Critical security vulnerability for SimpleSAMLphp as service provider CVE-2019-3465

Will there be a patch to this for the Drupal 7 version of this module?

The issue may not apply to 1.16.x

Is this based on some inside knowledge / theorizing that it's a problem introduced in 1.17.x?

I have been notified directly from the maintainers of SimpleSAMLphp. The issue is focused on SimpleSAMLphp running in SP mode. It's not an issue with the simplesamlphp_auth module itself.

> The issue may not apply to 1.16.x

Thanks for the heads up. This is indeed quite important, as the 7.x version, which I don't maintain, doesn't support 1.17 yet. So updating D7 sites is going to be trickier.

I guess this can't be disclosed yet in advance. As a note to all D8 users, make sure you update to 3.1, which (only) supports the 1.17 version.

SimpleSAMLphp 1.17.7, with the fix for CVE 2019-3465, has just been released. The issue is in the xmlseclibs library used by SimpleSAMLphp. SimpleSAMLphp versions that use this library, including 1.16.x, are affected. If you can't update SimpleSAMLphp, you can patch xmlseclibs manually.

Do we know what the highest supported version for D7 is? Anything 1.16.x?

Right, but there is no fix in SimpleSAMLphp itself, it its release just updates the bundled dependencies? And if you install it through composer, which is the recommended approach IMHO on D8 (if your infrastructure can handle that), the you just need to update that specific dependency, I think?

> Do we know what the highest supported version for D7 is? Anything 1.16.x?

I think so. See #2953991: Warning because of changes in SimpleSAMLphp

Yes, the fix in SimpleSAMLphp was to update its xmlseclibs dependency which is included via the simplesamlphp/saml2 library.

For composer projects adding "robrichards/xmlseclibs": "^3.0.4", to the required packages in the composer.json of your project and then doing a "composer update" to update composer lockfile should force an updated xmlseclibs to be used, even when using an older SimpleSAMLphp.

The best fix is to ensure that you are using a current (i.e. 1.17.x) simplesamlphp IMO.

Any idea how critical this is? Could users with no login credentials exploit this?

According to https://groups.google.com/forum/#!msg/simplesamlphp-announce/J2U2Z0vFY6U... the details are embargoed until 2019-11-07 at "around 2 CET".. If that's Central European Time .. I think that means 13:00 UTC. We just did our annual clock changes in the US so not sure if any other offsets are needed.

All I needed to do to update was this:

composer require 'robrichards/xmlseclibs:3.0.4'
composer require 'simplesamlphp/simplesamlphp:1.17.7'

Note .. This doesn't change the constraints in this module's composer.json file.

Simply updating this module and its dependencies was enough for me.

composer update drupal/simplesamlphp_auth --with-dependencies

Adding additional requirement is unnecessary, they are managed by the module itself.

Hi Joseph,

You are correct, but the composer.json of the module also does not limit the upper version, so a clean install would also install the latest version of all the modules requirement.
Overlapping module requirements with a limited upper version however, will limit it.

I don't see the problems with my solution.

However, only updating the packages, as you mentioned, does introduce issues since, robrichards/xmlseclibs is a requirement of simplesamlphp/saml2 which is a dependency of simplesamlphp/simplesamlphp, so I'm missing the full update in your solution.

Regarding my comment earlier -- absolutely it would need to be unpinned later on.

The maintainer still thinks the the only thing that you have to update is robrichards/xmlseclibs, so composer update robrichards/xmlseclibs. all other changes in simplesamlphp/simplesamlphp and simplesamlphp/saml2 are unrelated bugfixes that ended up in those releases. You can see that all other changes in saml2 are from august/july for example.

Require ^1.17.7 and doing a new release is an option if someone wants to write a patch, but it's not required. Unlike simplesamlphp/simplesamlphp, we don't offer any bundled downloads that contain the vulnerable dependency and sites are responsible to update their composer dependencies.

https://www.drupal.org/psa-2019-09-04 explains that pretty clearly :)

I'm setting this back to active in case someone wants to propose a patch with that, but it won't help *that* much unless I would also release it as a security fix, which needs to be vetted by the security team. And that in turn wouldn't help those that don't have the dependency installed with composer :)

This is not my issue to play with, but could we delete the following prominent-ish information near the top of the original issue message, which feels misleading?

The issue may not apply to 1.16.x

We have every reason to believe that it does apply to 1.16.x because

• It's in xmlseclibs, not simplesamlphp.
• The SimpleSAMLphp maintainers, in their original pre-announcement two days ago, encouraged everyone to 1.17.6 in order to be able to patch quickly. They wouldn't have done that if 1.16 wasn't vulnerable, I think.
• No info have been given to support the above statement.

Absolutely, please remove it :)

OK.

I made a crude addition to the bottom of the original message. Feel free to add more info because I'm not testing an upgrade path. My issue is I'm not a user of the simplesamlphp_auth module, I just came here from a related issue.

I hope the D7 version did already pull in v3.0.3 of the xmlseclibs library, because then the changes to v3.0.4 (https://github.com/robrichards/xmlseclibs/commits/master) look really innocuous and people should just update the library.

We raised the min version now in #3097283: Allow updating to SimpleSAMLphp 1.18 and higher to fix security problem 201911-02