A vulnerability in PySAML2 might allow remote attackers to bypass authentication.
Package | dev-python/pysaml2 on all architectures |
---|---|
Affected versions | < 4.0.2-r3, < 4.5.0 |
Unaffected versions | >= 4.0.2-r3, >= 4.5.0 |
Background
PySAML2 is a pure Python implementation of SAML2.
Description
It was found that PySAML2 relies on an assert statement to check the user's password. When the interpreter runs with optimizations enabled (the -O or -OO flag, or the PYTHONOPTIMIZE environment variable), Python strips assert statements from the compiled bytecode, so the password check is never performed.
Impact
A remote attacker could bypass authentication and access any application that uses PySAML2 for authentication.
Workaround
Run the application without Python optimizations enabled (no -O or -OO flag and no PYTHONOPTIMIZE in the environment).
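The following is an added example, not code from PySAML2 or from this advisory. It shows the pattern the advisory describes (a password check whose only enforcement is an assert) next to a hardened form that raises explicitly, and it compiles both at different optimization levels with `compile(..., optimize=...)`, which applies the same assert-stripping that `python -O` does. The function bodies and the password value are constructed for illustration and assume nothing about PySAML2's real source.

```python
"""Why an assert-based password check is unsafe under python -O.

Added example, not code from PySAML2 or from the advisory. Both verifier
bodies below are constructed illustrations; the password value is made up.
"""

# Constructed: the vulnerable pattern. The only thing between the caller and
# "authenticated" is an assert statement.
VULNERABLE_SRC = '''
def verify_password(supplied, expected):
    assert supplied == expected, "bad password"
    return True
'''

# Constructed: the hardened pattern. The check is an ordinary statement that
# raises, so it survives every optimization level, and the comparison is
# constant-time.
HARDENED_SRC = '''
import hmac
def verify_password(supplied, expected):
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        raise PermissionError("authentication failed")
    return True
'''


def build_verifier(source, optimize):
    """Compile `source` at the given level and return its verify_password().

    compile(..., optimize=1) performs the same transformation as `python -O`:
    assert statements are dropped from the bytecode and __debug__ is False.
    optimize=2 (python -OO) additionally drops docstrings.
    """
    namespace = {}
    code = compile(source, "<verifier>", "exec", optimize=optimize)
    exec(code, namespace)
    return namespace["verify_password"]


def accepts(source, supplied, expected, optimize=0):
    """True if the verifier built from `source` lets `supplied` through."""
    verify = build_verifier(source, optimize)
    try:
        return bool(verify(supplied, expected))
    except (AssertionError, PermissionError):
        return False


def running_optimized():
    """True when this interpreter itself was started with -O / PYTHONOPTIMIZE."""
    return not __debug__


if __name__ == "__main__":
    print("interpreter started with optimizations:", running_optimized())
    for level in (0, 1, 2):
        print(f"optimize={level}: vulnerable accepts wrong password ->",
              accepts(VULNERABLE_SRC, "wrong", "s3cret", level))
        print(f"optimize={level}: hardened accepts wrong password ->",
              accepts(HARDENED_SRC, "wrong", "s3cret", level))
```

With `optimize=0` the vulnerable verifier rejects a wrong password; with `optimize=1` or `2` the assert is gone and the same call returns True, which is the bypass. The hardened verifier rejects the wrong password at every level. Note that `-O` and `PYTHONOPTIMIZE` apply to every module the interpreter loads, including library code such as PySAML2, not just the application's own files, which is why the workaround is to disable optimizations for the whole process.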
Resolution
All PySAML2 4.0 users should upgrade to the latest version:

```sh
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-python/pysaml2-4.0.2-r3"
```

All PySAML2 4.5 users should upgrade to the latest version:

```sh
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-python/pysaml2-4.5.0"
```
Release date
January 11, 2018
Latest revision
January 12, 2018: 2
Severity
normal
Exploitable
remote
Bugzilla entries