CVE-2017-1000246

Published: 17 November 2017

Python package pysaml2 version 4.4.0 and earlier reuses the initialization vector across encryptions in the IDP server, resulting in weak encryption of data.

Priority

Negligible

CVSS 3 base score: 5.3

Status

Package: python-pysaml2 (Launchpad, Ubuntu, Debian)

Release                          Status
Upstream                         Released (4.5.0-f)
Ubuntu 21.10 (Impish Indri)      Not vulnerable (4.5.0+dfsg1-0ubuntu2)
Ubuntu 21.04 (Hirsute Hippo)     Not vulnerable (4.5.0+dfsg1-0ubuntu2)
Ubuntu 20.04 LTS (Focal Fossa)   Not vulnerable (4.5.0+dfsg1-0ubuntu2)
Ubuntu 18.04 LTS (Bionic Beaver) Needed
Ubuntu 16.04 ESM (Xenial Xerus)  Needed
Ubuntu 14.04 ESM (Trusty Tahr)   Does not exist

Notes

AuthorNote
tyhicks
The discussion in the GitHub issue explains why this isn't currently
an issue but could be in the future if new cipher modes are used.
