Date: Fri, 24 Jun 2016 12:01:11 -0700 (PDT)
From: Alvaro Hoyos <alvaro.hoyos@...login.com>
To: rubysec-announce <rubysec-announce@...glegroups.com>
Cc: ruby-security-ann@...glegroups.com, oss-security@...ts.openwall.com
Subject: Re: [CVE-2016-5697] signature wrapping attack vulnerability in
 ruby-saml prior to version 1.3.0

Thanks to Robert Clancy from swrve.com for discovering and responsibly 
reporting this issue.

On Friday, June 24, 2016 at 11:35:34 AM UTC-7, Alvaro Hoyos wrote:
>
> Overview: 
> Ruby-saml prior to version 1.3.0 is vulnerable to an XML signature 
> wrapping attack. Ruby-saml users must update to version 1.3.0, which 
> implements 3 extra validations to mitigate this kind of attack.
>
> Overall CVSS Score 6.1
>
> Fix: Add extra validations to prevent Signature wrapping attacks [1]
>
> [1] https://github.com/onelogin/ruby-saml
>
> alvaro j hoyos | chief information security officer | 
> alvaro.hoyos@...login.com | +1 415.653.1893 | skype: alvaroonelogin
>

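To make the class of bug in the quoted overview concrete, here is an added example (not code from ruby-saml or from the advisory's authors) of the kind of structural check a SAML consumer can run before trusting an assertion. It uses only Ruby's REXML and assumes the cryptographic verification of the enveloped XMLDSig has already been performed by a separate, hypothetical step; the three checks it makes (exactly one Assertion, exactly one Signature whose single Reference URI names the ID of the element it is nested in, and the consumed Assertion lying inside that signed element) are generic anti-wrapping rules chosen for illustration, not necessarily the three validations the advisory says 1.3.0 adds. The sample responses are constructed and carry placeholder signature values.

```ruby
require 'rexml/document'
require 'rexml/xpath'

# Namespace prefixes used in the XPath queries below.
NS = {
  'ds'    => 'http://www.w3.org/2000/09/xmldsig#',
  'saml'  => 'urn:oasis:names:tc:SAML:2.0:assertion',
  'samlp' => 'urn:oasis:names:tc:SAML:2.0:protocol'
}.freeze

# Returns the one Assertion element that is structurally covered by the
# document's signature, or raises if the layout is inconsistent with a
# properly signed response. This is a structural check only: the caller is
# assumed (hypothetically) to have already verified the signature bytes.
def signed_assertion(xml)
  doc = REXML::Document.new(xml)

  assertions = REXML::XPath.match(doc, '//saml:Assertion', NS)
  raise 'expected exactly one Assertion' unless assertions.size == 1

  signatures = REXML::XPath.match(doc, '//ds:Signature', NS)
  raise 'expected exactly one Signature' unless signatures.size == 1
  sig = signatures.first

  refs = REXML::XPath.match(sig, 'ds:SignedInfo/ds:Reference', NS)
  raise 'expected exactly one Reference' unless refs.size == 1
  uri = refs.first.attributes['URI'].to_s
  raise 'Reference must be a same-document ID reference' unless uri.start_with?('#')

  # An enveloped signature signs its own parent; the Reference URI must name
  # that parent's ID, otherwise the signature could be "wrapped" around a
  # different element than the one the consumer is about to read.
  signed = sig.parent
  unless signed.attributes['ID'] == uri[1..-1]
    raise 'Reference URI does not match the ID of the signed element'
  end

  # The Assertion we consume must be the signed element or sit inside it.
  assertion = assertions.first
  node = assertion
  node = node.parent while node && !node.equal?(signed)
  raise 'Assertion is not inside the signed element' if node.nil?

  assertion
end

# Convenience wrapper: the accepted Assertion ID, or nil when rejected.
def accepted_assertion_id(xml)
  signed_assertion(xml).attributes['ID']
rescue RuntimeError
  nil
end

# Constructed sample: signature enveloped inside the assertion it covers.
GOOD_RESPONSE = <<~XML
  <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1">
    <saml:Assertion ID="_a1">
      <saml:Issuer>https://idp.example.test</saml:Issuer>
      <ds:Signature>
        <ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>
        <ds:SignatureValue>constructed-placeholder</ds:SignatureValue>
      </ds:Signature>
      <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
    </saml:Assertion>
  </samlp:Response>
XML

# Constructed sample: the signed assertion has been moved into Extensions and
# an unsigned assertion placed where a naive consumer looks first.
WRAPPED_RESPONSE = <<~XML
  <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1">
    <saml:Assertion ID="_a2">
      <saml:Subject><saml:NameID>admin</saml:NameID></saml:Subject>
    </saml:Assertion>
    <samlp:Extensions>
      <saml:Assertion ID="_a1">
        <ds:Signature>
          <ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>
          <ds:SignatureValue>constructed-placeholder</ds:SignatureValue>
        </ds:Signature>
        <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
      </saml:Assertion>
    </samlp:Extensions>
  </samlp:Response>
XML

# Constructed sample: signature sits under Response but claims to cover the
# assertion, so the Reference URI and the signed element disagree.
MISMATCHED_RESPONSE = <<~XML
  <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1">
    <ds:Signature>
      <ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>
      <ds:SignatureValue>constructed-placeholder</ds:SignatureValue>
    </ds:Signature>
    <saml:Assertion ID="_a1">
      <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
    </saml:Assertion>
  </samlp:Response>
XML

if __FILE__ == $PROGRAM_NAME
  puts accepted_assertion_id(GOOD_RESPONSE).inspect
  puts accepted_assertion_id(WRAPPED_RESPONSE).inspect
  puts accepted_assertion_id(MISMATCHED_RESPONSE).inspect
end
```

The point of the check is that the consumer binds "the element I verified" to "the element I read claims from" by ID and by tree position, rather than locating the Assertion with a loose XPath and trusting it because some signature in the document validated.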
