
backport recommended patch to DOMDocumentFactory.php #854

Open: wants to merge 1 commit into base: MOODLE_39_STABLE

Conversation

@dasistwas (Author)
Implement recommended fix from https://simplesamlphp.org/security/202412-01

@danmarsden (Member)

Nice work tracing that one - I'll see if someone can do some testing of this on some live sites before we merge it in.

Let me know if you manage to roll it into any production sites and what IDPs you test it with!

@dasistwas (Author)

The patch is used there:

https://musi.uni-graz.at/login/index.php

Login still works. But I am not totally sure what kind of identity provider is used there.

And here:

https://intern.diehauswirtschaft.at/

This is SSO using Keycloak, and login also works using the fix.

@dasistwas force-pushed the MOODLE_39_STABLE branch 2 times, most recently from b95a83e to 3bae74e (December 13, 2024 11:27)

@luukverhoeven

@dasistwas @danmarsden Maybe better to update everything to 2.3.5; this only includes the security patch?

@danmarsden changed the title "Fix XXE in parsing SAML messages" to "backport recommended patch to DOMDocumentFactory.php" (Dec 15, 2024)

@danmarsden (Member)

@luukverhoeven we can't update older branches to 2.3.5 as they do not support PHP 7.4 (and we need to keep that for 4.1 support.)

This appears harmless enough so I'm happy to merge, but note that the actual vulnerability reported is related to xml-common, which in the newer version of SimpleSAMLphp is used for parsing XML data. In the older version of SimpleSAMLphp on this branch, standard PHP APIs are used (I think.)
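For readers comparing the two code paths mentioned above, here is an added illustration (not this PR's patch and not SimpleSAMLphp's or xml-common's DOMDocumentFactory) of how untrusted SAML XML can be loaded defensively with PHP's standard DOM API alone: any DOCTYPE is refused before libxml parses the bytes, network access is disabled, and on PHP 7.4 the external entity loader is switched off explicitly. The class name SafeXmlLoader and both sample inputs are constructed for the example.

```php
<?php
declare(strict_types=1);
// Added illustration, not the project's code: load untrusted XML (such as a SAML
// message) with PHP's standard DOM API while refusing any DOCTYPE, the construct
// that carries entity declarations and therefore enables XXE.
final class SafeXmlLoader
{
    public static function fromString(string $xml): DOMDocument
    {
        // Textual pre-check: refuse a DOCTYPE before libxml ever sees it.
        if (preg_match('/<!DOCTYPE/i', $xml) === 1) {
            throw new RuntimeException('XML rejected: DOCTYPE is not allowed');
        }
        $prevErrors = libxml_use_internal_errors(true);
        // PHP < 8.0 needs the external entity loader switched off by hand;
        // from 8.0 it is off by default and the function is deprecated.
        $prevLoader = PHP_VERSION_ID < 80000 ? libxml_disable_entity_loader(true) : null;
        try {
            $doc = new DOMDocument('1.0', 'UTF-8');
            // LIBXML_NONET forbids network access; LIBXML_NOENT and LIBXML_DTDLOAD
            // are deliberately absent, so no entity or DTD is ever resolved.
            if ($doc->loadXML($xml, LIBXML_NONET) !== true) {
                $err = libxml_get_last_error();
                throw new RuntimeException('XML rejected: parse error' . ($err !== false ? ' (' . trim($err->message) . ')' : ''));
            }
            // Structural check in case the textual pre-check was bypassed.
            if ($doc->doctype !== null) {
                throw new RuntimeException('XML rejected: DOCTYPE is not allowed');
            }
            return $doc;
        } finally {
            libxml_clear_errors();
            libxml_use_internal_errors($prevErrors);
            if ($prevLoader !== null) { libxml_disable_entity_loader($prevLoader); }
        }
    }
}

// Constructed sample inputs: a minimal SAML response, and a document carrying a
// harmless inline DOCTYPE that a safe loader must nevertheless refuse.
$samples = [
    'saml'    => '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_demo" Version="2.0"><samlp:Status/></samlp:Response>',
    'doctype' => '<!DOCTYPE x [<!ENTITY e "inline">]><x>&e;</x>',
];
foreach ($samples as $label => $input) {
    try {
        $doc = SafeXmlLoader::fromString($input);
        printf("%s: accepted, root element <%s>\n", $label, $doc->documentElement->tagName);
    } catch (RuntimeException $e) {
        printf("%s: %s\n", $label, $e->getMessage());
    }
}
```

Run with `php safe_xml_loader.php`: the SAML sample is accepted and the DOCTYPE sample is rejected before parsing.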

@jay-oswald (Contributor)

@luukverhoeven The 404 branch supports Moodle 4.4+; we have #853, which is just getting tested now and will be merged soon, and which bumps SimpleSAMLphp to 2.3.5 to include the patch.
