[SITE-4575] Update SimpleSAMLphp security requirements to 2.3.7. #402

Merged: pwtyler merged 203 commits into develop from cve-2025-27773 on Jun 6, 2025

Conversation

@jazzsequence (Contributor) commented May 9, 2025

Description

This PR updates the SimpleSAMLphp security requirements to recommend version 2.3.7 as the minimum secure version, while maintaining 2.0.0 as the critical security threshold for CVE-2023-26881 (GHSA-46r4-f8gj-xg56).

Changes

  • Added new configuration option min_simplesamlphp_version set to '2.3.7'
  • Enhanced version checking to differentiate between critical vulnerabilities (< 2.0.0) and recommended updates (< 2.3.7)
  • Updated admin notices to show different severity levels based on version:
    • Critical error for versions < 2.0.0 (vulnerable to CVE-2023-26881)
    • Warning for versions between 2.0.0 and 2.3.7 (secure against critical vulnerability but missing additional security fixes)
    • Warning for unknown versions.
  • Only block authentication for critically vulnerable versions (< 2.0.0) (optional, defaults to not blocking auth)
  • Added more detailed security information to the settings page
  • Updated documentation to reflect new version requirements
  • Bumps OneLogin SAML dependency version
  • Adds pantheon-systems/wpunit-helpers package for WP Unit Tests (rather than copy pasta method)
  • Bumps pantheon-systems/pantheon-wordpress-upstream-tests to latest
  • Adds shellcheck to linting checks

Filters added

  • wp_saml_auth_simplesamlphp_path_array - allows users to define/change the path to their installation of SimpleSAMLphp.
  • wp_saml_auth_ssp_autoloader - allows users to define a path to the SimpleSAMLphp autoloader file (if different from the default)

Security Context

  • SimpleSAMLphp 2.0.0 was the first version to include the patched OpenSAML library (>= 3.2.1) that fixed the XML signature validation bypass vulnerability (CVE-2023-26881)
  • SimpleSAMLphp 2.3.7 includes additional security fixes beyond the critical vulnerability

Testing

  • Tests have been updated to run Behat tests with the following SimpleSAMLphp versions:
    • 1.18.0 (shows critical warning, allows authentication)
    • 2.0.0 (shows recommendation warning, allows authentication)
    • 2.4.0 (no warnings, allows authentication)
  • Cleanup is run after all three Behat tests pass and deletes the multidev created for those specific test runs as well as the 10 oldest test sites

(reopened from #401)
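The three-tier version check the description lays out, written out as an added PHP example (not the plugin's own code); the 2.0.0 and 2.3.7 thresholds and the min_simplesamlphp_version option name are from the PR, while the function names and the block_auth flag are assumptions.

```php
<?php
// Added example, not code from the wp-saml-auth plugin: classifies an installed
// SimpleSAMLphp version into the tiers the PR describes and decides whether
// authentication is blocked. Function names and the block_auth flag are hypothetical.

// First SimpleSAMLphp release shipping the patched OpenSAML (>= 3.2.1) for CVE-2023-26881.
const EXAMPLE_CRITICAL_SSP_VERSION = '2.0.0';

/**
 * Classify an installed SimpleSAMLphp version as 'critical', 'warning', 'ok' or 'unknown'.
 *
 * @param string|null $installed   Version string read from the install, or null if unreadable.
 * @param string      $recommended Value of the min_simplesamlphp_version option (PR default '2.3.7').
 */
function example_classify_ssp_version( ?string $installed, string $recommended = '2.3.7' ): string {
	// A non-numeric or missing version is 'unknown'; the PR shows a warning for that rather than guessing.
	if ( null === $installed || ! preg_match( '/^\d+(\.\d+){1,3}(-[\w.]+)?$/', $installed ) ) {
		return 'unknown';
	}
	if ( version_compare( $installed, EXAMPLE_CRITICAL_SSP_VERSION, '<' ) ) {
		return 'critical'; // still carries the XML signature validation bypass
	}
	if ( version_compare( $installed, $recommended, '<' ) ) {
		return 'warning'; // safe from CVE-2023-26881 but missing later security fixes
	}
	return 'ok';
}

/**
 * Only the critical tier is ever blocked, and only when the operator opts in;
 * the PR defaults to not blocking authentication.
 */
function example_should_block_auth( string $tier, bool $block_auth = false ): bool {
	return $block_auth && 'critical' === $tier;
}

// Constructed inputs mirroring the PR's Behat matrix (1.18.0, 2.0.0, 2.4.0) plus an unreadable version.
foreach ( [ '1.18.0', '2.0.0', '2.4.0', null ] as $version ) {
	$tier = example_classify_ssp_version( $version );
	printf(
		"%-7s tier=%-8s block(default)=%s block(opt-in)=%s\n",
		$version ?? 'n/a',
		$tier,
		example_should_block_auth( $tier ) ? 'yes' : 'no',
		example_should_block_auth( $tier, true ) ? 'yes' : 'no'
	);
}
```

With the default flag every row reports block(default)=no, matching the Behat expectation that all three versions still allow authentication.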

@jazzsequence jazzsequence requested a review from a team as a code owner May 9, 2025 21:53
github-actions bot commented May 9, 2025

Composer Changes

Prod Packages                                       Operation Base                Target
onelogin/php-saml                                   Upgraded  4.1.0               4.2.0
robrichards/xmlseclibs                              Upgraded  3.1.1               3.1.3

Dev Packages                                        Operation Base                Target
behat/behat                                         Upgraded  v3.13.0             v3.14.0
behat/mink                                          Upgraded  v1.10.0             v1.12.0
myclabs/deep-copy                                   Upgraded  1.12.0              1.13.1
nikic/php-parser                                    Upgraded  v5.1.0              v5.4.0
pantheon-systems/pantheon-wordpress-upstream-tests  Changed   dev-master 004fc97  dev-master 1fa393d
pantheon-systems/wpunit-helpers                     New       -                   v2.0.2
phpcompatibility/phpcompatibility-wp                Upgraded  2.1.5               2.1.7
phpcsstandards/phpcsextra                           Upgraded  1.2.1               1.3.0
phpstan/phpdoc-parser                               Upgraded  1.30.1              1.33.0
phpunit/phpunit                                     Upgraded  9.6.20              9.6.23
sirbrillig/phpcs-variable-analysis                  Upgraded  v2.11.19            v2.12.0
spryker/code-sniffer                                Upgraded  0.17.24             0.17.28
squizlabs/php_codesniffer                           Upgraded  3.10.1              3.13.0
symfony/console                                     Upgraded  v5.4.31             v5.4.47
symfony/css-selector                                Upgraded  v5.4.26             v5.4.45
symfony/deprecation-contracts                       Upgraded  v3.4.0              v3.5.1
symfony/event-dispatcher                            Upgraded  v5.4.26             v5.4.45
symfony/event-dispatcher-contracts                  Upgraded  v3.4.0              v3.5.1
symfony/filesystem                                  Upgraded  v5.4.41             v5.4.45
symfony/polyfill-ctype                              Upgraded  v1.31.0             v1.32.0
symfony/polyfill-intl-grapheme                      Upgraded  v1.28.0             v1.32.0
symfony/polyfill-intl-idn                           Upgraded  v1.28.0             v1.32.0
symfony/polyfill-intl-normalizer                    Upgraded  v1.28.0             v1.32.0
symfony/polyfill-mbstring                           Upgraded  v1.30.0             v1.32.0
symfony/polyfill-php73                              Upgraded  v1.28.0             v1.32.0
symfony/polyfill-php80                              Upgraded  v1.30.0             v1.32.0
symfony/polyfill-php81                              Upgraded  v1.28.0             v1.32.0
symfony/service-contracts                           Upgraded  v2.5.3              v2.5.4
symfony/string                                      Upgraded  v6.3.8              v6.4.21
symfony/translation-contracts                       Upgraded  v2.5.3              v2.5.4
symfony/yaml                                        Upgraded  v6.3.8              v6.4.21
yoast/phpunit-polyfills                             Upgraded  3.0.0               3.1.2
symfony/polyfill-php72                              Removed   v1.28.0             -

Comment on lines +7 to +12
# PHPUnit Helpers
bin/helpers.sh
bin/install-wp-tests.sh
bin/install-local-tests.sh
bin/phpunit-test.sh
.phpunit*
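Review bot: the `.phpunit*` pattern on the last line is far broader than the four explicitly named scripts above it and will also hide any future tracked file whose name begins with `.phpunit` (a committed PHPUnit configuration, for instance) from `git status`; if only the cache and config files generated by the wpunit-helpers scripts are meant, consider naming them explicitly as the `bin/*.sh` lines do.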
@jazzsequence (Contributor Author) commented:
These ignores come from adding wpunit-helpers as a dependency.

github-actions bot commented:
Hi from your friendly robot! 🤖 I fixed PHPCS issues with phpcbf on 47bcecf. Please review the changes.

@pwtyler pwtyler merged commit 89a3d5e into develop Jun 6, 2025
19 checks passed
@pwtyler pwtyler deleted the cve-2025-27773 branch June 6, 2025 19:56