auth_saml2 plugin critical security update

by Dan Marsden -

Just a friendly heads up for those that haven't seen it - SimpleSAMLphp released a critical security update yesterday, which we applied to the auth_saml2 plugin (the update is in the moodle.org plugins db too). All sites using auth_saml2 should update to the latest version ASAP.

Some more detail/reading for those interested:
https://simplesamlphp.org/security/201911-01
https://www.hackmanit.de/en/blog/82-xml-signature-validation-bypass-in-simplesamlphp-and-xmlseclibs

The actual patch in xmlseclibs:
https://github.com/robrichards/xmlseclibs/commit/0a53d3c3aa87564910cae4ed01416441d3ae0db5

In reply to Dan Marsden

Re: auth_saml2 plugin critical security update

by Dallas Ray Smetter -
I saw the update and chose it for my dev site... When I upload the plugin zip file, it hangs at admin/tool/installaddon/index.php?installzipcomponent=auth_saml2&installzipstorage=57c4c953-92c4-4c37-9abe-c3835fadaac1&sesskey=fqM5rzze4l on a white screen that only gives the message "Install plugin from ZIP file
Validating auth_saml2 ... " and it never completes. I'm using 3.8; perhaps I'm missing something? I could've sworn I have installed this plugin in the past, and loved it. Any help will be greatly appreciated!
In reply to Dallas Ray Smetter

Re: auth_saml2 plugin critical security update

by Ken Task -
Sounds like an ownership/permissions issue ... however, plan B?

Is the plugin this one?

https://github.com/catalyst/moodle-auth_saml2

Moodle 3.5 to 3.8 master 7.0+ v1.17.7

Install instructions using git on page above.

Or use manual from CLI ... if manual ...

When you unzip the zip, it creates a directory called moodle-auth_saml2-master, which I think should be renamed auth_saml2 ... after you hide the original directory ... mv auth_saml2 .auth_saml2

Then install via admin/cli/upgrade.php

'SoS', Ken
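The manual "plan B" above, scripted as an added example (not code from the thread or from the catalyst plugin project): it hides the previous copy, moves the unpacked checkout into place and runs the CLI upgrade. It assumes Moodle's standard layout, where the frankenstyle component auth_saml2 lives under auth/saml2 relative to the Moodle root, and that the checkout carries a version.php declaring that component.

```shell
#!/bin/sh
# Added example, not part of the thread or the plugin project: stage a manually
# unpacked auth_saml2 checkout into a Moodle tree with a few safety checks.
# Assumption: Moodle's standard layout, where auth_saml2 lives under auth/saml2.
set -eu

# Map a frankenstyle auth component name (auth_saml2) to its directory under the Moodle root.
component_dir() {
  case "$1" in
    auth_*) printf 'auth/%s\n' "${1#auth_}" ;;
    *) echo "only auth_* components are handled here: $1" >&2; return 1 ;;
  esac
}

# stage_plugin MOODLE_ROOT UNPACKED_DIR COMPONENT
# Moves the unpacked checkout (e.g. moodle-auth_saml2-master) into place after hiding the
# previous copy as a timestamped dot-directory (Ken's "mv auth_saml2 .auth_saml2"), and
# refuses to proceed unless the checkout has a version.php declaring that component.
stage_plugin() {
  root=$1; src=$2; component=$3
  rel=$(component_dir "$component") || return 1
  dest="$root/$rel"
  [ -f "$src/version.php" ] || { echo "no version.php in $src" >&2; return 1; }
  grep -q "component *= *'$component'" "$src/version.php" \
    || { echo "$src/version.php does not declare $component" >&2; return 1; }
  if [ -d "$dest" ]; then
    backup="$(dirname "$dest")/.$(basename "$dest").$(date +%Y%m%d%H%M%S)"
    mv "$dest" "$backup"
    echo "previous copy kept at $backup" >&2
  fi
  mv "$src" "$dest"
  printf '%s\n' "$dest"
}

# Finish the job the way Ken suggests: run the CLI upgrade, non-interactively.
run_upgrade() {
  php "$1/admin/cli/upgrade.php" --non-interactive
}

# Typical use (paths are placeholders):
#   stage_plugin /var/www/moodle ./moodle-auth_saml2-master auth_saml2 && run_upgrade /var/www/moodle
```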