From ff44d305b15485580ed3847e2a8747caeb76de19 Mon Sep 17 00:00:00 2001
From: Al Snow
Date: Fri, 13 Sep 2024 09:05:04 -0400
Subject: [PATCH] GHSA SYNC: 1 brand new advisory
---
 gems/omniauth-saml/GHSA-cvp8-5r8g-fhvq.yml | 25 ++++++++++++++++++++++
 1 file changed, 25 insertions(+)
 create mode 100644 gems/omniauth-saml/GHSA-cvp8-5r8g-fhvq.yml
diff --git a/gems/omniauth-saml/GHSA-cvp8-5r8g-fhvq.yml b/gems/omniauth-saml/GHSA-cvp8-5r8g-fhvq.yml
new file mode 100644
index 0000000000..5cc87b0cc6
--- /dev/null
+++ b/gems/omniauth-saml/GHSA-cvp8-5r8g-fhvq.yml
@@ -0,0 +1,25 @@
+---
+gem: omniauth-saml
+ghsa: cvp8-5r8g-fhvq
+url: https://github.com/SAML-Toolkits/ruby-saml/security/advisories/GHSA-jw9c-mfg7-9rx2
+title: omniauth-saml vulnerable to Improper Verification of Cryptographic Signature
+date: 2024-09-11
+description: |
+ ruby-saml, the dependent SAML gem of omniauth-saml has a signature
+ wrapping vulnerability in <= v1.12.0 and v1.13.0 to v1.16.0 , see
+ https://github.com/SAML-Toolkits/ruby-saml/security/advisories/GHSA-jw9c-mfg7-9rx2
+
+ As a result, omniauth-saml created a
+ [new release](https://github.com/omniauth/omniauth-saml/releases)
+ by upgrading ruby-saml to the patched versions v1.17.
+cvss_v3: 10.0
+patched_versions:
+ - ">= 2.1.1"
+related:
+ ghsa:
+ - https://github.com/omniauth/omniauth-saml/security/advisories/GHSA-cvp8-5r8g-fhvq
+ - https://github.com/SAML-Toolkits/ruby-saml/security/advisories/GHSA-jw9c-mfg7-9rx2
+ - https://github.com/advisories/GHSA-cvp8-5r8g-fhvq
+ url:
+ - https://github.com/omniauth/omniauth-saml/commit/4274e9d57e65f2dcaae4aa3b2accf831494f2ddd
+ - https://github.com/omniauth/omniauth-saml/commit/6c681fd082ab3daf271821897a40ab3417382e29
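Review bot: The new advisory's description names the vulnerable ruby-saml ranges but never states which omniauth-saml versions are affected, so a reader of this entry has to infer the range from `patched_versions: - ">= 2.1.1"` alone. An explicit sentence in the description such as `omniauth-saml releases before 2.1.1 presumably depend on an affected ruby-saml and should be upgraded` (hedged, since the hunk only shows the dependency relationship, not the exact lower bound) would make the affected range unambiguous for both readers and tooling that consumes these files. The description also carries a stray space before the comma in `v1.16.0 , see` and says `the patched versions v1.17` while naming a single version; stating the exact ruby-saml release(s) that carry the fix would help operators verify an upgrade. If a CVE identifier has been assigned to this advisory, a `cve:` key alongside `ghsa:` would let consumers cross-reference it; none appears in the hunk, so I am not suggesting a value.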