Skip to content

Commit

Permalink
Release 2.4.0
Browse files Browse the repository at this point in the history
  • Loading branch information
pitbulk committed Feb 27, 2018
1 parent 826f4f5 commit 27bce00
Show file tree
Hide file tree
Showing 3 changed files with 13 additions and 1 deletion.
4 changes: 4 additions & 0 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,10 @@ Python3: [python3-saml](https://github.com/onelogin/python3-saml).

#### Warning ####

Update python-saml to 2.4.0, this version includes a fix for the [CVE-2017-11427](https://www.cvedetails.com/cve/CVE-2017-11427/) vulnerability.

That version also change how calculate fingerprint method works, and will expect as input a formatted x509 certificate

Update python-saml to 2.2.3, this version replaces some etree.tostring calls, that were introduced recently, by the sanitized call provided by defusedxml

Update python-saml to 2.2.0, this version includes a security patch that contains extra validations that will prevent signature wrapping attacks. [CVE-2016-1000252](https://github.com/distributedweaknessfiling/DWF-Database-Artifacts/blob/master/DWF/2016/1000252/CVE-2016-1000252.json)
Expand Down
8 changes: 8 additions & 0 deletions changelog.md
Original file line number Diff line number Diff line change
@@ -1,4 +1,12 @@
# python-saml changelog
### 2.4.0 (Feb 27, 2018)
* Fix vulnerability [CVE-2017-11427](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11427). Process text of nodes properly, ignoring comments
* Improve how fingerprint is calcultated
* Fix issue with LogoutRequest rejected by ADFS due NameID with unspecified format instead no format attribute
* Be able to invalidate a SAMLResponse if it contains InResponseTo value but no RequestId parameter provided at the is_valid method. See rejectUnsolicitedResponsesWithInResponseTo security parameter (By default deactivated)
* Fix signature position in the SP metadata
* Redefine NSMAP constant

### 2.3.0 (Sep 15, 2017)
* [#205](https://github.com/onelogin/python-saml/pull/205) Improve decrypt method, Add an option to decrypt an element in place or copy it before decryption.
* [#204](https://github.com/onelogin/python-saml/pull/204) On a LogoutRequest if the NameIdFormat is entity, NameQualifier and SPNameQualifier will be ommited. If the NameIdFormat is not entity and a NameQualifier is provided, then the SPNameQualifier will be also added.
Expand Down
2 changes: 1 addition & 1 deletion setup.py
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,7 @@

setup(
name='python-saml',
version='2.3.0',
version='2.4.0',
description='Onelogin Python Toolkit. Add SAML support to your Python software using this library',
classifiers=[
'Development Status :: 5 - Production/Stable',
Expand Down

0 comments on commit 27bce00

Please sign in to comment.