
v0.11.0

Latest


@russellhaering russellhaering released this 18 Mar 06:05

What's Changed

Security

  • Reject unsigned SAML LogoutRequest when signature validation is enabled. Previously, ValidateEncodedLogoutRequestPOST silently accepted unsigned requests even when SkipSignatureValidation was false. (GHSA-pcgw-qcv5-h8ch)
  • Security hardening: add a CBC bounds check to prevent panics from crafted ciphertext, replace panic() calls with error returns, and verify assertion signatures inside a signed Response envelope when they are present (previously they were skipped entirely, which could allow XML wrapping attacks).
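An added illustration of the CBC bounds-check idea (example code, not gosaml2's own implementation): `decryptCBC` returns an error for ciphertext that is too short or not block-aligned, where `crypto/cipher` would otherwise panic, and validates PKCS#7 padding without indexing past the buffer. The function names, the `encryptCBC` helper, and the key/IV values are constructed for this example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"fmt"
)

// ErrBadCiphertext is returned where crypto/cipher would otherwise panic.
var ErrBadCiphertext = errors.New("cbc: malformed ciphertext")

// decryptCBC decrypts IV-prefixed AES-CBC/PKCS#7 data, checking lengths first.
func decryptCBC(key, ct []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	// Bounds check: IV plus at least one full block, block-aligned; NewCBCDecrypter panics otherwise.
	if len(ct) < 2*bs || len(ct)%bs != 0 {
		return nil, ErrBadCiphertext
	}
	plain := make([]byte, len(ct)-bs)
	cipher.NewCBCDecrypter(block, ct[:bs]).CryptBlocks(plain, ct[bs:])
	// Validate PKCS#7 padding without indexing past the slice.
	pad := int(plain[len(plain)-1])
	if pad == 0 || pad > bs || !bytes.Equal(plain[len(plain)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return nil, ErrBadCiphertext
	}
	return plain[:len(plain)-pad], nil
}

// encryptCBC produces well-formed input for the demonstration (key must be valid).
func encryptCBC(key, iv, pt []byte) []byte {
	block, _ := aes.NewCipher(key)
	pad := block.BlockSize() - len(pt)%block.BlockSize()
	padded := append(append([]byte{}, pt...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return append(append([]byte{}, iv...), out...)
}

func main() {
	key, iv := bytes.Repeat([]byte{0x11}, 16), bytes.Repeat([]byte{0x22}, 16) // constructed demo values
	ct := encryptCBC(key, iv, []byte("<samlp:LogoutRequest/>"))
	_, err := decryptCBC(key, ct[:len(ct)-3]) // truncated input: an error, not a panic
	fmt.Println(err)
}
```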

Other

  • Add oss-fuzz integration
  • Bump minimum Go version to 1.25
  • Update dependencies: goxmldsig v1.6.0, etree v1.6.0, testify v1.11.1
  • Bump all GitHub Actions to latest versions

Full Changelog: v0.10.0...v0.11.0