
Bug#686344: marked as done (unblock: simplesamlphp/1.9.2.-1)



Your message dated Fri, 31 Aug 2012 14:06:08 +0200
with message-id <5040A8B0.60201@thykier.net>
and subject line Re: Bug#686344: unblock: simplesamlphp/1.9.2.-1
has caused the Debian Bug report #686344,
regarding unblock: simplesamlphp/1.9.2.-1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
686344: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=686344
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Hi,

Please unblock package simplesamlphp. It's a security-update only release
that further tightens the screws on the security issue addressed in 1.9.1,
after further discussion with the scientists who discovered the issue.

The debdiff is very simple.

Please
unblock simplesamlphp/1.9.2.-1


Thanks,
Thijs
diff -Nru simplesamlphp-1.9.1/debian/changelog simplesamlphp-1.9.2/debian/changelog
--- simplesamlphp-1.9.1/debian/changelog	2012-08-06 14:58:01.000000000 +0200
+++ simplesamlphp-1.9.2/debian/changelog	2012-08-29 17:45:36.000000000 +0200
@@ -1,3 +1,11 @@
+simplesamlphp (1.9.2-1) unstable; urgency=medium
+
+  * New upstream security release:
+    Fix possible issue in PKCS 1.5 encryption when a key is
+    correctly decrypted but its length is not the one expected.
+
+ -- Thijs Kinkhorst <thijs@debian.org>  Wed, 29 Aug 2012 15:43:31 +0000
+
 simplesamlphp (1.9.1-1) unstable; urgency=medium
 
   * New upstream security release:
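Review bot: the entry's "PKCS 1.5 encryption" should read "PKCS#1 v1.5" (the RSA padding scheme), and naming where the check was added (the decrypted symmetric key length check in lib/SAML2/Utils.php) would let readers map this entry to the 1.9.1 issue it hardens; as written it only says the length is "not the one expected" without saying what happens in that case (the key is rejected and a random key substituted, per the Utils.php hunk). If an upstream advisory identifier exists for the 1.9.1 issue, quoting it here would help as well.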
diff -Nru simplesamlphp-1.9.1/docs/simplesamlphp-changelog.txt simplesamlphp-1.9.2/docs/simplesamlphp-changelog.txt
--- simplesamlphp-1.9.1/docs/simplesamlphp-changelog.txt	2012-08-02 08:25:33.000000000 +0200
+++ simplesamlphp-1.9.2/docs/simplesamlphp-changelog.txt	2012-08-29 10:19:20.000000000 +0200
@@ -6,6 +6,12 @@
 This document lists the changes between versions of simpleSAMLphp.
 See the upgrade notes for specific information about upgrading.
 
+## Version 1.9.2
+
+Released 2012-08-29
+
+  * Fix related to the security issue addressed in version 1.9.1.
+
 ## Version 1.9.1
 
 Released 2012-08-02.
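Review bot: "Released 2012-08-29" lacks the trailing period that the 1.9.1 entry below it uses ("Released 2012-08-02."), and the bullet only says the fix is "related to" the 1.9.1 issue; stating what it does (reject a decrypted symmetric key whose length does not match the encryption algorithm) would make the changelog actionable for administrators deciding whether to upgrade.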
diff -Nru simplesamlphp-1.9.1/lib/SAML2/Utils.php simplesamlphp-1.9.2/lib/SAML2/Utils.php
--- simplesamlphp-1.9.1/lib/SAML2/Utils.php	2012-08-02 08:25:23.000000000 +0200
+++ simplesamlphp-1.9.2/lib/SAML2/Utils.php	2012-08-29 10:19:12.000000000 +0200
@@ -393,6 +393,10 @@
 
 			try {
 				$key = $encKey->decryptKey($symmetricKeyInfo);
+				if (strlen($key) != $keySize) {
+					throw new Exception('Unexpected key size (' . strlen($key) * 8 . 'bits) for encryption algorithm: ' .
+										var_export($symmetricKey->type, TRUE));
+				}
 			} catch (Exception $e) {
 				/* We failed to decrypt this key. Log it, and substitute a "random" key. */
 				SimpleSAML_Logger::error('Failed to decrypt symmetric key: ' . $e->getMessage());
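Review bot: placing the length check inside the try block is the right choice and deserves a code comment: a key that decrypts to the wrong size now takes the same catch path as a failed decryption (logged, then a "random" key substituted), so the two cases are not distinguishable to the sender of the message. Two smaller points: $keySize is not visible in the hunk, so confirm it is expressed in bytes to match strlen($key) rather than in bits; and the message built as `strlen($key) * 8 . 'bits)'` prints e.g. "128bits)" for want of a space before "bits". Logging the var_export of $symmetricKey->type server-side is fine.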
diff -Nru simplesamlphp-1.9.1/lib/SimpleSAML/Configuration.php simplesamlphp-1.9.2/lib/SimpleSAML/Configuration.php
--- simplesamlphp-1.9.1/lib/SimpleSAML/Configuration.php	2012-08-02 08:28:37.000000000 +0200
+++ simplesamlphp-1.9.2/lib/SimpleSAML/Configuration.php	2012-08-29 11:16:57.000000000 +0200
@@ -5,7 +5,7 @@
  *
  * @author Andreas Aakre Solberg, UNINETT AS. <andreas.solberg@uninett.no>
  * @package simpleSAMLphp
- * @version $Id: Configuration.php 3136 2012-08-02 06:28:37Z olavmrk $
+ * @version $Id: Configuration.php 3152 2012-08-29 09:16:57Z jaimepc@gmail.com $
  */
 class SimpleSAML_Configuration {
 
@@ -295,7 +295,7 @@
 	 * @return string
 	 */
 	public function getVersion() {
-		return '1.9.1';
+		return '1.9.2';
 	}
 
 

--- End Message ---
--- Begin Message ---
On 2012-08-31 13:26, Thijs Kinkhorst wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
> 
> Hi,
> 
> Please unblock package simplesamlphp. It's a security-update only release
> that further tightens the screws on the security issue addressed in 1.9.1,
> after further discussion with the scientists who discovered the issue.
> 
> The debdiff is very simple.
> 
> Please
> unblock simplesamlphp/1.9.2.-1
> 
> 
> Thanks,
> Thijs

Unblocked, thanks.

~Niels

--- End Message ---
