Bug 1392829 (CVE-2016-8638)
| Field | Value |
|---|---|
| Summary | CVE-2016-8638 ipsilon: DoS via logging out all open SAML2 sessions |
| Product | [Other] Security Response |
| Reporter | Adam Mariš <amaris> |
| Component | vulnerability |
| Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED ERRATA |
| QA Contact | |
| Severity | high |
| Docs Contact | |
| Priority | high |
| Version | unspecified |
| CC | cbuissar, grocha, ksiddiqu, psampaio, puiterwijk, rcritten, security-response-team |
| Target Milestone | --- |
| Keywords | Security |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Whiteboard | |
| Fixed In Version | |
| Doc Type | If docs needed, set a value |
| Doc Text | A vulnerability was found in ipsilon in the SAML2 provider's handling of sessions. An attacker able to hit the logout URL could determine what service providers other users are logged in to and terminate their sessions. |
| Story Points | --- |
| Clone Of | |
| Environment | |
| Last Closed | 2016-11-21 13:36:27 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | 1394116, 1394117, 1396973 |
| Bug Blocks | 1392831 |
| Attachments | |
Description

Adam Mariš, 2016-11-08 10:34:27 UTC

Acknowledgments: Name: Patrick Uiterwijk (Red Hat), Howard Johnson

Created attachment 1218514 [details]
Upstream patch

Created ipsilon tracking bugs for this issue: Affects: fedora-all [bug 1396973]

This issue has been addressed in the following products: Red Hat Enterprise Linux 7 via RHSA-2016:2809 https://rhn.redhat.com/errata/RHSA-2016-2809.html

*** Bug 1526610 has been marked as a duplicate of this bug. ***