Date: Fri, 24 Jun 2016 12:01:11 -0700 (PDT)
From: Alvaro Hoyos <alvaro.hoyos@...login.com>
To: rubysec-announce <rubysec-announce@...glegroups.com>
Cc: ruby-security-ann@...glegroups.com, oss-security@...ts.openwall.com
Subject: Re: [CVE-2016-5697] signature wrapping attack vulnerability in ruby-saml prior to version 1.3.0

Thanks to Robert Clancy from swrve.com for discovering and responsibly reporting this issue.

On Friday, June 24, 2016 at 11:35:34 AM UTC-7, Alvaro Hoyos wrote:
>
> Overview:
> Ruby-saml prior to version 1.3.0 is vulnerable to an XML signature
> wrapping attack. Ruby-saml users must update to version 1.3.0, which
> implements 3 extra validations to mitigate this kind of attack.
>
> Overall CVSS Score 6.1
>
> Fix: Add extra validations to prevent Signature wrapping attacks
>
> https://github.com/onelogin/ruby-saml
>
> alvaro j hoyos | chief information security officer |
> alvaro.hoyos@...login.com | +1 415.653.1893 | skype: alvaroonelogin
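An XML signature wrapping attack works by leaving a validly signed element in place while moving the data the application actually reads to an unsigned element elsewhere in the document, so that "the signature verifies" and "the Assertion is trusted" refer to different nodes. The Ruby below is an added illustration of the structural checks a SAML consumer can run before trusting an Assertion; it is not code from ruby-saml or from the advisory, and the three checks it performs are this editor's selection, not a claim about which validations ruby-saml 1.3.0 added. The two XML fixtures are constructed, the SignatureValue is a placeholder, and the code does no cryptographic verification, which must still be performed separately.

```ruby
require 'rexml/document'
require 'rexml/xpath'

# Namespace prefixes used by the XPath expressions below.
SAML_NS = {
  'samlp' => 'urn:oasis:names:tc:SAML:2.0:protocol',
  'saml'  => 'urn:oasis:names:tc:SAML:2.0:assertion',
  'ds'    => 'http://www.w3.org/2000/09/xmldsig#'
}.freeze

# Structural checks against signature wrapping. Returns an array of problem
# descriptions; an empty array means the document passed. These checks are
# illustrative (not ruby-saml's own) and complement, never replace,
# cryptographic verification of the signature.
def signature_wrapping_problems(xml)
  doc = REXML::Document.new(xml)
  problems = []

  # 1. Exactly one Assertion: a wrapped document carries a second one so the
  #    verifier checks one node while the application reads another.
  assertions = REXML::XPath.match(doc, '//saml:Assertion', SAML_NS)
  unless assertions.size == 1
    problems << "expected exactly 1 Assertion, found #{assertions.size}"
  end
  return problems if assertions.empty?
  assertion = assertions.first          # the node an application would consume
  assertion_id = assertion.attributes['ID']

  # 2. Exactly one Signature, and it must be enclosed directly by the
  #    Assertion it is supposed to cover.
  signatures = REXML::XPath.match(doc, '//ds:Signature', SAML_NS)
  unless signatures.size == 1
    problems << "expected exactly 1 Signature, found #{signatures.size}"
  end
  return problems if signatures.empty?
  signature = signatures.first
  unless signature.parent.equal?(assertion)
    problems << 'Signature is not a direct child of the consumed Assertion'
  end

  # 3. The Reference URI must name the consumed Assertion's ID, and that ID
  #    must belong to exactly one element in the whole document.
  reference = REXML::XPath.first(signature, 'ds:SignedInfo/ds:Reference', SAML_NS)
  uri = reference ? reference.attributes['URI'].to_s : ''
  unless uri == "##{assertion_id}"
    problems << "Reference URI #{uri.inspect} does not match Assertion ID #{assertion_id.inspect}"
  end
  owners = REXML::XPath.match(doc, '//*[@ID]').select { |e| e.attributes['ID'] == assertion_id }
  unless owners.size == 1
    problems << "Assertion ID #{assertion_id.inspect} is carried by #{owners.size} elements"
  end

  problems
end

# Constructed fixture: one Assertion with an enveloped Signature referencing it.
GOOD_RESPONSE = <<~XML
  <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
      xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
      xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0">
    <saml:Assertion ID="_a1" Version="2.0">
      <saml:Issuer>https://idp.example.test</saml:Issuer>
      <ds:Signature>
        <ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>
        <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
      </ds:Signature>
      <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
    </saml:Assertion>
  </samlp:Response>
XML

# Constructed fixture: an unsigned Assertion placed ahead of the signed one,
# so a consumer that reads "the first Assertion" sees the unsigned node.
WRAPPED_RESPONSE = <<~XML
  <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
      xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
      xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0">
    <saml:Assertion ID="_a2" Version="2.0">
      <saml:Subject><saml:NameID>someone-else</saml:NameID></saml:Subject>
    </saml:Assertion>
    <saml:Assertion ID="_a1" Version="2.0">
      <ds:Signature>
        <ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>
        <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
      </ds:Signature>
      <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
    </saml:Assertion>
  </samlp:Response>
XML

if __FILE__ == $PROGRAM_NAME
  { 'good' => GOOD_RESPONSE, 'wrapped' => WRAPPED_RESPONSE }.each do |label, xml|
    problems = signature_wrapping_problems(xml)
    puts "#{label}: #{problems.empty? ? 'accept' : 'reject: ' + problems.join('; ')}"
  end
end
```

Run as a script, the good fixture is accepted and the wrapped one is rejected on all three counts (two Assertions, a Signature whose parent is not the consumed Assertion, and a Reference URI that names a different ID). The point of picking `assertions.first` as the consumed node is that the checks must be evaluated against the exact node the application will read, not against whichever node happens to carry a Signature.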