IMPORTANT: All users must upgrade to ruby-saml 1.18.0 ASAP

[pitbulk]

It fixes several vulnerabilities:

Fix vulnerabilities: CVE-2025-25291, CVE-2025-25292: SAML authentication bypass via Signature Wrapping attack allowed due parser differential.

Fix vulnerability: CVE-2025-25293: Potential DOS abusing of compressed messages.

[johnnyshields]

Please rename the title to "IMPORTANT: All users must upgrade to ruby-saml 1.18.0 ASAP"

[dentarg]

More in the write-up by GitHub at https://github.blog/security/sign-in-as-anyone-bypassing-saml-sso-authentication-with-parser-differentials/

[johnnyshields]

FYI -- active work is underway (by me) to eliminate the dual parsers.

[johnnyshields]

Just a note, the PR to dual parsers #759 was just upstreamed as should be released as RubySaml 2.0.0 soon.