PySAML2: Security bypass

A vulnerability in PySAML2 might allow remote attackers to bypass authentication.

PySAML2 2018-01-11 2018-01-12 644016 remote 4.0.2-r3 4.5.0 4.0.2-r3 4.5.0

PySAML2 is a pure Python implementation of SAML2.

It was found that PySAML2 relies on an assert statement to check the user’s password. Python optimizations might remove this assertion.

A remote attacker could bypass security restrictions and access any application which is using PySAML2 for authentication.

Disable Python optimizations.
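The failure mode described above, as an added example (not PySAML2's code and not part of the advisory): a constructed assert-based check is compiled at optimization levels 0 and 1, the levels `python` and `python -O` use, next to an explicit comparison that does not depend on assertions. All function names and the sample password are assumptions made for illustration.

```python
import hmac
import sys

# Constructed stand-in for an assert-based credential check;
# this is the pattern the advisory describes, not PySAML2's code.
VULNERABLE_SRC = '''
def verify(stored, supplied):
    assert stored == supplied  # stripped at optimization level >= 1
    return True
'''

def load_verify(optimize):
    """Compile the check as `python` (0) or `python -O` (1) would."""
    ns = {}
    exec(compile(VULNERABLE_SRC, "<vulnerable>", "exec", optimize=optimize), ns)
    return ns["verify"]

def vulnerable_login(optimize, stored, supplied):
    """Return True if the assert-based check lets the login through."""
    try:
        return load_verify(optimize)(stored, supplied)
    except AssertionError:
        return False

def hardened_login(stored, supplied):
    """Explicit, constant-time comparison; unaffected by -O or PYTHONOPTIMIZE."""
    return hmac.compare_digest(stored.encode(), supplied.encode())

def asserts_enabled():
    """Deployment check for the workaround: False means optimizations are on."""
    return sys.flags.optimize == 0

if __name__ == "__main__":
    for level in (0, 1):
        ok = vulnerable_login(level, "s3cret", "wrong")
        print(f"optimize={level}: wrong password accepted -> {ok}")
    print("hardened: wrong password accepted ->", hardened_login("s3cret", "wrong"))
    print("asserts enabled in this interpreter ->", asserts_enabled())
```

A service that cannot be upgraded immediately can call a check like `asserts_enabled()` at startup and refuse to run when it returns False.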

All PySAML2 4.0 users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-python/pysaml2-4.0.2-r3"

All PySAML2 4.5 users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-python/pysaml2-4.5.0"
CVE-2017-1000433 whissi whissi