CVE-2025-27773 - Create a new Release to force the SAML2 library update

Created on 14 March 2025, about 1 month ago

Problem/Motivation

This was discussed in https://security.drupal.org/node/182873. The decision was to manage the issue publicly in a non-security release to address CVE-2025-27773.

https://nvd.nist.gov/vuln/detail/CVE-2025-27773
https://feedly.com/cve/CVE-2025-27773

Anyone manually running `composer audit` or using a tool/service that checks that would be aware of security update in 3 levels into their project (project->simplesamlphp_auth->simplesaml->saml2) and would apply the update with `composer update` unless there was some other dependency requiring < 2.3.7 or simplesamlphp/simplesamlphp was pinned at 2.3.5 for some reason.

Proposed resolution

Update https://git.drupalcode.org/project/simplesamlphp_auth/-/blob/4.x/compose... to require ^2.3.5

Remaining tasks

Merge and roll release with info about CVE-2025-27773 in the release notes.

🌱 Plan

Status

Active

Version

4.0

Component

Code

Created by

🇺🇸United States kreynen

Live updates comments and jobs are added and updated live.

Comments & Activities

Issue created by @kreynen

contrib.social Blog FAQ Discussions

Production build 0.71.5 2024