Release 1.18.0

Author: pitbulk

CHANGELOG.md

@@ -1,9 +1,10 @@
 # Ruby SAML Changelog
 
-### 1.18.0  (???)
+### 1.18.0  (Mar 12, 2025)
 * [#718](https://github.com/SAML-Toolkits/ruby-saml/pull/718/) Add support to retrieve from SAMLResponse the AuthnInstant and AuthnContextClassRef values
 * [#720](https://github.com/SAML-Toolkits/ruby-saml/pull/720) Fix ambiguous regex warnings
 * [#715](https://github.com/SAML-Toolkits/ruby-saml/pull/715) Fix typo in SPNameQualifier error text
+* [750](https://github.com/SAML-Toolkits/ruby-saml/pull/750) Fix vulnerabilities: CVE-2025-25291, CVE-2025-25292: SAML authentication bypass via Signature Wrapping attack allowed due parser differential. Fix vulnerability: CVE-2025-25293: Potential DOS abusing of compressed messages.
 
 ### 1.17.0  (Sep 10, 2024)
 * Fix for critical vulnerability CVE-2024-45409: SAML authentication bypass via Incorrect XPath selector

README.md

@@ -7,7 +7,34 @@
 Minor and patch versions of Ruby SAML may introduce breaking changes. Please read
 [UPGRADING.md](UPGRADING.md) for guidance on upgrading to new Ruby SAML versions.
 
-There is a critical vulnerability affecting ruby-saml < 1.17.0 (CVE-2024-45409). Make sure you are using an updated version. (1.12.3 is safe)
+### Pay it Forward: Support RubySAML and Strengthen Open-Source Security
+
+RubySAML is a trusted authentication library used by startups and enterprises alike.
+
+But security doesn't happen in a vacuum. Vulnerabilities in authentication libraries can
+have widespread consequences. Maintaining open-source security requires continuous
+effort, expertise, and funding. By supporting RubySAML, you’re not just securing your
+own systems—you’re strengthening auth security globally.
+
+#### How you can help
+
+* Sponsor RubySAML: [GitHub Sponsors](https://github.com/sponsors/SAML-Toolkits)
+* Contribute to secure-by-design improvements
+* Responsibly report vulnerabilities (see "Vulnerability Reporting" above)
+
+Security is a shared responsibility. If RubySAML has helped your organization, please
+consider giving back. Together, we can keep authentication secure.
+
+### Sponsors
+
+Thanks to the following sponsors for securing the open source ecosystem,
+
+[<img alt="84codes" src="https://avatars.githubusercontent.com/u/5353257" width="75px">](https://www.84codes.com)
+
+
+## Vulnerabilities
+
+There are critical vulnerabilities affecting ruby-saml < 1.18.0, two of them allows SAML authentication bypass (CVE-2025-25291, CVE-2025-25292, CVE-2025-25293). Please upgrade to a fixed version (1.18.0)
 
 ## Overview
 
@@ -61,12 +88,6 @@ But there are other scenarios, like a SaaS app where the administrator of the ap
 delegates this functionality to other users. In this case, extra precautions should
 be taken in order to validate such URL inputs and avoid attacks like SSRF.
 
-### Sponsors
-
-Thanks to the following sponsors for their support:
-
-[<img alt="84codes" src="https://avatars.githubusercontent.com/u/5353257" width="50px">](https://www.84codes.com)
-
 ## Getting Started
 
 In order to use Ruby SAML you will need to install the gem (either manually or using Bundler),

UPGRADING.md

@@ -1,5 +1,14 @@
 # Ruby SAML Migration Guide
 
+## Updating from 1.17.x to 1.18.0
+
+Version `1.18.0` changes the way the toolkit validates SAML signatures. There is a new order
+how validation happens in the toolkit and also the toolkit by default will check malformed doc
+when parsing a SAML Message (`settings.check_malformed_doc`).
+
+The SignedDocument class defined at xml_security.rb experienced several changes.
+We don't expect compatibilty issues if you use the main methods offered by ruby-saml, but if you use a fork or customized usage, is possible that you need to adapt your code.
+
 ## Updating from 1.12.x to 1.13.0
 
 Version `1.13.0` adds `settings.idp_sso_service_binding` and `settings.idp_slo_service_binding`, and

lib/onelogin/ruby-saml/version.rb

@@ -1,5 +1,5 @@
 module OneLogin
   module RubySaml
-    VERSION = '1.17.0'
+    VERSION = '1.18.0'
   end
 end