Patch | Description | Author | Forwarded | Bugs | Origin | Last update |
---|---|---|---|---|---|---|
0001-Fix-signature-checking-on-unsigned-response-with-mul.patch | Fix signature checking on unsigned response with multiple assertions CVE-2021-28091: when AuthnResponse messages are not signed (which is permitted by the specification), all assertions' signatures should be checked, but currently after the first signed assertion is checked all following assertions are accepted without checking their signature, and the last one is considered the main assertion. This patch: * checks signatures from all assertions if the message is not signed, * refuses messages with assertions from different issuers than the one on the message, to prevent assertion bundling even if they are signed. | Benjamin Dauvergne <bdauvergne@entrouvert.com> | no | | | 2021-03-08 |
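The two checks the patch description lists, shown side by side with the pre-fix behaviour as an added example. This is not lasso's own code: it models only the structural policy (which assertions must be signature-checked, and which issuers are acceptable) over a parsed samlp:Response. Cryptographic verification of each ds:Signature is delegated to a caller-supplied callback; `demo_signature_ok`, the `build_response` helper, the issuer URLs and the NameIDs below are all constructed for the example.

```python
"""Structural SAML response checks modelled on the CVE-2021-28091 fix.

Added example, not lasso's code. `signature_ok` is a caller-supplied callback
(real deployments use XML-DSig verification); `demo_signature_ok` below is a
constructed stand-in so the policy logic runs offline.
"""
import xml.etree.ElementTree as ET
from typing import Callable, Optional, Tuple

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"

Verdict = Tuple[bool, Optional[str]]  # (accepted, NameID of the main assertion)


def _signature(elem) -> Optional[ET.Element]:
    return elem.find(f"{{{DS}}}Signature")


def _issuer(elem) -> str:
    return (elem.findtext(f"{{{SAML}}}Issuer") or "").strip()


def _name_id(assertion) -> Optional[str]:
    return assertion.findtext(f"{{{SAML}}}Subject/{{{SAML}}}NameID")


def check_response_vulnerable(xml_text: str, signature_ok: Callable) -> Verdict:
    """Pre-fix logic: for an unsigned Response, stop after the first signed
    assertion verifies; later assertions are never checked, and the last
    assertion in the message is treated as the main one."""
    root = ET.fromstring(xml_text)
    assertions = root.findall(f"{{{SAML}}}Assertion")
    if not assertions:
        return False, None
    if _signature(root) is not None:
        return (True, _name_id(assertions[-1])) if signature_ok(root) else (False, None)
    for assertion in assertions:
        if _signature(assertion) is not None:
            if not signature_ok(assertion):
                return False, None
            return True, _name_id(assertions[-1])  # remaining assertions skipped
    return False, None


def check_response_fixed(xml_text: str, signature_ok: Callable) -> Verdict:
    """Post-fix logic: every assertion's Issuer must equal the Response Issuer
    (no bundling of a foreign assertion, signed or not), and when the Response
    itself is unsigned every assertion must carry a valid signature."""
    root = ET.fromstring(xml_text)
    assertions = root.findall(f"{{{SAML}}}Assertion")
    if not assertions:
        return False, None
    response_issuer = _issuer(root)
    if any(_issuer(a) != response_issuer for a in assertions):
        return False, None
    if _signature(root) is not None:
        return (True, _name_id(assertions[-1])) if signature_ok(root) else (False, None)
    for assertion in assertions:
        if _signature(assertion) is None or not signature_ok(assertion):
            return False, None
    return True, _name_id(assertions[-1])


# --- constructed test data (hypothetical issuers, subjects and signatures) ---

def demo_signature_ok(elem) -> bool:
    """Constructed stand-in for XML-DSig verification: a signature counts as
    valid when its SignatureValue is the literal VALID."""
    sig = _signature(elem)
    return sig is not None and sig.findtext(f"{{{DS}}}SignatureValue") == "VALID"


def _assertion_xml(issuer: str, name_id: str, signed: bool) -> str:
    sig = (f'<ds:Signature xmlns:ds="{DS}"><ds:SignatureValue>VALID'
           '</ds:SignatureValue></ds:Signature>') if signed else ""
    return (f'<saml:Assertion xmlns:saml="{SAML}"><saml:Issuer>{issuer}</saml:Issuer>'
            f'{sig}<saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>'
            '</saml:Assertion>')


def build_response(issuer: str, assertions: str) -> str:
    """Unsigned samlp:Response wrapping the given assertion markup (constructed)."""
    return (f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}">'
            f'<saml:Issuer>{issuer}</saml:Issuer>{assertions}</samlp:Response>')


IDP = "https://idp.example"
# One properly signed assertion: accepted by both versions.
GOOD = build_response(IDP, _assertion_xml(IDP, "alice", True))
# Signed assertion followed by an unsigned one: the old logic never checks the
# second assertion and hands back "admin" as the main subject.
FORGED_TAIL = build_response(IDP, _assertion_xml(IDP, "alice", True)
                             + _assertion_xml(IDP, "admin", False))
# Both signed, but the second comes from another issuer (assertion bundling).
BUNDLED = build_response(IDP, _assertion_xml(IDP, "alice", True)
                         + _assertion_xml("https://other-idp.example", "admin", True))

if __name__ == "__main__":
    for label, sample in (("good", GOOD), ("forged_tail", FORGED_TAIL), ("bundled", BUNDLED)):
        print(label, "vulnerable:", check_response_vulnerable(sample, demo_signature_ok),
              "fixed:", check_response_fixed(sample, demo_signature_ok))
```

Running the block shows the pre-fix path accepting both the forged tail and the bundled foreign assertion and returning "admin", while the fixed path rejects both and accepts only the properly signed single-issuer response. The issuer comparison runs before any signature check so that a bundled assertion is refused even when its own signature would verify, which is the second point in the patch description.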