Bug 1392829 - CVE-2016-8638 ipsilon: DoS via logging out all open SAML2 sessions
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
Version: unspecified
Platform: All Linux
Priority: high  Severity: high
Assigned To: Red Hat Product Security
Whiteboard: impact=important,public=20161121,repo...
Keywords: Security
Duplicates: 1526610
Depends On: 1394116 1394117 1396973
Blocks: 1392831
Reported: 2016-11-08 05:34 EST by Adam Mariš
Modified: 2017-12-19 08:32 EST (History)

Doc Text:
A vulnerability was found in ipsilon in the SAML2 provider's handling of sessions. An attacker able to hit the logout URL could determine what service providers other users are logged in to and terminate their sessions.
Last Closed: 2016-11-21 08:36:27 EST
Attachments
Upstream patch (8.61 KB, patch), 2016-11-08 07:34 EST, Adam Mariš
External Trackers
Red Hat Product Errata RHSA-2016:2809 (priority normal, status SHIPPED_LIVE): Important: ipsilon security update, last updated 2016-11-21 11:22:07 EST
Description Adam Mariš 2016-11-08 05:34:27 EST
Description
===========

A vulnerability in ipsilon was found that allows an attacker to log out the active
sessions of other users. This issue is related to how it tracks sessions, and
allows an unauthenticated attacker to view and terminate the active sessions of
other users.


Affected versions
=================

All versions of Ipsilon 2.0 before 2.0.2 are vulnerable.
All versions of Ipsilon 1.2 before 1.2.1 are vulnerable.
All versions of Ipsilon 1.1 before 1.1.2 are vulnerable.
All versions of Ipsilon 1.0 before 1.0.3 are vulnerable.

Reference
=========
https://ipsilon-project.org/advisory/CVE-2016-8638.txt

Upstream patch
==============
https://pagure.io/ipsilon/c/511fa8b7001c2f9a42301aa1d4b85aaf170a461c
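The session-tracking flaw class described above, as an added example that is not part of the original report and is not ipsilon's code: a SAML2 logout endpoint on the IdP that enumerates and terminates every tracked service-provider session in the store, beside a hardened version scoped to the sessions bound to the caller's own authenticated session. The SessionStore layout, the function names and the sample users, cookies and provider URLs are assumptions made for the illustration.

```python
"""Illustrative model of the session-tracking flaw behind CVE-2016-8638.

Added example for this page; it is not ipsilon's code.  The SessionStore
layout, the function names and the sample users/providers are assumptions
chosen to show the flaw class: a SAML2 logout endpoint on the IdP that
enumerates and terminates every tracked SP session instead of only the
ones bound to the caller's own authenticated session.
"""
from dataclasses import dataclass, field


@dataclass
class SpSession:
    user: str       # principal the IdP authenticated
    provider: str   # SAML2 service provider entity ID
    index: str      # SessionIndex the IdP issued to that SP


@dataclass
class SessionStore:
    # Maps the IdP session cookie to the SP sessions established under it.
    sessions: dict = field(default_factory=dict)

    def login(self, cookie, user, provider, index):
        self.sessions.setdefault(cookie, []).append(SpSession(user, provider, index))

    def active(self):
        """All (user, provider) pairs still logged in, sorted for stable comparison."""
        return sorted((s.user, s.provider) for v in self.sessions.values() for s in v)


def logout_vulnerable(store, cookie):
    """Flawed handler: acts on the whole store, not on the caller's session.

    Any request to the logout URL, even one carrying an unknown cookie,
    learns every user's list of service providers and terminates all of
    them: the information leak plus denial of service the report describes.
    """
    terminated = store.active()
    store.sessions.clear()
    return terminated


def logout_fixed(store, cookie, session_index=None):
    """Hardened handler: scoped to the sessions bound to the caller's cookie.

    With no session_index (IdP-initiated logout) every SP session of the
    caller is ended.  With a SessionIndex taken from an SP-initiated
    LogoutRequest, only that SP session is ended, and an index that does
    not belong to the caller is ignored rather than honoured.
    """
    own = store.sessions.get(cookie)
    if own is None:
        return []   # unauthenticated or unknown caller: nothing to log out
    if session_index is None:
        del store.sessions[cookie]
        return sorted((s.user, s.provider) for s in own)
    keep = [s for s in own if s.index != session_index]
    gone = [s for s in own if s.index == session_index]
    if keep:
        store.sessions[cookie] = keep
    else:
        del store.sessions[cookie]
    return sorted((s.user, s.provider) for s in gone)


def build_sample_store():
    """Constructed sample data: two users logged in to three SPs in total."""
    store = SessionStore()
    store.login("cookie-alice", "alice", "https://sp-a.example/saml", "idx-a1")
    store.login("cookie-alice", "alice", "https://sp-b.example/saml", "idx-a2")
    store.login("cookie-bob", "bob", "https://sp-c.example/saml", "idx-b1")
    return store


if __name__ == "__main__":
    s = build_sample_store()
    print("vulnerable, attacker cookie:", logout_vulnerable(s, "cookie-attacker"))
    s = build_sample_store()
    print("fixed, attacker cookie:", logout_fixed(s, "cookie-attacker"))
    print("fixed, alice's cookie:", logout_fixed(s, "cookie-alice"))
    print("still active:", s.active())
```

The check a practitioner wants from the hardened form is the negative case: a caller whose cookie is not in the store, or who supplies another user's SessionIndex, gets an empty result and changes nothing, while the legitimate owner can still end one SP session or all of them.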
Comment 1 Adam Mariš 2016-11-08 05:34:33 EST
Acknowledgments:

Name: Patrick Uiterwijk (Red Hat), Howard Johnson
Comment 2 Adam Mariš 2016-11-08 07:34 EST
Created attachment 1218514 [details]
Upstream patch
Comment 8 Cedric Buissart 2016-11-21 05:09:19 EST
Created ipsilon tracking bugs for this issue:

Affects: fedora-all [bug 1396973]
Comment 9 errata-xmlrpc 2016-11-21 06:22:32 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:2809 https://rhn.redhat.com/errata/RHSA-2016-2809.html
Comment 10 Pedro Sampaio 2017-12-18 08:21:04 EST
*** Bug 1526610 has been marked as a duplicate of this bug. ***
