
Accepting request 865074 from home:stroeder:branches:devel:languages:python

- Update to 6.5.0 - Security release
  * Fix processing of invalid SAML XML documents - CVE-2021-21238
  * Fix unspecified xmlsec1 key-type preference - CVE-2021-21239
  * Add more tests regarding XSW attacks
  * Add XML Schemas for SAML2 and common extensions
  * Fix the XML parser to not break on ePTID AttributeValues
  * Fix the initialization value of the return_addrs property of the StatusResponse object
  * Fix SWAMID entity-category policy regarding eduPersonTargetedID
  * data: use importlib to load package data (backwards compatibility through the importlib_resources package)
  * docs: improve the documentation for the signing_algorithm and digest_algorithm options
  * examples: fix the logging configuration of the example-IdP
  * tests: allow tests to pass on 32bit systems by properly choosing dates in test XML documents
  * tests: improvements on the generation of response and assertion objects
  * tests: expand tests on python-3.9 and python-3.10-dev
- added new build dependencies:
  * python3-importlib-resources
  * python3-xmlschema
  * update-alternatives
- removed obsolete avoid-too-large-dates.patch
- replaced %python3_alternative by %python_alternative

OBS-URL: https://build.opensuse.org/request/show/865074
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-pysaml2?expand=0&rev=52
2021-01-20 21:32:16 +00:00
committed by Git OBS Bridge
parent 687446e293
commit cf9121fe6f
5 changed files with 35 additions and 117 deletions


@@ -1,105 +0,0 @@
--- a/tests/InCommon-metadata.xml
+++ b/tests/InCommon-metadata.xml
@@ -1,4 +1,4 @@
-<?xml version="1.0" encoding="UTF-8"?><EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:shibmd="urn:mace:shibboleth:metadata:1.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" ID="INC20140204T195141" Name="urn:mace:incommon" validUntil="2999-02-18T10:00:00Z" xsi:schemaLocation="urn:oasis:names:tc:SAML:2.0:metadata sstc-saml-schema-metadata-2.0.xsd urn:mace:shibboleth:metadata:1.0 shibboleth-metadata-1.0.xsd http://www.w3.org/2000/09/xmldsig# xmldsig-core-schema.xsd"><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+<?xml version="1.0" encoding="UTF-8"?><EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:shibmd="urn:mace:shibboleth:metadata:1.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" ID="INC20140204T195141" Name="urn:mace:incommon" validUntil="2036-02-18T10:00:00Z" xsi:schemaLocation="urn:oasis:names:tc:SAML:2.0:metadata sstc-saml-schema-metadata-2.0.xsd urn:mace:shibboleth:metadata:1.0 shibboleth-metadata-1.0.xsd http://www.w3.org/2000/09/xmldsig# xmldsig-core-schema.xsd"><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
--- a/tests/attribute_response.xml
+++ b/tests/attribute_response.xml
@@ -32,13 +32,13 @@
Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData Address="192.168.1.1"
InResponseTo="id-f4d370f3d03650f3ec0da694e2348bfe"
- NotOnOrAfter="2999-09-14T21:06:32.081Z"
+ NotOnOrAfter="2036-09-14T21:06:32.081Z"
Recipient="https://myreviewroom.com/saml2/acs/"
/>
</saml2:SubjectConfirmation>
</saml2:Subject>
<saml2:Conditions NotBefore="2014-09-14T21:01:32.081Z"
- NotOnOrAfter="2999-09-14T21:06:32.081Z"
+ NotOnOrAfter="2036-09-14T21:06:32.081Z"
>
<saml2:AudienceRestriction>
<saml2:Audience>urn:mace:example.com:saml:roland:sp
--- a/tests/idp_example.xml
+++ b/tests/idp_example.xml
@@ -2,7 +2,7 @@
<ns0:EntityDescriptor xmlns:ns0="urn:oasis:names:tc:SAML:2.0:metadata"
xmlns:ns1="http://www.w3.org/2000/09/xmldsig#"
entityID="http://localhost:8088/idp.xml"
- validUntil="2014-04-12T06:06:13Z">
+ validUntil="2036-04-12T06:06:13Z">
<ns0:IDPSSODescriptor WantAuthnRequestsOnlyWithValidCert="false"
WantAuthnRequestsSigned="false"
protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
--- a/tests/metadata.aaitest.xml
+++ b/tests/metadata.aaitest.xml
@@ -7,7 +7,7 @@
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
ID="AAITest-20140205105921"
Name="urn:mace:switch.ch:aaitest"
- validUntil="2999-02-10T09:59:21Z"
+ validUntil="2036-02-10T09:59:21Z"
xsi:schemaLocation="urn:oasis:names:tc:SAML:2.0:metadata saml-schema-metadata-2.0.xsd urn:mace:shibboleth:metadata:1.0 shibboleth-metadata-1.0.xsd http://www.w3.org/2000/09/xmldsig# xmldsig-core-schema.xsd">
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
--- a/tests/metadata.xml
+++ b/tests/metadata.xml
@@ -1,6 +1,6 @@
<?xml version='1.0' encoding='UTF-8'?>
<ns0:EntitiesDescriptor name="urn:mace:example.com:saml:test"
- validUntil="2999-12-04T17:31:07Z"
+ validUntil="2036-12-04T17:31:07Z"
xmlns:ns0="urn:oasis:names:tc:SAML:2.0:metadata">
<ns0:EntityDescriptor entityID="urn:mace:example.com:saml:roland:sp">
<ns0:SPSSODescriptor AuthnRequestsSigned="False" WantAssertionsSigned="True"
--- a/tests/metasp.xml
+++ b/tests/metasp.xml
@@ -1,5 +1,5 @@
<?xml version="1.0" encoding="UTF-8"?>
-<ns0:EntitiesDescriptor xmlns:ns0="urn:oasis:names:tc:SAML:2.0:metadata" name="urn:mace:umu.se:saml:test" validUntil="2010-12-01T09:22:16Z">
+<ns0:EntitiesDescriptor xmlns:ns0="urn:oasis:names:tc:SAML:2.0:metadata" name="urn:mace:umu.se:saml:test" validUntil="2036-12-01T09:22:16Z">
<ns0:EntityDescriptor entityID="urn:mace:umu.se:saml:roland:sp">
<ns0:SPSSODescriptor AuthnRequestsSigned="False" WantAssertionsSigned="True" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<ns0:KeyDescriptor>
--- a/tests/remote_data/InCommon-metadata-export.xml
+++ b/tests/remote_data/InCommon-metadata-export.xml
@@ -1,4 +1,4 @@
-<?xml version="1.0" encoding="UTF-8" standalone="no"?><EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:shibmd="urn:mace:shibboleth:metadata:1.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" ID="_20191126T193752" validUntil="3001-01-01T00:00:00Z">
+<?xml version="1.0" encoding="UTF-8" standalone="no"?><EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:shibmd="urn:mace:shibboleth:metadata:1.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" ID="_20191126T193752" validUntil="2036-01-01T00:00:00Z">
<md:Extensions xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi">
<mdrpi:PublicationInfo creationInstant="2019-11-26T19:37:52Z" publisher="https://incommon.org"/>
</md:Extensions>
--- a/tests/swamid-2.0.xml
+++ b/tests/swamid-2.0.xml
@@ -4,7 +4,7 @@
This file was automatically generated - do not edit
-->
-<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:shibmd="urn:mace:shibboleth:metadata:1.0" Name="http://md.swamid.se/md/swamid-2.0.xml" cacheDuration="PT8H" validUntil="2999-12-13T10:05:05Z"><ds:Signature><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ds:Reference URI=""><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>wdokYz5tEa8aCh+fEPqytS/y9W8=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>Wsr/+VrII3wK5rAzQKmjSzflCIuIhQboSc6sIxQwWw3toALPfY5fBl1XHPKGFXxY
+<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:shibmd="urn:mace:shibboleth:metadata:1.0" Name="http://md.swamid.se/md/swamid-2.0.xml" cacheDuration="PT8H" validUntil="2036-12-13T10:05:05Z"><ds:Signature><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ds:Reference URI=""><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>wdokYz5tEa8aCh+fEPqytS/y9W8=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>Wsr/+VrII3wK5rAzQKmjSzflCIuIhQboSc6sIxQwWw3toALPfY5fBl1XHPKGFXxY
t6W7MxPjU1FKh4PdISeTgqYUwvrX2YDE7HxoYAZR5n5cZlogBZIR3dUwXAcJ75pX
tDUHpoqNyEJgoaeTiFhNBrfwGPlWNb0RstfM+iMIpdNTlSFHvuHMxkJSEunjzbcj
7OU8KcYSlosw4wqdI/G50aQAjSJf+M1wARHtbPvH9ULeks5AUhKyJYztrPJc1UJL
--- a/tests/vo_metadata.xml
+++ b/tests/vo_metadata.xml
@@ -1,11 +1,11 @@
<?xml version='1.0' encoding='UTF-8'?>
-<ns0:EntitiesDescriptor
- name="urn:mace:example.com:votest"
- validUntil="2999-11-28T09:10:09Z"
+<ns0:EntitiesDescriptor
+ name="urn:mace:example.com:votest"
+ validUntil="2036-11-28T09:10:09Z"
xmlns:ns0="urn:oasis:names:tc:SAML:2.0:metadata">
- <ns0:EntityDescriptor
+ <ns0:EntityDescriptor
entityID="urn:mace:example.com:it:tek">
- <ns0:AffiliationDescriptor
+ <ns0:AffiliationDescriptor
affiliationOwnerID="http://vo.example.org/vo">
<ns0:AffiliateMember>
urn:mace:example.com:saml:aa


@@ -1,3 +1,27 @@
-------------------------------------------------------------------
Wed Jan 20 20:12:26 UTC 2021 - Michael Ströder <michael@stroeder.com>
- Update to 6.5.0 - Security release
* Fix processing of invalid SAML XML documents - CVE-2021-21238
* Fix unspecified xmlsec1 key-type preference - CVE-2021-21239
* Add more tests regarding XSW attacks
* Add XML Schemas for SAML2 and common extensions
* Fix the XML parser to not break on ePTID AttributeValues
* Fix the initialization value of the return_addrs property of the StatusResponse object
* Fix SWAMID entity-category policy regarding eduPersonTargetedID
* data: use importlib to load package data (backwards compatibility through the importlib_resources package)
* docs: improve the documentation for the signing_algorithm and digest_algorithm options
* examples: fix the logging configuration of the example-IdP
* tests: allow tests to pass on 32bit systems by properly choosing dates in test XML documents
* tests: improvements on the generation of response and assertion objects
* tests: expand tests on python-3.9 and python-3.10-dev
- added new build dependencies:
* python3-importlib-resources
* python3-xmlschema
* update-alternatives
- removed obsolete avoid-too-large-dates.patch
- replaced %python3_alternative by %python_alternative
------------------------------------------------------------------- -------------------------------------------------------------------
Wed Jan 6 10:49:48 UTC 2021 - Matej Cepl <mcepl@suse.com> Wed Jan 6 10:49:48 UTC 2021 - Matej Cepl <mcepl@suse.com>


@@ -20,19 +20,17 @@
%global modname pysaml2 %global modname pysaml2
%global skip_python2 1 %global skip_python2 1
Name: python-pysaml2 Name: python-pysaml2
Version: 6.3.1 Version: 6.5.0
Release: 0 Release: 0
Summary: Python implementation of SAML Version 2 to be used in a WSGI environment Summary: Python implementation of SAML Version 2 to be used in a WSGI environment
License: Apache-2.0 License: Apache-2.0
URL: https://github.com/IdentityPython/pysaml2 URL: https://github.com/IdentityPython/pysaml2
Source: https://github.com/IdentityPython/pysaml2/archive/v%{version}.tar.gz Source: https://github.com/IdentityPython/pysaml2/archive/v%{version}.tar.gz
# PATCH-FIX-UPSTREAM avoid-too-large-dates.patch gh#IdentityPython/pysaml2#759 mcepl@suse.com
# avoid Y38K bug on 32bit machines.
Patch0: avoid-too-large-dates.patch
BuildRequires: %{python_module Paste} BuildRequires: %{python_module Paste}
BuildRequires: %{python_module cryptography >= 1.4} BuildRequires: %{python_module cryptography >= 1.4}
BuildRequires: %{python_module dbm} BuildRequires: %{python_module dbm}
BuildRequires: %{python_module defusedxml} BuildRequires: %{python_module defusedxml}
BuildRequires: %{python_module importlib-resources}
BuildRequires: %{python_module mock} BuildRequires: %{python_module mock}
BuildRequires: %{python_module pyOpenSSL} BuildRequires: %{python_module pyOpenSSL}
BuildRequires: %{python_module pymongo} BuildRequires: %{python_module pymongo}
@@ -44,8 +42,10 @@ BuildRequires: %{python_module requests >= 1.0.0}
BuildRequires: %{python_module responses} BuildRequires: %{python_module responses}
BuildRequires: %{python_module setuptools} BuildRequires: %{python_module setuptools}
BuildRequires: %{python_module six} BuildRequires: %{python_module six}
BuildRequires: %{python_module xmlschema}
BuildRequires: %{python_module zope.interface} BuildRequires: %{python_module zope.interface}
BuildRequires: fdupes BuildRequires: fdupes
BuildRequires: update-alternatives
# This is needed as xmlsec itself does not pull any backend by default # This is needed as xmlsec itself does not pull any backend by default
# Will be fixed in future xmlsec releases # Will be fixed in future xmlsec releases
BuildRequires: libxmlsec1-openssl1 BuildRequires: libxmlsec1-openssl1
@@ -75,7 +75,6 @@ SAML2 service provider or an identity provider.
%prep %prep
%setup -q -n %{modname}-%{version} %setup -q -n %{modname}-%{version}
%ifarch %{ix86} %ifarch %{ix86}
%patch0 -p1
%endif %endif
# delete shebang of files not in executable path # delete shebang of files not in executable path
@@ -110,10 +109,10 @@ done
%files %{python_files} %files %{python_files}
%license LICENSE %license LICENSE
%doc README.rst CHANGELOG.md %doc README.rst CHANGELOG.md
%python3_alternative %{_bindir}/make_metadata.py %python_alternative %{_bindir}/make_metadata.py
%python3_alternative %{_bindir}/parse_xsd2.py %python_alternative %{_bindir}/parse_xsd2.py
%python3_alternative %{_bindir}/mdexport.py %python_alternative %{_bindir}/mdexport.py
%python3_alternative %{_bindir}/merge_metadata.py %python_alternative %{_bindir}/merge_metadata.py
%{python_sitelib}/* %{python_sitelib}/*
%changelog %changelog
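Review bot: The two new Python modules are added only as build-time dependencies (`BuildRequires: %{python_module importlib-resources}` and `BuildRequires: %{python_module xmlschema}`), and none of the hunks shown here adds a matching `Requires:` line. The changelog entries for 6.5.0 suggest both are used at run time — package data is loaded through importlib_resources, and the CVE-2021-21238 fix appears to rely on the bundled XML schemas — so an installed package without them could fail on import or during document validation even though the build-time tests pass. If the existing Requires block outside these hunks does not already cover them, add `Requires: python-importlib-resources` and `Requires: python-xmlschema`. Separately, the `%prep` hunk removes `%patch0 -p1` but seems to leave the enclosing `%ifarch %{ix86}` / `%endif` pair as context, which is now empty and can be dropped.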


@@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:54a5ec11da37abde1792207412a83e7f1da817179ffe864e35014dcdfdf2227d
size 5959873

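--- a/v6.5.0.tar.gz
+++ b/v6.5.0.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:97ed9307a870e4591472e021cf54cb9507010a3acca93cd36fe1ef4b2438fb50
+size 5991803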