Several security issues were fixed in Ruby SAML.
Software Description:
- ruby-saml: SAML toolkit for Ruby on Rails
Details:
It was discovered that Ruby SAML did not properly validate SAML responses.
An unauthenticated attacker could use this vulnerability to log in as an
abitrary user. This issue only affected Ubuntu 16.04 LTS. (CVE-2016-5697)
It was discovered that Ruby SAML incorrectly utilized the results of XML
DOM traversal and canonicalization APIs. An unauthenticated attacker could
use this vulnerability to log in as an abitrary user. This issue only
affected Ubuntu 16.04 LTS. (CVE-2017-11428)
It was discovered that Ruby SAML did not properly verify the signature of
the SAML Response, allowing multiple elements with the same ID. An
unauthenticated attacker could use this vulnerability to log in as an
abitrary user. (CVE-2024-45409)
The problem can be corrected by updating your system to the following package versions: Ubuntu 24.10 ruby-saml 1.15.0-1ubuntu0.24.10.1 Ubuntu 24.04 LTS ruby-saml 1.15.0-1ubuntu0.24.04.1 Ubuntu 22.04 LTS ruby-saml 1.13.0-1ubuntu0.1 Ubuntu 20.04 LTS ruby-saml 1.11.0-1ubuntu0.1 Ubuntu 18.04 LTS ruby-saml 1.7.2-1ubuntu0.1~esm1 Available with Ubuntu Pro Ubuntu 16.04 LTS ruby-saml 1.1.2-1ubuntu1+esm1 Available with Ubuntu Pro In general, a standard system update will make all the necessary changes.
https://ubuntu.com/security/notices/USN-7309-1
CVE-2016-5697, CVE-2017-11428, CVE-2024-45409
Get the latest Linux and open source security news straight to your inbox.