diff -Nru python-pysaml2-3.0.0/debian/changelog python-pysaml2-3.0.0/debian/changelog
--- python-pysaml2-3.0.0/debian/changelog	2020-02-20 07:45:47.000000000 +1100
+++ python-pysaml2-3.0.0/debian/changelog	2021-02-02 08:42:57.000000000 +1100
@@ -1,3 +1,11 @@
+python-pysaml2 (3.0.0-5+deb9u2) stretch-security; urgency=medium
+
+  * Non-maintainer upload by the LTS Security Team.
+  * Fix CVE-2021-21238 - SAML XML Signature wrapping.
+  * Fix CVE-2021-21239 - Restrict the key data that xmlsec1 accepts to on.
+
+ -- Brian May <bam@debian.org>  Tue, 02 Feb 2021 08:42:57 +1100
+
 python-pysaml2 (3.0.0-5+deb9u1) stretch-security; urgency=medium
 
   * CVE-2020-5390
diff -Nru python-pysaml2-3.0.0/debian/patches/CVE-2020-5390.patch python-pysaml2-3.0.0/debian/patches/CVE-2020-5390.patch
--- python-pysaml2-3.0.0/debian/patches/CVE-2020-5390.patch	2020-01-21 06:50:09.000000000 +1100
+++ python-pysaml2-3.0.0/debian/patches/CVE-2020-5390.patch	2021-02-01 09:03:25.000000000 +1100
@@ -126,63 +126,63 @@
          verified = False
          last_pem_file = None
          for _, pem_file in certs:
-#Index: python-pysaml2-3.0.0/tests/saml2_response_xsw.xml
-#===================================================================
-#--- /dev/null
-#+++ python-pysaml2-3.0.0/tests/saml2_response_xsw.xml
-#@@ -0,0 +1,6 @@
-#+<?xml version="1.0" encoding="UTF-8"?>
-#+<ns0:Response xmlns:ns0="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ns2="http://www.w3.org/2000/09/xmldsig#" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Destination="http://lingon.catalogix.se:8087/" ID="id-vqOQ72JCppXaBWnBE" InResponseTo="id12" IssueInstant="2019-12-20T12:15:16Z" Version="2.0"><ns1:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">urn:mace:example.com:saml:roland:idp</ns1:Issuer><ns0:Status><ns0:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></ns0:Status><ns1:Assertion ID="id-SPOOFED_ASSERTION" IssueInstant="2019-12-20T12:15:16Z" Version="2.0"><ns1:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">urn:mace:example.com:saml:roland:idp</ns1:Issuer><ns2:Signature Id="Signature2"><ns2:SignedInfo><ns2:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ns2:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ns2:Reference URI="#id-Aa9IWfDxJVIX6GQye"><ns2:Transforms><ns2:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ns2:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ns2:Transforms><ns2:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ns2:DigestValue>EWBvQUlrwQbtrAjuUXkSBAVsZ50=</ns2:DigestValue></ns2:Reference></ns2:SignedInfo><ns2:SignatureValue>m4zRgTWleMcx1dFboeiYlbiDigHWAVhHVa+GLN++ELNMFDutuzBxc3tu6okyaNQGW3leu32wzbfdpb5+3RlpGoKj2wPX570/EMJj4uw91XfXsZfpNP+5GlgNT8w/elDmBXhG/KwmSO477Imk0szKovTBMVHmo3QOd+ba//dVsJE=</ns2:SignatureValue><ns2:KeyInfo><ns2:X509Data><ns2:X509Certificate>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</ns2:X509Certificate></ns2:X509Data></ns2:KeyInfo></ns2:Signature><ns1:Subject><ns1:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" NameQualifier="" SPNameQualifier="id12">ANOTHER_ID</ns1:NameID><ns1:SubjectConfirmation 
Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><ns1:SubjectConfirmationData InResponseTo="id12" NotOnOrAfter="2019-12-20T12:20:16Z" Recipient="http://lingon.catalogix.se:8087/"/></ns1:SubjectConfirmation></ns1:Subject><ns1:Conditions NotBefore="2019-12-20T12:15:16Z" NotOnOrAfter="2019-12-20T12:20:16Z"><ns1:AudienceRestriction><ns1:Audience>urn:mace:example.com:saml:roland:sp</ns1:Audience></ns1:AudienceRestriction></ns1:Conditions><ns1:AuthnStatement AuthnInstant="2019-12-20T12:15:16Z" SessionIndex="id-eEhNCc5BSiesVOl8B"><ns1:AuthnContext><ns1:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocolPassword</ns1:AuthnContextClassRef><ns1:AuthenticatingAuthority>http://www.example.com/login</ns1:AuthenticatingAuthority></ns1:AuthnContext></ns1:AuthnStatement><ns1:AttributeStatement><ns1:Attribute FriendlyName="eduPersonAffiliation" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><ns1:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">staff</ns1:AttributeValue><ns1:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">ADMIN</ns1:AttributeValue></ns1:Attribute><ns1:Attribute FriendlyName="mail" Name="urn:oid:0.9.2342.19200300.100.1.