CVE-2020-5390

Priority
Description
PySAML2 before 5.0.0 does not check that the signature in a SAML document
is enveloped and thus signature wrapping is effective, i.e., it is affected
by XML Signature Wrapping (XSW). The signature information and the
node/object that is signed can be in different places and thus the
signature verification will succeed, but the wrong data will be used. This
specifically affects the verification of assertions that have been signed.
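A structural check for the condition described above, as an added example (not PySAML2's code or its actual fix): accept an assertion only if its signature is a direct child and references that same assertion. The function names and the sample document are constructed for illustration; the check covers placement only and assumes cryptographic verification of the signature happens separately.

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"


def signature_is_enveloped(assertion):
    """True only if the assertion has exactly one direct-child ds:Signature
    whose single ds:Reference points at this assertion's own ID."""
    assertion_id = assertion.get("ID")
    signatures = assertion.findall(f"{{{DS}}}Signature")  # direct children only
    if not assertion_id or len(signatures) != 1:
        return False
    refs = signatures[0].findall(f"{{{DS}}}SignedInfo/{{{DS}}}Reference")
    return len(refs) == 1 and refs[0].get("URI") == "#" + assertion_id


def assertions_safe_to_use(xml_text):
    """Return the IDs of assertions whose signature is enveloped.
    Documents with duplicate ID values are rejected outright, because a
    Reference URI would then be ambiguous."""
    root = ET.fromstring(xml_text)
    ids = [el.get("ID") for el in root.iter() if el.get("ID")]
    if len(ids) != len(set(ids)):
        raise ValueError("duplicate ID attributes in document")
    return [a.get("ID") for a in root.iter(f"{{{SAML}}}Assertion")
            if signature_is_enveloped(a)]


def sample(assertion_id, reference_uri):
    """Constructed sample: one assertion carrying a signature stub."""
    return (f'<Response xmlns="urn:oasis:names:tc:SAML:2.0:protocol">'
            f'<Assertion xmlns="{SAML}" ID="{assertion_id}">'
            f'<Signature xmlns="{DS}"><SignedInfo>'
            f'<Reference URI="{reference_uri}"/></SignedInfo></Signature>'
            f'<Subject/></Assertion></Response>')


if __name__ == "__main__":
    print(assertions_safe_to_use(sample("_a1", "#_a1")))  # signature covers its parent
    print(assertions_safe_to_use(sample("_b2", "#_a1")))  # signature covers another node
```

The consuming code must then read its data from the same element object that passed this check and the cryptographic verification, not from a second lookup in the document.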
Assigned-to
leosilva
Notes
Package
Upstream: needs-triage
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 ESM (Trusty Tahr): DNE
Ubuntu 16.04 LTS (Xenial Xerus): released (3.0.0-3ubuntu1.16.04.4)
Ubuntu 18.04 LTS (Bionic Beaver): released (4.0.2-0ubuntu3.1)
Ubuntu 19.10 (Eoan Ermine): released (4.5.0+dfsg1-0ubuntu2.19.10.1)
Ubuntu 20.04 (Focal Fossa): released (4.9.0-0ubuntu2)
More Information

Updated: 2020-01-29 20:05:43 UTC (commit 768ceb2fdee6790d707d0f681e1b54916744af1e)