Affected versions of this package are vulnerable to Signature Validation Bypass. A remote attacker can construct a crafted SAML assertion on behalf of an Identity Provider that would pass as cryptographically valid, thereby allowing them to impersonate a user from that Identity Provider, aka a key confusion issue.
Created php-simplesamlphp-saml2 tracking bugs for this issue:
Affects: fedora-all [bug 1553358]
Affects: epel-all [bug 1553359]
All dependent bugs are closed. Please close.