Candidate: CVE-2017-12868
PublicDate: 2017-09-01 13:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12868
 https://simplesamlphp.org/security/201705-01
Description:
 The secureCompare method in lib/SimpleSAML/Utils/Crypto.php in
 SimpleSAMLphp 1.14.13 and earlier, when used with PHP before 5.6, allows
 attackers to conduct session fixation attacks or possibly bypass
 authentication by leveraging missing character conversions before an XOR
 operation.
Ubuntu-Description:
Notes:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H [9.8 CRITICAL]

Patches_simplesamlphp:
upstream_simplesamlphp: released (1.14.15-1)
precise/esm_simplesamlphp: DNE
trusty_simplesamlphp: ignored (reached end-of-life)
trusty/esm_simplesamlphp: DNE (trusty was needed)
vivid/ubuntu-core_simplesamlphp: DNE
xenial_simplesamlphp: ignored (end of standard support, was needed)
zesty_simplesamlphp: ignored (reached end-of-life)
artful_simplesamlphp: not-affected (1.14.15-1)
bionic_simplesamlphp: not-affected (1.14.15-1)
cosmic_simplesamlphp: not-affected (1.14.15-1)
disco_simplesamlphp: not-affected (1.14.15-1)
eoan_simplesamlphp: not-affected (1.14.15-1)
focal_simplesamlphp: not-affected (1.14.15-1)
groovy_simplesamlphp: not-affected (1.14.15-1)
hirsute_simplesamlphp: not-affected (1.14.15-1)
impish_simplesamlphp: not-affected (1.14.15-1)
jammy_simplesamlphp: not-affected (1.14.15-1)
devel_simplesamlphp: not-affected (1.14.15-1)