Discovered-by: Thijs Kinkhorst
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H [6.3 MEDIUM]

Patches_simplesamlphp:
upstream_simplesamlphp: released (1.14.11-1)
precise_simplesamlphp: ignored (reached end-of-life)
precise/esm_simplesamlphp: DNE (precise was needed)
trusty_simplesamlphp: ignored (reached end-of-life)
trusty/esm_simplesamlphp: DNE (trusty was needed)
vivid/stable-phone-overlay_simplesamlphp: DNE
vivid/ubuntu-core_simplesamlphp: DNE
xenial_simplesamlphp: ignored (end of standard support, was needed)
yakkety_simplesamlphp: ignored (reached end-of-life)
zesty_simplesamlphp: not-affected
artful_simplesamlphp: not-affected
bionic_simplesamlphp: not-affected
cosmic_simplesamlphp: not-affected
disco_simplesamlphp: not-affected
eoan_simplesamlphp: not-affected
focal_simplesamlphp: not-affected
groovy_simplesamlphp: not-affected
hirsute_simplesamlphp: not-affected
impish_simplesamlphp: not-affected
jammy_simplesamlphp: not-affected
devel_simplesamlphp: not-affected