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><ns1:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">HACKER@gmail.com</ns1:AttributeValue></ns1:Attribute><ns1:Attribute FriendlyName="givenName" Name="urn:oid:2.5.4.42" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><ns1:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">Derek</ns1:AttributeValue></ns1:Attribute><ns1:Attribute FriendlyName="surName" Name="urn:oid:2.5.4.4" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><ns1:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">Jeter</ns1:AttributeValue></ns1:Attribute><ns1:Attribute 
FriendlyName="title" Name="urn:oid:2.5.4.12" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><ns1:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">shortstop</ns1:AttributeValue></ns1:Attribute></ns1:AttributeStatement></ns1:Assertion>
-#+<XSW_ATTACK>
-#+<ns1:Assertion ID="id-Aa9IWfDxJVIX6GQye" IssueInstant="2019-12-20T12:15:16Z" Version="2.0"><ns1:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">urn:mace:example.com:saml:roland:idp</ns1:Issuer><ns1:Subject><ns1:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" NameQualifier="" SPNameQualifier="id12">ac5b22bb8eac4a26ed07a55432a0fe0da243f6e911aa614cff402c44d7cdec36</ns1:NameID><ns1:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><ns1:SubjectConfirmationData InResponseTo="id12" NotOnOrAfter="2019-12-20T12:20:16Z" Recipient="http://lingon.catalogix.se:8087/"/></ns1:SubjectConfirmation></ns1:Subject><ns1:Conditions NotBefore="2019-12-20T12:15:16Z" NotOnOrAfter="2019-12-20T12:20:16Z"><ns1:AudienceRestriction><ns1:Audience>urn:mace:example.com:saml:roland:sp</ns1:Audience></ns1:AudienceRestriction></ns1:Conditions><ns1:AuthnStatement AuthnInstant="2019-12-20T12:15:16Z" SessionIndex="id-eEhNCc5BSiesVOl8B"><ns1:AuthnContext><ns1:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocolPassword</ns1:AuthnContextClassRef><ns1:AuthenticatingAuthority>http://www.example.com/login</ns1:AuthenticatingAuthority></ns1:AuthnContext></ns1:AuthnStatement><ns1:AttributeStatement><ns1:Attribute FriendlyName="eduPersonAffiliation" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><ns1:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">staff</ns1:AttributeValue><ns1:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">member</ns1:AttributeValue></ns1:Attribute><ns1:Attribute FriendlyName="mail" Name="urn:oid:0.9.2342.19200300.100.1.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><ns1:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">foo@gmail.com</ns1:AttributeValue></ns1:Attribute><ns1:Attribute FriendlyName="givenName" Name="urn:oid:2.5.4.42" 
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><ns1:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">Derek</ns1:AttributeValue></ns1:Attribute><ns1:Attribute FriendlyName="surName" Name="urn:oid:2.5.4.4" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><ns1:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">Jeter</ns1:AttributeValue></ns1:Attribute><ns1:Attribute FriendlyName="title" Name="urn:oid:2.5.4.12" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><ns1:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">shortstop</ns1:AttributeValue></ns1:Attribute></ns1:AttributeStatement></ns1:Assertion>
-#+</XSW_ATTACK>
-#+</ns0:Response>
-#Index: python-pysaml2-3.0.0/tests/test_xsw.py
-#===================================================================
-#--- /dev/null
-#+++ python-pysaml2-3.0.0/tests/test_xsw.py
-#@@ -0,0 +1,44 @@
-#+from datetime import datetime
-#+from mock import Mock
-#+from mock import patch
