Merge ~elisehdy/ubuntu-cve-tracker:ruby-saml-update into ubuntu-cve-tracker:master

Proposed by Elise Hlady
Status: Merged
Merged at revision: 1a153c5ad26875486a391d67ec102ed03c1ca172
Proposed branch: ~elisehdy/ubuntu-cve-tracker:ruby-saml-update
Merge into: ubuntu-cve-tracker:master
Diff against target: 122 lines (+20/-14)
3 files modified
retired/CVE-2016-5697 (+4/-2)
retired/CVE-2017-11428 (+4/-2)
retired/CVE-2024-45409 (+12/-10)
Reviewer          Review Type   Date Requested   Status
Emilia Torino                                    Needs Fixing
Eduardo Barretto                                 Needs Fixing
Diogo Sousa                                      Pending
Review via email: mp+482155@code.launchpad.net

Commit message

Update and retire CVE-2016-5697, CVE-2017-11428, and CVE-2024-45409.

Eduardo Barretto (ebarretto) wrote :

Please unassign the CVEs; for more info, check the CI failure log.

review: Needs Fixing
Emilia Torino (emitorino) wrote :

Thanks Elise for this MP! Have you run make dev_setup? This is part of the UCT setup instructions.

$ make dev_setup

This will install a git pre-commit hook that will run $UCT/scripts/check-syntax on your modified CVE files.

So in this case, if you look at the failing build log (at https://launchpadlibrarian.net/779396038/buildlog_ci_ubuntu-cve-tracker_4fd737ebe7d70abaa2d3bbeeb298dae190681d42_BUILDING.txt.gz), check-cves fails with:

:: /build/lpci/project/active/CVE-2023-22656: 40: package 'onevpl' not in 'plucky'
:: /build/lpci/project/active/CVE-2023-47282: 40: package 'onevpl' not in 'plucky'
:: /build/lpci/project/active/CVE-2023-48727: 28: package 'onevpl' not in 'plucky'

These can be ignored, since they are not related to your change (it's about plucky packages being updated while the release is in devel activities).

:: /build/lpci/project/retired/CVE-2016-5697: 16: CVE is retired, but has Assigned-to set to elisehdy, should be blank
:: /build/lpci/project/retired/CVE-2017-11428: 20: CVE is retired, but has Assigned-to set to elisehdy, should be blank
:: /build/lpci/project/retired/CVE-2024-45409: 22: CVE is retired, but has Assigned-to set to elisehdy, should be blank

But these 3 are related: can you please un-assign yourself from the files?

Also, for CVE-2024-45409 and esm releases, the status is still released. This is because someone running an ESM Ubuntu release is/was affected at some point in time (before this update was produced). Setting it as not-affected might incorrectly assess a system.

review: Needs Fixing
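The CI message quoted in the review above comes from a rule over the UCT CVE file layout that is visible in the diff: "Key: value" header fields with indented continuation lines, followed by "<release>_<package>: <status> (<note>)" lines. The following is an added example, not UCT's own scripts/check-syntax or check-cves: it parses that layout and applies the retired-CVE rule ("CVE is retired, but has Assigned-to set to ..., should be blank"). The sample file is constructed from the CVE-2016-5697 entry in the diff, with a made-up upstream line; the second rule (a retired file should contain no target still marked needed) is an assumption drawn from how the statuses were flipped before the files were moved to retired/, not a rule quoted from UCT.

```python
"""Minimal UCT-style CVE file checker (added example, not UCT's own code)."""
import re
from typing import Dict, List, Tuple

# "<release>[/pocket]_<package>: <status> (<note>)" lines, e.g.
#   esm-apps/xenial_ruby-saml: released (1.1.2-1ubuntu1+esm1)
# Status words are the ones seen in the diff plus a few common UCT ones
# (pending, deferred, needs-triage are assumed, not taken from this page).
STATUS_RE = re.compile(
    r"^(?P<target>[A-Za-z0-9./+-]+_[A-Za-z0-9.+-]+):\s*"
    r"(?P<status>DNE|needed|released|not-affected|ignored|pending|deferred|needs-triage)"
    r"(?:\s*\((?P<note>.*)\))?\s*$"
)


def parse_cve(text: str) -> Tuple[Dict[str, str], Dict[str, Tuple[str, str]]]:
    """Return (header fields, {target: (status, note)}) for one CVE file."""
    fields: Dict[str, str] = {}
    statuses: Dict[str, Tuple[str, str]] = {}
    current = None  # header key that indented lines continue
    for line in text.splitlines():
        if not line.strip():
            continue
        m = STATUS_RE.match(line)
        if m:
            statuses[m["target"]] = (m["status"], m["note"] or "")
            current = None
            continue
        if line[0] in " \t":
            # Continuation of a multi-line field (References, Description, CVSS ...)
            if current is not None:
                fields[current] = (fields[current] + "\n" + line.strip()).strip()
            continue
        key, _, value = line.partition(":")
        current = key.strip()
        fields[current] = value.strip()
    return fields, statuses


def check(path_dir: str, text: str) -> List[str]:
    """Apply the retired-CVE rules; path_dir is 'active' or 'retired'."""
    fields, statuses = parse_cve(text)
    problems: List[str] = []
    if path_dir != "retired":
        return problems
    cve = fields.get("Candidate", "?")
    assignee = fields.get("Assigned-to", "")
    if assignee:
        # Same condition as the CI message quoted in the review.
        problems.append(
            f"{cve}: CVE is retired, but has Assigned-to set to {assignee}, should be blank"
        )
    # Assumed rule: nothing should still be 'needed' once a file is retired.
    needed = [t for t, (status, _) in statuses.items() if status == "needed"]
    if needed:
        problems.append(f"{cve}: CVE is retired, but still needed for: {', '.join(needed)}")
    return problems


# Constructed sample modelled on the CVE-2016-5697 file in the diff, in the
# pre-review state (Assigned-to still set, xenial ESM still 'needed').
SAMPLE_BEFORE = """\
PublicDateAtUSN: 2017-01-23 21:59:00 UTC
Candidate: CVE-2016-5697
PublicDate: 2017-01-23 21:59:00 UTC
References:
 https://www.cve.org/CVERecord?id=CVE-2016-5697
 https://ubuntu.com/security/notices/USN-7309-1
Description:
 Ruby-saml before 1.3.0 allows attackers to perform XML signature wrapping
 attacks via unspecified vectors.
Priority: medium
Discovered-by:
Assigned-to: elisehdy
CVSS:
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N [7.5 HIGH]

Patches_ruby-saml:
upstream_ruby-saml: released (1.3.0)
xenial_ruby-saml: ignored (end of standard support, was needed)
esm-apps/xenial_ruby-saml: needed
bionic_ruby-saml: not-affected (1.7.2-1)
"""

# The state after the review: assignee cleared and the ESM fix released.
SAMPLE_AFTER = SAMPLE_BEFORE.replace("Assigned-to: elisehdy", "Assigned-to:").replace(
    "esm-apps/xenial_ruby-saml: needed",
    "esm-apps/xenial_ruby-saml: released (1.1.2-1ubuntu1+esm1)",
)

if __name__ == "__main__":
    for name, sample in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(name, check("retired", sample) or "ok")
```

Running it prints two problems for the "before" file in retired/ and "ok" for the "after" file, which is the same outcome the CI run on this MP produced once Assigned-to was blanked.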
Eduardo Barretto (ebarretto) :

Preview Diff

1diff --git a/active/CVE-2016-5697 b/retired/CVE-2016-5697
2similarity index 94%
3rename from active/CVE-2016-5697
4rename to retired/CVE-2016-5697
5index 17cc987..1a43447 100644
6--- a/active/CVE-2016-5697
7+++ b/retired/CVE-2016-5697
8@@ -1,7 +1,9 @@
9+PublicDateAtUSN: 2017-01-23 21:59:00 UTC
10 Candidate: CVE-2016-5697
11 PublicDate: 2017-01-23 21:59:00 UTC
12 References:
13 https://www.cve.org/CVERecord?id=CVE-2016-5697
14+ https://ubuntu.com/security/notices/USN-7309-1
15 Description:
16 Ruby-saml before 1.3.0 allows attackers to perform XML signature wrapping
17 attacks via unspecified vectors.
18@@ -11,7 +13,7 @@ Bugs:
19 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=828076
20 Priority: medium
21 Discovered-by:
22-Assigned-to: elisehdy
23+Assigned-to:
24 CVSS:
25 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N [7.5 HIGH]
26
27@@ -27,7 +29,7 @@ vivid/stable-phone-overlay_ruby-saml: DNE
28 vivid/ubuntu-core_ruby-saml: DNE
29 wily_ruby-saml: ignored (end of life)
30 xenial_ruby-saml: ignored (end of standard support, was needed)
31-esm-apps/xenial_ruby-saml: needed
32+esm-apps/xenial_ruby-saml: released (1.1.2-1ubuntu1+esm1)
33 yakkety_ruby-saml: ignored (end of life)
34 zesty_ruby-saml: ignored (end of life)
35 artful_ruby-saml: ignored (end of life)
36diff --git a/active/CVE-2017-11428 b/retired/CVE-2017-11428
37similarity index 94%
38rename from active/CVE-2017-11428
39rename to retired/CVE-2017-11428
40index 70e3685..7608fcf 100644
41--- a/active/CVE-2017-11428
42+++ b/retired/CVE-2017-11428
43@@ -1,9 +1,11 @@
44+PublicDateAtUSN: 2019-04-17 14:29:00 UTC
45 Candidate: CVE-2017-11428
46 PublicDate: 2019-04-17 14:29:00 UTC
47 References:
48 https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations
49 https://www.kb.cert.org/vuls/id/475445
50 https://www.cve.org/CVERecord?id=CVE-2017-11428
51+ https://ubuntu.com/security/notices/USN-7309-1
52 Description:
53 OneLogin Ruby-SAML 1.6.0 and earlier may incorrectly utilize the results of
54 XML DOM traversal and canonicalization APIs in such a way that an attacker
55@@ -15,7 +17,7 @@ Notes:
56 Bugs:
57 Priority: medium
58 Discovered-by:
59-Assigned-to: elisehdy
60+Assigned-to:
61 CVSS:
62 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H [9.8 CRITICAL]
63
64@@ -28,7 +30,7 @@ trusty_ruby-saml: DNE
65 trusty/esm_ruby-saml: DNE
66 esm-infra-legacy/trusty_ruby-saml: DNE
67 xenial_ruby-saml: ignored (end of standard support, was needed)
68-esm-apps/xenial_ruby-saml: needed
69+esm-apps/xenial_ruby-saml: released (1.1.2-1ubuntu1+esm1)
70 artful_ruby-saml: ignored (end of life)
71 bionic_ruby-saml: not-affected (1.7.2-1)
72 esm-apps/bionic_ruby-saml: not-affected (1.7.2-1)
73diff --git a/active/CVE-2024-45409 b/retired/CVE-2024-45409
74similarity index 72%
75rename from active/CVE-2024-45409
76rename to retired/CVE-2024-45409
77index e99e29d..95afa77 100644
78--- a/active/CVE-2024-45409
79+++ b/retired/CVE-2024-45409
80@@ -1,8 +1,10 @@
81+PublicDateAtUSN: 2024-09-10 19:15:00 UTC
82 Candidate: CVE-2024-45409
83 PublicDate: 2024-09-10 19:15:00 UTC
84 References:
85 https://www.cve.org/CVERecord?id=CVE-2024-45409
86 https://github.com/SAML-Toolkits/ruby-saml/security/advisories/GHSA-jw9c-mfg7-9rx2
87+ https://ubuntu.com/security/notices/USN-7309-1
88 Description:
89 The Ruby SAML library is for implementing the client side of a SAML
90 authorization. Ruby-SAML in <= 12.2 and 1.13.0 <= 1.16.0 does not properly
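Review bot: the Description context line `Ruby-SAML in <= 12.2 and 1.13.0 <= 1.16.0` carries an upstream typo in the lower range: the Patches block of this same file records the 1.12.x fix as 1.12.3, so the affected range is <= 1.12.2 (and 1.13.0 to 1.16.0). Since the Description is copied from the CVE record, consider adding a line under Notes: stating the corrected range rather than editing the description itself, so the file is not misread as covering a different version line.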
91@@ -17,7 +19,7 @@ Mitigation:
92 Bugs:
93 Priority: medium
94 Discovered-by:
95-Assigned-to: elisehdy
96+Assigned-to:
97 CVSS:
98 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H [9.8 CRITICAL]
99
100@@ -26,13 +28,13 @@ Patches_ruby-saml:
101 upstream: https://github.com/SAML-Toolkits/ruby-saml/commit/4865d030cae9705ee5cdb12415c654c634093ae7
102 upstream: https://github.com/SAML-Toolkits/ruby-saml/commit/1ec5392bc506fe43a02dbb66b68741051c5ffeae (1.12.x)
103 upstream_ruby-saml: released (1.17.0, 1.12.3)
104-esm-apps/xenial_ruby-saml: needed
105-esm-apps/bionic_ruby-saml: needed
106-focal_ruby-saml: needed
107-esm-apps/focal_ruby-saml: needed
108-jammy_ruby-saml: needed
109-esm-apps/jammy_ruby-saml: needed
110-noble_ruby-saml: needed
111-esm-apps/noble_ruby-saml: needed
112-oracular_ruby-saml: needed
113+esm-apps/xenial_ruby-saml: released (1.1.2-1ubuntu1+esm1)
114+esm-apps/bionic_ruby-saml: released (1.7.2-1ubuntu0.1~esm1)
115+focal_ruby-saml: released (1.11.0-1ubuntu0.1)
116+esm-apps/focal_ruby-saml: not-affected (1.11.0-1ubuntu0.1)
117+jammy_ruby-saml: released (1.13.0-1ubuntu0.1)
118+esm-apps/jammy_ruby-saml: not-affected (1.13.0-1ubuntu0.1)
119+noble_ruby-saml: released (1.15.0-1ubuntu0.24.04.1)
120+esm-apps/noble_ruby-saml: not-affected (1.15.0-1ubuntu0.24.04.1)
121+oracular_ruby-saml: released (1.15.0-1ubuntu0.24.10.1)
122 devel_ruby-saml: not-affected (1.17.0)
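Review bot: the esm-apps pockets are handled inconsistently in this hunk, and the inconsistency touches the point Emilia raised. `+esm-apps/xenial_ruby-saml: released (1.1.2-1ubuntu1+esm1)` and `+esm-apps/bionic_ruby-saml: released (1.7.2-1ubuntu0.1~esm1)` are marked released, while `+esm-apps/focal_ruby-saml: not-affected (1.11.0-1ubuntu0.1)`, esm-apps/jammy and esm-apps/noble are marked not-affected at exactly the version the matching standard release records as released. The review asked for esm entries on this CVE to keep released status, because a system on an ESM release could have been affected before this update; please either confirm with the reviewer that not-affected is the intended convention for esm-apps pockets whose release is still in standard support, or change those three lines to released with the same versions.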
