Hello everyone,
I just received the following email with questions on the recent
vulnerabilities of pysaml2.
The news site is
https://www.bleepingcomputer.com/
Should we answer?
And should we answer all questions?
I think we should answer but ask to see the writeup so you can help get the
details right.
Cheers,
PS: for those of you who did not see our new page on the website, have a
look at the security section:
https://idpy.org/security/
---------- Forwarded message ---------
From: Lawrence Abrams <labrams at bleepingcomputer.com>
Date: Wed, 20 Jan 2021 at 22:22
Subject: Press questions regarding the Pysaml2 vulnerability
To: <ivan.kanak at gmail.com>, <info at idpy.org>
I am a security reporter for the technology news site BleepingComputer.
In regard to your pysaml2 security advisory released today for
vulnerabilities CVE-2021-21238 and CVE-2021-21239:
1. Is it known if these vulnerabilities have been exploited in the
wild? If so, can you share how?
2. For CVE-2021-21238, would this allow an attacker to tamper with a signed
file as long as the original legitimate signature is the first
keyvalue element?
3. For CVE-2021-21239, a signed document would be valid if the same
type of key is present in the document?
4. In what ways do you see these vulnerabilities being exploited and
are these critical enough that they should be updated immediately?
5. Finally, what other software/packages utilize pysaml2?
Thank you
Lawrence Abrams
BleepingComputer.com
--
Ivan c00kiemon5ter Kanakarakis >:3
_______________________________________________
Idpy-board mailing list
Idpy-board at lists.sunet.se
https://lists.sunet.se/listinfo/idpy-board