Merge ~elisehdy/ubuntu-cve-tracker:ruby-saml-update into ubuntu-cve-tracker:master

Proposed by Elise Hlady
Status: Merged
Merged at revision: 1a153c5ad26875486a391d67ec102ed03c1ca172
Proposed branch: ~elisehdy/ubuntu-cve-tracker:ruby-saml-update
Merge into: ubuntu-cve-tracker:master
Diff against target: 122 lines (+20/-14)
3 files modified
retired/CVE-2016-5697 (+4/-2)
retired/CVE-2017-11428 (+4/-2)
retired/CVE-2024-45409 (+12/-10)
Reviewer Review Type Date Requested Status
Emilia Torino Needs Fixing
Eduardo Barretto Needs Fixing
Diogo Sousa Pending
Review via email: mp+482155@code.launchpad.net

Commit message

Update and retire CVE-2016-5697, CVE-2017-11428, and CVE-2024-45409.

Revision history for this message
Eduardo Barretto (ebarretto) wrote :

Please unassign the CVEs; for more info, check the CI failure log.

review: Needs Fixing
Revision history for this message
Emilia Torino (emitorino) wrote :

Thanks Elise for this MP! Have you run make dev_setup? This is part of the UCT setup instructions.

$ make dev_setup

This will install a git pre-commit hook that will run $UCT/scripts/check-syntax on your modified CVE files.

So in this case, if you look at the failing build log (at https://launchpadlibrarian.net/779396038/buildlog_ci_ubuntu-cve-tracker_4fd737ebe7d70abaa2d3bbeeb298dae190681d42_BUILDING.txt.gz), check-cves fails with:

:: /build/lpci/project/active/CVE-2023-22656: 40: package 'onevpl' not in 'plucky'
:: /build/lpci/project/active/CVE-2023-47282: 40: package 'onevpl' not in 'plucky'
:: /build/lpci/project/active/CVE-2023-48727: 28: package 'onevpl' not in 'plucky'

These can be ignored, since they are not related to your change (it's about plucky packages being updated while the release is in devel activities).

:: /build/lpci/project/retired/CVE-2016-5697: 16: CVE is retired, but has Assigned-to set to elisehdy, should be blank
:: /build/lpci/project/retired/CVE-2017-11428: 20: CVE is retired, but has Assigned-to set to elisehdy, should be blank
:: /build/lpci/project/retired/CVE-2024-45409: 22: CVE is retired, but has Assigned-to set to elisehdy, should be blank

But these 3 are: can you please un-assign yourself from the files?

Also, for CVE-2024-45409 and esm-releases, the status is still released. This is because someone running an ESM Ubuntu release is/was affected at some point in time (before this update was produced). Setting it as not-affected might incorrectly assess a system.

review: Needs Fixing
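The two rules this review turns on (a file under retired/ must carry no Assigned-to, and an esm-apps entry should stay released rather than not-affected once ESM users have been exposed) can be expressed as a small consistency checker. The following is an added example written for this page, not the tracker's own scripts/check-syntax: the file format is inferred from the diff in this merge proposal, the sample input is constructed (trimmed and altered from CVE-2024-45409), and the second rule is a heuristic of this example (plain release line released and esm-apps line not-affected at the identical version), not a rule the tracker documents here.

```python
"""Added example: minimal consistency checks for UCT-style CVE files.

Not ubuntu-cve-tracker's check-syntax. It parses the 'Key: value' and
'<release>_<package>: <status> (<detail>)' lines visible in the diff and
applies two rules drawn from the review: retired files must have an empty
Assigned-to, and an esm-apps/<rel> line should not be not-affected at the
same version the plain <rel> line records as released.
"""
import re
from dataclasses import dataclass

# Per-release status line, e.g.
#   focal_ruby-saml: released (1.11.0-1ubuntu0.1)
#   esm-apps/focal_ruby-saml: not-affected (1.11.0-1ubuntu0.1)
#   trusty/esm_ruby-saml: DNE
STATUS_RE = re.compile(
    r"^(?P<release>[A-Za-z0-9][A-Za-z0-9./-]*)_(?P<package>[A-Za-z0-9][A-Za-z0-9.+-]*):"
    r"\s*(?P<status>[A-Za-z-]+)(?:\s*\((?P<detail>[^)]*)\))?\s*$"
)
# Top-level field, e.g. 'Assigned-to: elisehdy' or 'References:' (value may be empty).
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z][A-Za-z0-9-]*):\s*(?P<value>.*)$")


@dataclass
class Status:
    status: str
    detail: str


def parse_cve_file(text):
    """Return (fields, statuses); indented continuation lines are skipped."""
    fields, statuses = {}, {}
    for line in text.splitlines():
        if not line.strip() or line[0] in " \t":
            continue
        m = STATUS_RE.match(line)
        if m:
            key = f"{m['release']}_{m['package']}"
            statuses[key] = Status(m["status"], (m["detail"] or "").strip())
            continue
        m = FIELD_RE.match(line)
        if m:
            fields[m["key"]] = m["value"].strip()
    return fields, statuses


def check_retired(path, fields):
    """Rule from the CI log: a retired CVE must not carry an assignee."""
    assignee = fields.get("Assigned-to", "")
    if path.startswith("retired/") and assignee:
        return [f"{path}: CVE is retired, but has Assigned-to set to {assignee}, should be blank"]
    return []


def check_esm_not_affected(path, statuses):
    """Heuristic from the review: esm-apps/<rel> not-affected at the version <rel> has released."""
    problems = []
    for key, esm in statuses.items():
        release, _, package = key.partition("_")
        if not release.startswith("esm-apps/"):
            continue
        base_key = f"{release[len('esm-apps/'):]}_{package}"
        base = statuses.get(base_key)
        if base and base.status == "released" and esm.status == "not-affected" and esm.detail == base.detail:
            problems.append(
                f"{path}: {key}: not-affected ({esm.detail}) but {base_key} is released "
                f"({base.detail}); ESM users were affected before the update, expected released"
            )
    return problems


def check_file(path, text):
    fields, statuses = parse_cve_file(text)
    return check_retired(path, fields) + check_esm_not_affected(path, statuses)


# Constructed sample: trimmed from CVE-2024-45409 as shown in this MP, with the
# assignee still set and esm-apps/focal left as not-affected.
SAMPLE_RETIRED = """\
PublicDateAtUSN: 2024-09-10 19:15:00 UTC
Candidate: CVE-2024-45409
PublicDate: 2024-09-10 19:15:00 UTC
References:
 https://www.cve.org/CVERecord?id=CVE-2024-45409
Description:
 Constructed sample for the checker above.
Priority: medium
Discovered-by:
Assigned-to: elisehdy
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H [9.8 CRITICAL]

Patches_ruby-saml:
 upstream: https://github.com/SAML-Toolkits/ruby-saml/commit/4865d030cae9705ee5cdb12415c654c634093ae7
upstream_ruby-saml: released (1.17.0, 1.12.3)
esm-apps/xenial_ruby-saml: released (1.1.2-1ubuntu1+esm1)
focal_ruby-saml: released (1.11.0-1ubuntu0.1)
esm-apps/focal_ruby-saml: not-affected (1.11.0-1ubuntu0.1)
jammy_ruby-saml: released (1.13.0-1ubuntu0.1)
esm-apps/jammy_ruby-saml: released (1.13.0-1ubuntu0.1)
devel_ruby-saml: not-affected (1.17.0)
"""

if __name__ == "__main__":
    for problem in check_file("retired/CVE-2024-45409", SAMPLE_RETIRED):
        print(problem)
```

Run as a script it reports two problems for the constructed file (the assignee and the esm-apps/focal line); blanking Assigned-to and changing that line to released clears both.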
Revision history for this message
Eduardo Barretto (ebarretto) :

Preview Diff

diff --git a/active/CVE-2016-5697 b/retired/CVE-2016-5697
0similarity index 94%0similarity index 94%
1rename from active/CVE-2016-56971rename from active/CVE-2016-5697
2rename to retired/CVE-2016-56972rename to retired/CVE-2016-5697
index 17cc987..1a43447 100644
--- a/active/CVE-2016-5697
+++ b/retired/CVE-2016-5697
@@ -1,7 +1,9 @@
1PublicDateAtUSN: 2017-01-23 21:59:00 UTC
1Candidate: CVE-2016-56972Candidate: CVE-2016-5697
2PublicDate: 2017-01-23 21:59:00 UTC3PublicDate: 2017-01-23 21:59:00 UTC
3References:4References:
4 https://www.cve.org/CVERecord?id=CVE-2016-56975 https://www.cve.org/CVERecord?id=CVE-2016-5697
6 https://ubuntu.com/security/notices/USN-7309-1
5Description:7Description:
6 Ruby-saml before 1.3.0 allows attackers to perform XML signature wrapping8 Ruby-saml before 1.3.0 allows attackers to perform XML signature wrapping
7 attacks via unspecified vectors.9 attacks via unspecified vectors.
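Review bot: The USN-7309-1 reference added here is the same notice cited in all three retired files; confirm the published notice lists CVE-2016-5697 and not only the 2024 CVE, since otherwise this retired file has a USN reference that does not name the CVE it tracks.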
@@ -11,7 +13,7 @@ Bugs:
11 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=82807613 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=828076
12Priority: medium14Priority: medium
13Discovered-by:15Discovered-by:
14Assigned-to: elisehdy16Assigned-to:
15CVSS:17CVSS:
16 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N [7.5 HIGH]18 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N [7.5 HIGH]
1719
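Review bot: Blanking Assigned-to is what the check-cves failure quoted above ("CVE is retired, but has Assigned-to set to elisehdy, should be blank") asks for; rerun check-syntax or the CI job against this revision to confirm the three retired/ errors are gone, treating the unrelated onevpl/plucky errors as ignorable per the review.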
@@ -27,7 +29,7 @@ vivid/stable-phone-overlay_ruby-saml: DNE
27vivid/ubuntu-core_ruby-saml: DNE29vivid/ubuntu-core_ruby-saml: DNE
28wily_ruby-saml: ignored (end of life)30wily_ruby-saml: ignored (end of life)
29xenial_ruby-saml: ignored (end of standard support, was needed)31xenial_ruby-saml: ignored (end of standard support, was needed)
30esm-apps/xenial_ruby-saml: needed32esm-apps/xenial_ruby-saml: released (1.1.2-1ubuntu1+esm1)
31yakkety_ruby-saml: ignored (end of life)33yakkety_ruby-saml: ignored (end of life)
32zesty_ruby-saml: ignored (end of life)34zesty_ruby-saml: ignored (end of life)
33artful_ruby-saml: ignored (end of life)35artful_ruby-saml: ignored (end of life)
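Review bot: esm-apps/xenial_ruby-saml moves from needed to released (1.1.2-1ubuntu1+esm1) while xenial_ruby-saml keeps "ignored (end of standard support, was needed)", which is consistent; since this one +esm1 upload is recorded as the fix in all three files, check that its changelog names CVE-2016-5697 alongside the other two.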
diff --git a/active/CVE-2017-11428 b/retired/CVE-2017-11428
34similarity index 94%36similarity index 94%
35rename from active/CVE-2017-1142837rename from active/CVE-2017-11428
36rename to retired/CVE-2017-1142838rename to retired/CVE-2017-11428
index 70e3685..7608fcf 100644
--- a/active/CVE-2017-11428
+++ b/retired/CVE-2017-11428
@@ -1,9 +1,11 @@
1PublicDateAtUSN: 2019-04-17 14:29:00 UTC
1Candidate: CVE-2017-114282Candidate: CVE-2017-11428
2PublicDate: 2019-04-17 14:29:00 UTC3PublicDate: 2019-04-17 14:29:00 UTC
3References:4References:
4 https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations5 https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations
5 https://www.kb.cert.org/vuls/id/4754456 https://www.kb.cert.org/vuls/id/475445
6 https://www.cve.org/CVERecord?id=CVE-2017-114287 https://www.cve.org/CVERecord?id=CVE-2017-11428
8 https://ubuntu.com/security/notices/USN-7309-1
7Description:9Description:
8 OneLogin Ruby-SAML 1.6.0 and earlier may incorrectly utilize the results of10 OneLogin Ruby-SAML 1.6.0 and earlier may incorrectly utilize the results of
9 XML DOM traversal and canonicalization APIs in such a way that an attacker11 XML DOM traversal and canonicalization APIs in such a way that an attacker
@@ -15,7 +17,7 @@ Notes:
15Bugs:17Bugs:
16Priority: medium18Priority: medium
17Discovered-by:19Discovered-by:
18Assigned-to: elisehdy20Assigned-to:
19CVSS:21CVSS:
20 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H [9.8 CRITICAL]22 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H [9.8 CRITICAL]
2123
@@ -28,7 +30,7 @@ trusty_ruby-saml: DNE
28trusty/esm_ruby-saml: DNE30trusty/esm_ruby-saml: DNE
29esm-infra-legacy/trusty_ruby-saml: DNE31esm-infra-legacy/trusty_ruby-saml: DNE
30xenial_ruby-saml: ignored (end of standard support, was needed)32xenial_ruby-saml: ignored (end of standard support, was needed)
31esm-apps/xenial_ruby-saml: needed33esm-apps/xenial_ruby-saml: released (1.1.2-1ubuntu1+esm1)
32artful_ruby-saml: ignored (end of life)34artful_ruby-saml: ignored (end of life)
33bionic_ruby-saml: not-affected (1.7.2-1)35bionic_ruby-saml: not-affected (1.7.2-1)
34esm-apps/bionic_ruby-saml: not-affected (1.7.2-1)36esm-apps/bionic_ruby-saml: not-affected (1.7.2-1)
diff --git a/active/CVE-2024-45409 b/retired/CVE-2024-45409
35similarity index 72%37similarity index 72%
36rename from active/CVE-2024-4540938rename from active/CVE-2024-45409
37rename to retired/CVE-2024-4540939rename to retired/CVE-2024-45409
index e99e29d..95afa77 100644
--- a/active/CVE-2024-45409
+++ b/retired/CVE-2024-45409
@@ -1,8 +1,10 @@
1PublicDateAtUSN: 2024-09-10 19:15:00 UTC
1Candidate: CVE-2024-454092Candidate: CVE-2024-45409
2PublicDate: 2024-09-10 19:15:00 UTC3PublicDate: 2024-09-10 19:15:00 UTC
3References:4References:
4 https://www.cve.org/CVERecord?id=CVE-2024-454095 https://www.cve.org/CVERecord?id=CVE-2024-45409
5 https://github.com/SAML-Toolkits/ruby-saml/security/advisories/GHSA-jw9c-mfg7-9rx26 https://github.com/SAML-Toolkits/ruby-saml/security/advisories/GHSA-jw9c-mfg7-9rx2
7 https://ubuntu.com/security/notices/USN-7309-1
6Description:8Description:
7 The Ruby SAML library is for implementing the client side of a SAML9 The Ruby SAML library is for implementing the client side of a SAML
8 authorization. Ruby-SAML in <= 12.2 and 1.13.0 <= 1.16.0 does not properly10 authorization. Ruby-SAML in <= 12.2 and 1.13.0 <= 1.16.0 does not properly
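Review bot: The Description's range "<= 12.2" conflicts with the upstream fixed versions recorded in this file, released (1.17.0, 1.12.3), which imply an affected range of <= 1.12.2; if the Description is kept verbatim from the CVE record, a Notes entry stating the intended range would help anyone triaging from this file.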
@@ -17,7 +19,7 @@ Mitigation:
17Bugs:19Bugs:
18Priority: medium20Priority: medium
19Discovered-by:21Discovered-by:
20Assigned-to: elisehdy22Assigned-to:
21CVSS:23CVSS:
22 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H [9.8 CRITICAL]24 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H [9.8 CRITICAL]
2325
@@ -26,13 +28,13 @@ Patches_ruby-saml:
26 upstream: https://github.com/SAML-Toolkits/ruby-saml/commit/4865d030cae9705ee5cdb12415c654c634093ae728 upstream: https://github.com/SAML-Toolkits/ruby-saml/commit/4865d030cae9705ee5cdb12415c654c634093ae7
27 upstream: https://github.com/SAML-Toolkits/ruby-saml/commit/1ec5392bc506fe43a02dbb66b68741051c5ffeae (1.12.x)29 upstream: https://github.com/SAML-Toolkits/ruby-saml/commit/1ec5392bc506fe43a02dbb66b68741051c5ffeae (1.12.x)
28upstream_ruby-saml: released (1.17.0, 1.12.3)30upstream_ruby-saml: released (1.17.0, 1.12.3)
29esm-apps/xenial_ruby-saml: needed31esm-apps/xenial_ruby-saml: released (1.1.2-1ubuntu1+esm1)
30esm-apps/bionic_ruby-saml: needed32esm-apps/bionic_ruby-saml: released (1.7.2-1ubuntu0.1~esm1)
31focal_ruby-saml: needed33focal_ruby-saml: released (1.11.0-1ubuntu0.1)
32esm-apps/focal_ruby-saml: needed34esm-apps/focal_ruby-saml: not-affected (1.11.0-1ubuntu0.1)
33jammy_ruby-saml: needed35jammy_ruby-saml: released (1.13.0-1ubuntu0.1)
34esm-apps/jammy_ruby-saml: needed36esm-apps/jammy_ruby-saml: not-affected (1.13.0-1ubuntu0.1)
35noble_ruby-saml: needed37noble_ruby-saml: released (1.15.0-1ubuntu0.24.04.1)
36esm-apps/noble_ruby-saml: needed38esm-apps/noble_ruby-saml: not-affected (1.15.0-1ubuntu0.24.04.1)
37oracular_ruby-saml: needed39oracular_ruby-saml: released (1.15.0-1ubuntu0.24.10.1)
38devel_ruby-saml: not-affected (1.17.0)40devel_ruby-saml: not-affected (1.17.0)
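Review bot: The esm-apps/focal, esm-apps/jammy and esm-apps/noble lines are set to not-affected at exactly the version the focal, jammy and noble lines record as released; as the review above points out, systems on those ESM releases were affected before the update, and tooling reading not-affected will treat them as never vulnerable. Use released (1.11.0-1ubuntu0.1), released (1.13.0-1ubuntu0.1) and released (1.15.0-1ubuntu0.24.04.1), matching the esm-apps/xenial and esm-apps/bionic entries in the same hunk.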
