Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Fri, 24 Jun 2016 10:14:46 -0700
From: Alvaro Hoyos <alvaro.hoyos@...login.com>
To: ruby-security-ann@...glegroups.com, rubysec-announce@...glegroups.com, 
	oss-security@...ts.openwall.com
Subject: [CVE-2016-5697] signature wrapping attack vulnerability in ruby-saml
 prior to version 1.3.0

Overview:
Ruby-saml prior to version 1.3.0 is vulnerable to an XML signature wrapping
attack. Ruby-saml users must update to 1.3.0 version which implements 3
extra validations to mitigate this kind of attack.

Overall CVSS Score 6.1

Fix: Add extra validations to prevent Signature wrapping attacks [1]

[1] https://github.com/onelogin/ruby-saml

alvaro j hoyos | chief information security officer |
alvaro.hoyos@...login.com | +1 415.653.1893 | skype: alvaroonelogin

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