Security: IdentityPython/IdentityPython.github.io
| layout | title | permalink |
|---|---|---|
| page | Security advisories | /security/ |
IdPy projects, particularly the IdPy libraries (pySAML2, pyXMLSecurity, pyeleven, oidcendpoint, and JWT-Connect-Python), are used by services around the world. IdPy has a security incident handling process that applies to all IdPy projects. Security vulnerabilities reported for an IdPy project are handled as responsibly and publicly as possible, following GitHub’s guidance on managing these types of vulnerabilities.
How can I report a security vulnerability?
Anyone can submit a potential security vulnerability to incident-response@idpy.org. The incident-response team will verify the issue and contact you on how this will be handled.
Are CVEs created for each security vulnerability?
Yes. Each vulnerability that is reported and verified is assigned a CVE identifier. This is part of the incident-response handling process that IdPy follows. Security advisories are managed through GitHub and use GitHub as the CVE Numbering Authority (CNA). Further information on how security advisories are managed through GitHub can be found at “About GitHub’s Security Advisories”.
How is the community notified of vulnerabilities and associated patches?
IdPy has multiple communication channels: the IdPy mailing list, the IdPy slack workspace (invitation) and project-specific mailing lists.
When a new vulnerability is reported and verified, a new security advisory is created on GitHub and the issue is assigned a CVE identifier. Progress on the mitigation is tracked on a private fork, where the incident-response team and developers communicate to fix the issue.
When the fix is ready, a release plan is prepared and all communication channels are used to notify the community of the presence of a new issue and the expected release plan. This allows the community time to prepare for a security upgrade. (Notice that security fixes are not backported at the moment.)
When the advisory is published, GitHub automatically notifies all associated projects of the published advisory. Projects that use IdPy projects as dependencies should automatically get Pull Requests by dependabot. Additionally, all communication channels are used again, to notify the community of the release of a new version of the affected software that contains the relevant fixes that mitigate the reported issue.
Is there a mailing list I can join to receive security announcements?
At this moment, there is no separate list with security announcements. We announce new and upcoming releases on the idpy-discuss mailing list and the relevant project lists. These lists have more traffic than just release or security announcements.
As another option, one can subscribe to notifications about new releases using the “watch” mechanism provided by GitHub. When a new release is out, it is tagged and uploaded both on pypi and GitHub. You can find information about subscribing to releases on the GitHub documentation section “Configuring your watch settings for an individual repository”.
What is the best approach to mitigate an issue?
Upgrade to the latest version. At this point, IdentityPython does not have the resources required to provide backports of security issues or other fixes. We urge the community to try to keep up with the latest version. The organization advocates FOSS and is open to new collaborators. Since everything is open, users are free to backport patches on their own.
- CVE-2021-21239 - PySAML2: Unspecified xmlsec1 key-type preference
- CVE-2021-21238 - PySAML2: Processing of invalid SAML XML documents
- CVE-2020-5390 - PySAML2: Improper Verification of Cryptographic Signature
- CVE-2017-1000246 - PySAML2: Always generate a random IV for AES operations