
Ubuntu 24.10 USN-7309-1 Moderate: Ruby SAML Authentication Issue

February 28, 2025
Ubuntu has issued security updates for Ruby SAML that address flaws in its SAML authentication handling.

Summary

Several security issues were fixed in Ruby SAML.

Software Description:

- ruby-saml: SAML toolkit for Ruby on Rails

Details:

It was discovered that Ruby SAML did not properly validate SAML responses.
An unauthenticated attacker could use this vulnerability to log in as an
arbitrary user. This issue only affected Ubuntu 16.04 LTS. (CVE-2016-5697)

It was discovered that Ruby SAML incorrectly utilized the results of XML
DOM traversal and canonicalization APIs. An unauthenticated attacker could
use this vulnerability to log in as an arbitrary user. This issue only
affected Ubuntu 16.04 LTS. (CVE-2017-11428)

It was discovered that Ruby SAML did not properly verify the signature of
the SAML Response, allowing multiple elements with the same ID. An
unauthenticated attacker could use this vulnerability to log in as an
arbitrary user. (CVE-2024-45409)
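The CVE-2024-45409 entry above says the signature check accepted a document in which more than one element carried the same ID. A service provider can reject that shape before it ever reaches signature verification: resolve every `ds:Reference` URI of the form `#id` and require that the ID occurs exactly once. The following Ruby check is an added example written for this page; it is not part of this notice and not code from the ruby-saml project. It uses only the standard-library REXML parser, the two XML documents are constructed fixtures (the signature values are placeholders), and it assumes the usual SAML 2.0 protocol/assertion namespaces with an enveloped XML DSig. It is a pre-filter, not a replacement for installing the fixed package.

```ruby
require 'rexml/document'
require 'rexml/xpath'

# Namespace of XML Digital Signature elements (ds:Signature, ds:Reference, ...).
DS_NS = 'http://www.w3.org/2000/09/xmldsig#'.freeze

# Constructed fixture: one signed assertion, every ID unique.
CLEAN_RESPONSE = <<~XML.freeze
  <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_resp1">
    <saml:Assertion ID="_a1">
      <saml:Subject><saml:NameID>user-a</saml:NameID></saml:Subject>
      <ds:Signature>
        <ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>
        <ds:SignatureValue>placeholder-not-a-real-signature</ds:SignatureValue>
      </ds:Signature>
    </saml:Assertion>
  </samlp:Response>
XML

# Constructed fixture: the ID named by ds:Reference occurs on two assertions,
# so "the signed element" is ambiguous. A checker must reject this shape.
AMBIGUOUS_RESPONSE = <<~XML.freeze
  <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_resp1">
    <saml:Assertion ID="_a1">
      <saml:Subject><saml:NameID>user-a</saml:NameID></saml:Subject>
      <ds:Signature>
        <ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>
        <ds:SignatureValue>placeholder-not-a-real-signature</ds:SignatureValue>
      </ds:Signature>
    </saml:Assertion>
    <saml:Assertion ID="_a1">
      <saml:Subject><saml:NameID>user-b</saml:NameID></saml:Subject>
    </saml:Assertion>
  </samlp:Response>
XML

# IDs named by every ds:Reference whose URI is a same-document fragment ("#id").
def referenced_ids(doc)
  REXML::XPath.match(doc, '//ds:Reference', 'ds' => DS_NS).filter_map do |ref|
    uri = ref.attributes['URI'].to_s
    uri[1..] if uri.start_with?('#')
  end
end

# How many elements (any namespace) carry each ID attribute value.
def id_counts(doc)
  counts = Hash.new(0)
  REXML::XPath.each(doc, '//*[@ID]') { |el| counts[el.attributes['ID']] += 1 }
  counts
end

# Returns a list of findings; an empty list means every signed ID is unique
# and present, so signature verification has an unambiguous target.
def check_signed_ids(xml)
  doc = REXML::Document.new(xml)
  counts = id_counts(doc)
  refs = referenced_ids(doc)
  findings = []
  findings << 'no ds:Reference with a same-document URI' if refs.empty?
  refs.each do |id|
    n = counts[id]
    findings << "referenced ID #{id} is missing" if n.zero?
    findings << "referenced ID #{id} appears #{n} times" if n > 1
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  { 'clean' => CLEAN_RESPONSE, 'ambiguous' => AMBIGUOUS_RESPONSE }.each do |name, xml|
    findings = check_signed_ids(xml)
    puts "#{name}: #{findings.empty? ? 'OK' : findings.join('; ')}"
  end
end
```

The check counts every element with an `ID` attribute, not just assertions, because the reference resolver in a signature library may pick any element in the document; uniqueness must hold document-wide for the signed element to be well defined.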

Update Instructions

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.10
   ruby-saml                       1.15.0-1ubuntu0.24.10.1

Ubuntu 24.04 LTS
   ruby-saml                       1.15.0-1ubuntu0.24.04.1

Ubuntu 22.04 LTS
   ruby-saml                       1.13.0-1ubuntu0.1

Ubuntu 20.04 LTS
   ruby-saml                       1.11.0-1ubuntu0.1

Ubuntu 18.04 LTS
   ruby-saml                       1.7.2-1ubuntu0.1~esm1
                                   Available with Ubuntu Pro

Ubuntu 16.04 LTS
   ruby-saml                       1.1.2-1ubuntu1+esm1
                                   Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.
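To confirm that the installed ruby-saml package is at or above the fixed version for a given release, the version strings above have to be compared with Debian package ordering (where `~esm1` sorts below the plain revision and `+esm1` sorts above it), not as plain strings or Ruby gem versions. The following Ruby script is an added example for this page, not part of the notice or of Ubuntu's tooling: it re-implements dpkg's version ordering rules so it runs on any host, reads the installed version with `dpkg-query -W -f='${Version}'` when dpkg is present, and compares it against the per-release table from this notice. Treat the re-implementation as an assumption that mirrors dpkg; on an Ubuntu host `dpkg --compare-versions` remains the authoritative check.

```ruby
# Fixed ruby-saml versions from USN-7309-1, keyed by Ubuntu release.
FIXED_RUBY_SAML = {
  '24.10' => '1.15.0-1ubuntu0.24.10.1',
  '24.04' => '1.15.0-1ubuntu0.24.04.1',
  '22.04' => '1.13.0-1ubuntu0.1',
  '20.04' => '1.11.0-1ubuntu0.1',
  '18.04' => '1.7.2-1ubuntu0.1~esm1',
  '16.04' => '1.1.2-1ubuntu1+esm1',
}.freeze

DIGIT = /\A[0-9]\z/

# Sort weight of one character under dpkg's rules: "~" sorts before anything,
# even the end of the string; end of string before letters; letters before
# every other non-digit character.
def dpkg_char_weight(c)
  return 0 if c.nil? || c =~ DIGIT
  return -1 if c == '~'
  return c.ord if c =~ /\A[A-Za-z]\z/
  c.ord + 256
end

# Compare two upstream-version or revision fragments the way dpkg does:
# alternate between non-digit runs (by character weight) and digit runs
# (numerically, leading zeros ignored).
def dpkg_fragment_cmp(a, b)
  i = j = 0
  while i < a.length || j < b.length
    first_diff = 0
    while (i < a.length && a[i] !~ DIGIT) || (j < b.length && b[j] !~ DIGIT)
      wa = dpkg_char_weight(a[i])
      wb = dpkg_char_weight(b[j])
      return wa <=> wb if wa != wb
      i += 1
      j += 1
    end
    i += 1 while a[i] == '0'
    j += 1 while b[j] == '0'
    while a[i].to_s =~ DIGIT && b[j].to_s =~ DIGIT
      first_diff = a[i].ord - b[j].ord if first_diff == 0
      i += 1
      j += 1
    end
    return 1 if a[i].to_s =~ DIGIT     # a has more digits: numerically larger
    return -1 if b[j].to_s =~ DIGIT
    return first_diff <=> 0 if first_diff != 0
  end
  0
end

# Split "[epoch:]upstream[-revision]"; the revision follows the last hyphen.
def split_dpkg_version(v)
  epoch, rest = v.include?(':') ? v.split(':', 2) : ['0', v]
  if rest.include?('-')
    cut = rest.rindex('-')
    [epoch.to_i, rest[0...cut], rest[cut + 1..]]
  else
    [epoch.to_i, rest, '']
  end
end

# -1, 0 or 1, like dpkg --compare-versions lt/eq/gt.
def dpkg_version_cmp(a, b)
  ea, ua, ra = split_dpkg_version(a)
  eb, ub, rb = split_dpkg_version(b)
  return ea <=> eb if ea != eb
  c = dpkg_fragment_cmp(ua, ub)
  return c if c != 0
  dpkg_fragment_cmp(ra, rb)
end

# True when the installed version is at or above the fix for that release.
def ruby_saml_fixed?(installed, release)
  dpkg_version_cmp(installed, FIXED_RUBY_SAML.fetch(release)) >= 0
end

# Installed version via dpkg-query on a Debian-based host; nil elsewhere or
# when the package is absent, so the rest of the script stays usable offline.
def installed_ruby_saml_version
  out = `dpkg-query -W -f='${Version}' ruby-saml 2>/dev/null`
  $?.success? && !out.empty? ? out.strip : nil
rescue Errno::ENOENT
  nil
end

if __FILE__ == $PROGRAM_NAME
  release = ARGV[0] || '24.04'                   # e.g. ruby check.rb 22.04
  installed = ARGV[1] || installed_ruby_saml_version
  if installed.nil?
    puts 'ruby-saml not installed or dpkg-query unavailable'
  else
    state = ruby_saml_fixed?(installed, release) ? 'fixed' : 'BELOW fixed version'
    puts "ruby-saml #{installed} on Ubuntu #{release}: #{state}"
  end
end
```

Pass the release and, optionally, a version string on the command line to evaluate a version taken from another host's inventory without running dpkg there.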

References

https://ubuntu.com/security/notices/USN-7309-1

  CVE-2016-5697, CVE-2017-11428, CVE-2024-45409

Ubuntu Security Notice USN-7309-1

Package Information
