From 1bc447f297b769d1a9abeb619ce074bd9c410a72 Mon Sep 17 00:00:00 2001 From: Sixto Martin Date: Tue, 10 Sep 2024 19:15:42 +0200 Subject: [PATCH] Release 1.17.0 --- CHANGELOG.md | 6 +++++- README.md | 2 ++ lib/onelogin/ruby-saml/version.rb | 2 +- lib/xml_security.rb | 3 ++- 4 files changed, 10 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 6acaa0de..e1f49999 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,7 @@ # Ruby SAML Changelog -### 1.17.0 +### 1.17.0 (Sep 10, 2024) +* Fix for critical vulnerability CVE-2024-45409: SAML authentication bypass via Incorrect XPath selector * [#687](https://github.com/SAML-Toolkits/ruby-saml/pull/687) Add CI coverage for Ruby 3.3 and Windows. * [#673](https://github.com/SAML-Toolkits/ruby-saml/pull/673) Add `Settings#sp_cert_multi` paramter to facilitate SP certificate and key rotation. * [#673](https://github.com/SAML-Toolkits/ruby-saml/pull/673) Support multiple simultaneous SP decryption keys via `Settings#sp_cert_multi` parameter. @@ -39,6 +40,9 @@ * Add warning about the use of IdpMetadataParser class and SSRF * CI: Migrate from Travis to Github Actions +### 1.12.3 (Sep 10, 2024) +* Fix for critical vulnerability CVE-2024-45409: SAML authentication bypass via Incorrect XPath selector + ### 1.12.2 (Apr 08, 2021) * [#575](https://github.com/onelogin/ruby-saml/pull/575) Fix SloLogoutresponse bug on LogoutRequest diff --git a/README.md b/README.md index 0a855cff..7a245b2c 100644 --- a/README.md +++ b/README.md @@ -7,6 +7,8 @@ Ruby SAML minor and tiny versions may introduce breaking changes. Please read [UPGRADING.md](UPGRADING.md) for guidance on upgrading to new Ruby SAML versions. +There is a critical vulnerability affecting ruby-saml < 1.17.0 (CVE-2024-45409). Make sure you are using an updated version. (1.12.3 is safe) + ## Overview The Ruby SAML library is for implementing the client side of a SAML authorization, diff --git a/lib/onelogin/ruby-saml/version.rb b/lib/onelogin/ruby-saml/version.rb index 0f2da263..4c26fcbc 100644 --- a/lib/onelogin/ruby-saml/version.rb +++ b/lib/onelogin/ruby-saml/version.rb @@ -1,5 +1,5 @@ module OneLogin module RubySaml - VERSION = '1.16.0' + VERSION = '1.17.0' end end diff --git a/lib/xml_security.rb b/lib/xml_security.rb index f731d464..0db0623b 100644 --- a/lib/xml_security.rb +++ b/lib/xml_security.rb @@ -316,6 +316,7 @@ def validate_signature(base64_cert, soft = true) "./ds:SignedInfo", { "ds" => DSIG } ) + # get inclusive namespaces inclusive_namespaces = extract_inclusive_namespaces @@ -325,7 +326,7 @@ def validate_signature(base64_cert, soft = true) reference_nodes = document.xpath("//*[@ID=$id]", nil, { 'id' => extract_signed_element_id }) if reference_nodes.length > 1 # ensures no elements with same ID to prevent signature wrapping attack. - return append_error("Digest Mismatch", soft) + return append_error("Digest mismatch. Duplicated ID found", soft) end hashed_element = reference_nodes[0]