OpenConext critical security update

Bart Geesink

Nov 7, 2019, 3:45:34 PM11/7/19
to openc...@googlegroups.com
Hi all,

As some of you might have heard already, a critical security issue has been identified in
XMLSecLibs, a PHP library that handles XML signatures. CVE-2019-3465 has been assigned to this
vulnerability. This library is used in several OpenConext applications: Engineblock, Profile, and
the applications from the Stepup stack: Stepup-Gateway, Stepup-SelfService, Stepup-RA, Stepup-tiqr
and Stepup-Middleware. The last two applications have the library but are not vulnerable to attack.
A full description of the vulnerability can be found here:
https://www.hackmanit.de/en/blog-en/82-xml-signature-validation-bypass-in-simplesamlphp-and-xmlseclibs

You are strongly advised to update as soon as possible. The following versions have been made
available already:
engineblock 5.13.3 (please check
https://github.com/OpenConext/OpenConext-engineblock/blob/master/UPGRADING.md if you are still on
5.11 or below)
profile 1.2.3
Stepup-SelfService 3.0.1
Stepup-RA 3.0.1
Stepup-Middleware 3.0.2
Stepup-Tiqr 2.1.15

We are working to release updated versions of all affected applications as soon as possible and
expect to have these ready tomorrow. An alternative way to fix the issue is to replace
/vendor/robrichards/xmlseclibs/src/XMLSecurityDSig.php in the affected applications by the version
that contains the fix (see:
https://github.com/robrichards/xmlseclibs/commit/0a53d3c3aa87564910cae4ed01416441d3ae0db5#diff-05b92a58f22f944cfd5da0e057d4563b)


If you have any questions, feel free to contact this list.

Regards,
Bart

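A quick way to find out which deployments still carry the affected library, as an added example that is not part of Bart's message or of the OpenConext project: the script below reads a Composer lock file (composer.lock, or vendor/composer/installed.json in either of its two layouts) and reports whether the locked "robrichards/xmlseclibs" version predates the fix. The fixed release number is an assumption on my part (3.0.4, taken from the library's own release history; confirm it against the commit linked above), and the sample lock fragment is constructed for the example. Note that the announcement says Stepup-tiqr and Stepup-Middleware contain the library without being exploitable, so a hit from this check means "update per the list above", not necessarily "exploitable".

```python
"""Report whether a Composer-managed PHP application still pins a pre-fix xmlseclibs.

Added example, not code from the original announcement or from OpenConext.
Assumptions (not stated in the announcement): the first xmlseclibs release
containing the CVE-2019-3465 fix is 3.0.4, and the application ships a
Composer lock file listing the package as "robrichards/xmlseclibs".
"""
import json
import re
import sys
from pathlib import Path
from typing import Optional, Tuple

PACKAGE = "robrichards/xmlseclibs"
FIXED_VERSION = "3.0.4"  # assumption: first release that contains the fix


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn 'v3.0.3' or '3.0.3' into a comparable (major, minor, patch) tuple.

    Non-numeric suffixes such as '3.0.3-beta1' are ignored for the comparison;
    missing components are treated as 0.
    """
    parts = []
    for piece in version.strip().lstrip("vV").split(".")[:3]:
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    while len(parts) < 3:
        parts.append(0)
    return parts[0], parts[1], parts[2]


def installed_version(lock_json: str) -> Optional[str]:
    """Return the locked xmlseclibs version string, or None when it is not installed.

    composer.lock uses {"packages": [...], "packages-dev": [...]};
    vendor/composer/installed.json is either a bare list of packages (Composer 1)
    or {"packages": [...]} (Composer 2).
    """
    data = json.loads(lock_json)
    if isinstance(data, list):
        packages = data
    else:
        packages = list(data.get("packages", [])) + list(data.get("packages-dev", []))
    for pkg in packages:
        if pkg.get("name") == PACKAGE:
            return pkg.get("version")
    return None


def is_vulnerable(version: Optional[str]) -> bool:
    """True when the library is present and older than FIXED_VERSION.

    Branch aliases such as 'dev-master' carry no release number, so they are
    conservatively reported as affected and should be checked by hand.
    """
    if version is None:
        return False
    if not re.match(r"^v?\d", version.strip()):
        return True
    return parse_version(version) < parse_version(FIXED_VERSION)


def check_lock_file(path: Path) -> bool:
    """Convenience wrapper: read a lock file from disk and evaluate it."""
    return is_vulnerable(installed_version(path.read_text(encoding="utf-8")))


# Constructed sample composer.lock fragment; not taken from any real deployment.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "symfony/symfony", "version": "v3.4.31"},
        {"name": "robrichards/xmlseclibs", "version": "3.0.3"},
    ],
    "packages-dev": [],
})


if __name__ == "__main__":
    # Usage: python check_xmlseclibs.py /opt/engineblock/composer.lock /opt/profile/composer.lock ...
    targets = [Path(p) for p in sys.argv[1:]] or []
    if not targets:
        print("sample lock:", "AFFECTED" if is_vulnerable(installed_version(SAMPLE_LOCK)) else "ok")
    for target in targets:
        found = installed_version(target.read_text(encoding="utf-8"))
        status = "AFFECTED" if is_vulnerable(found) else "ok"
        print(f"{target}: {PACKAGE} {found or 'not installed'} -> {status}")
```

Run it against the composer.lock of each Engineblock, Profile and Stepup installation; anything reported as AFFECTED should be taken to the application versions listed above, or have XMLSecurityDSig.php replaced with the fixed file as the announcement describes. The check only looks at the lock file, so a vendor directory that was patched by hand will still be reported until the lock file is regenerated.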