Commit bfa5110

Release 1.4.0
1 parent 3ed4e5c commit bfa5110

3 files changed

+16
-2
lines changed

README.md

Lines changed: 5 additions & 1 deletion
@@ -14,7 +14,11 @@ This version supports Python3, There is a separate version that only support Pyt
1414

1515
#### Warning ####
1616

17-
Release 1.2.6 adds the use defusedxml that will prevent XEE and other attacks based on the abuse of XML. (CVE-2017-9672)
17+
Update python-saml to 1.4.0, this version includes a fix for the [CVE-2017-11427](https://www.cvedetails.com/cve/CVE-2017-11427/) vulnerability.
18+
19+
That version also change how calculate fingerprint method works, and will expect as input a formatted x509 certificate
20+
21+
Update python-saml3 to 1.2.6 that adds the use defusedxml that will prevent XEE and other attacks based on the abuse of XML. (CVE-2017-9672)
1822

1923
Update python3-saml to >= 1.2.1, 1.2.0 had a bug on signature validation process (when using wantAssertionsSigned and wantMessagesSigned). [CVE-2016-1000251](https://github.com/distributedweaknessfiling/DWF-Database-Artifacts/blob/master/DWF/2016/1000251/CVE-2016-1000251.json)
2024
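
Review bot: The package name is wrong in two of the added lines: new line 17 says `python-saml` and new line 21 says `python-saml3`, while setup.py and the unchanged line 23 both use `python3-saml`. The README's intro (visible in the hunk header) points out that a separate version exists, so the exact name matters in a security warning. Suggest `Update python3-saml to >= 1.4.0`, matching the `>= 1.2.1` wording two lines down, and correcting "XEE" to "XXE" on line 21 while it is being rewritten. Line 19 also announces that the fingerprint calculation now expects "a formatted x509 certificate" without saying what format that is or which callers are affected; one sentence stating the expected input would let integrators check their configuration before upgrading.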

changelog.md

Lines changed: 10 additions & 0 deletions
@@ -1,4 +1,14 @@
11
# python3-saml changelog
2+
3+
### 1.4.0 (Feb 27, 2018)
4+
* Fix vulnerability [CVE-2017-11427](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11427). Process text of nodes properly, ignoring comments
5+
* Improve how fingerprint is calcultated
6+
* Fix issue with LogoutRequest rejected by ADFS due NameID with unspecified format instead no format attribute
7+
* Fix signature position in the SP metadata
8+
* [#80](https://github.com/onelogin/python3-saml/pull/80) Preserve xmlns:xs namespace when signing and serializing responses
9+
* Redefine NSMAP constant
10+
* Updated Django demo (Django 1.11).
11+
212
### 1.3.0 (Sep 15, 2017)
313
* Improve decrypt method, Add an option to decrypt an element in place or copy it before decryption.
414
* [#63](https://github.com/onelogin/python3-saml/pull/63) Be able to get at the auth object the last processed ID (response/assertion) and the last generated ID, as well as the NotOnOrAfter value of the valid SubjectConfirmationData in the processed SAMLResponse
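
Review bot: The entry on new line 5, "Improve how fingerprint is calcultated", understates what the README hunk in this same commit describes as a change in expected input (a formatted x509 certificate), and "calcultated" is a typo. Suggest wording it as a behaviour change so anyone comparing certificate fingerprints knows to re-check their input on upgrade. The CVE-2017-11427 entry on line 4 links only to the CVE record; a reference to the fixing change, in the style of the `#80` entry on line 8, would let readers verify what "Process text of nodes properly, ignoring comments" covers. Line 6 is hard to parse as written ("due NameID with unspecified format instead no format attribute") and would read better as a full sentence.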

setup.py

Lines changed: 1 addition & 1 deletion
@@ -9,7 +9,7 @@
99

1010
setup(
1111
name='python3-saml',
12-
version='1.3.0',
12+
version='1.4.0',
1313
description='Onelogin Python Toolkit. Add SAML support to your Python software using this library',
1414
classifiers=[
1515
'Development Status :: 5 - Production/Stable',
