Security researchers from Duo Labs and the US Computer Emergency Response Team Coordination Center (CERT/CC) released security advisories this morning detailing a new SAML vulnerability. CERT/CC reached out to OneLogin in advance of this publication in order for us to address the impacted OneLogin toolkits / libraries, specifically CVE-2017-11427 and CVE-2017-11428.
Now that the security advisories are public, we are able to publish our patches, located here:
- ruby-saml https://github.com/onelogin/ruby-saml/releases/tag/v1.7.0
- python-saml https://github.com/onelogin/python-saml/releases/tag/v2.4.0
- python3-saml https://github.com/onelogin/python3-saml/releases/tag/v1.4.0
We are also contacting organizations that use these toolkits directly. Please note that no action is required for users of the OneLogin platform itself; the required action is for developers who maintain apps that depend on any of the toolkits above to upgrade to the patched versions listed.