Candidate: CVE-2017-16853
PublicDate: 2017-11-16 17:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16853
 https://git.shibboleth.net/view/?p=cpp-opensaml.git;a=commit;h=6182b0acf2df670e75423c2ed7afe6950ef11c9d
 https://shibboleth.net/community/advisories/secadv_20171115.txt
 https://bugs.debian.org/881856
Description:
 The DynamicMetadataProvider class in
 saml/saml2/metadata/impl/DynamicMetadataProvider.cpp in OpenSAML-C in
 OpenSAML before 2.6.1 fails to properly configure itself with the
 MetadataFilter plugins and does not perform critical security checks such
 as signature verification, enforcement of validity periods, and other
 checks specific to deployments, aka CPPOST-105.
Ubuntu-Description:
Notes:
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=881856
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H [8.1 HIGH]


Patches_opensaml2:
upstream_opensaml2: released (2.6.1-1)
precise/esm_opensaml2: DNE
trusty_opensaml2: released (2.5.3-2+deb8u2build0.14.04.1)
trusty/esm_opensaml2: DNE (trusty was released [2.5.3-2+deb8u2build0.14.04.1])
xenial_opensaml2: released (2.5.5-1ubuntu0.1)
zesty_opensaml2: released (2.6.0-4+deb9u1build0.17.04.1)
artful_opensaml2: released (2.6.0-4+deb9u1build0.17.10.1)
bionic_opensaml2: not-affected (2.6.1-1)
cosmic_opensaml2: not-affected (2.6.1-1)
devel_opensaml2: not-affected (2.6.1-1)