[security] Consider upgrading mellon for Bionic to be able to change signature method (sha1 is used by default)
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| libapache2-mod-auth-mellon (Ubuntu) |
Confirmed
|
Undecided
|
Unassigned | ||
Bug Description
SHA1 is used as a SAML message signature method by default in lasso shipped with Bionic.
Mellon versions up to 0.13.1 (bionic) do not expose MellonSignature
As of 0.14.0 (Cosmic) MellonSignature
https:/
https:/
There is a discussion here https:/
Typically SAML messages are signed to avoid tampering by an intermediary (an HTTP client) while the transport of signed SAML messages is usually done over HTTPS.
Some identity providers started converting to using SHA256 by default, for example, contemporary versions of ADFS use SHA256 and we already ran into this in the field as we have to explicitly tell IdP operators to configure SHA1 to be accepted.
| Marc Deslauriers (mdeslaur) wrote | #1 |
| Dmitrii Shcherbakov (dmitriis) wrote | #2 |
| information type: | Private Security → Public Security |
| Changed in libapache2-mod-auth-mellon (Ubuntu): | |
| status: | New → Confirmed |
Can I make this bug public?
Switching the default algorithm in a stable release may not be an acceptable change. But, adding the code to be able to configure which algorithm to use seems acceptable to me.