-#+
-#+from saml2.config import config_factory
-#+from saml2.response import authn_response
-#+from saml2.sigver import SignatureError
-#+
-#+from dateutil import parser
-#+
-#+from pytest import raises
-#+
-#+from pathutils import dotname
-#+from pathutils import full_path
-#+
-#+
-#+XML_RESPONSE_XSW = full_path("saml2_response_xsw.xml")
-#+
-#+
-#+class TestAuthnResponse:
-#+    def setup_class(self):
-#+        self.conf = config_factory("sp", dotname("server_conf"))
-#+        self.ar = authn_response(self.conf, "http://lingon.catalogix.se:8087/")
-#+
-#+    @patch('saml2.response.validate_on_or_after', return_value=True)
-#+    def test_verify_signed_xsw(self, mock_validate_on_or_after):
-#+        self.ar.issue_instant_ok = Mock(return_value=True)
-#+
-#+        with open(XML_RESPONSE_XSW) as fp:
-#+            xml_response = fp.read()
-#+
-#+        self.ar.outstanding_queries = {"id12": "http://localhost:8088/sso"}
-#+        self.ar.timeslack = 10000
-#+        self.ar.loads(xml_response, decode=False)
-#+
-#+        assert self.ar.came_from == 'http://localhost:8088/sso'
-#+        assert self.ar.session_id() == "id12"
-#+        assert self.ar.issuer() == 'urn:mace:example.com:saml:roland:idp'
-#+
-#+        with raises(SignatureError):
-#+            self.ar.verify()
-#+
-#+        assert self.ar.ava is None
-#+        assert self.ar.name_id is None
+Index: python-pysaml2-3.0.0/tests/saml2_response_xsw.xml
+===================================================================
+--- /dev/null
++++ python-pysaml2-3.0.0/tests/saml2_response_xsw.xml
+@@ -0,0 +1,6 @@
++<?xml version="1.0" encoding="UTF-8"?>
++<ns0:Response xmlns:ns0="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ns2="http://www.w3.org/2000/09/xmldsig#" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Destination="http://lingon.catalogix.se:8087/" ID="id-vqOQ72JCppXaBWnBE" InResponseTo="id12" IssueInstant="2019-12-20T12:15:16Z" Version="2.0"><ns1:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">urn:mace:example.com:saml:roland:idp</ns1:Issuer><ns0:Status><ns0:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></ns0:Status><ns1:Assertion ID="id-SPOOFED_ASSERTION" IssueInstant="2019-12-20T12:15:16Z" Version="2.0"><ns1:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">urn:mace:example.com:saml:roland:idp</ns1:Issuer><ns2:Signature Id="Signature2"><ns2:SignedInfo><ns2:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ns2:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ns2:Reference URI="#id-Aa9IWfDxJVIX6GQye"><ns2:Transforms><ns2:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ns2:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ns2:Transforms><ns2:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ns2:DigestValue>EWBvQUlrwQbtrAjuUXkSBAVsZ50=</ns2:DigestValue></ns2:Reference></ns2:SignedInfo><ns2:SignatureValue>m4zRgTWleMcx1dFboeiYlbiDigHWAVhHVa+GLN++ELNMFDutuzBxc3tu6okyaNQGW3leu32wzbfdpb5+3RlpGoKj2wPX570/EMJj4uw91XfXsZfpNP+5GlgNT8w/elDmBXhG/KwmSO477Imk0szKovTBMVHmo3QOd+ba//dVsJE=</ns2:SignatureValue><ns2:KeyInfo><ns2:X509Data><ns2:X509Certificate>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</ns2:X509Certificate></ns2:X509Data></ns2:KeyInfo></ns2:Signature><ns1:Subject><ns1:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" NameQualifier="" SPNameQualifier="id12">ANOTHER_ID</ns1:NameID><ns1:SubjectConfirmation 
Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><ns1:SubjectConfirmationData InResponseTo="id12" NotOnOrAfter="2019-12-20T12:20:16Z" Recipient="http://lingon.catalogix.se:8087/"/></ns1:SubjectConfirmation></ns1:Subject><ns1:Conditions NotBefore="2019-12-20T12:15:16Z" NotOnOrAfter="2019-12-20T12:20:16Z"><ns1:AudienceRestriction><ns1:Audience>urn:mace:example.com:saml:roland:sp</ns1:Audience></ns1:AudienceRestriction></ns1:Conditions><ns1:AuthnStatement AuthnInstant="2019-12-20T12:15:16Z" SessionIndex="id-eEhNCc5BSiesVOl8B"><ns1:AuthnContext><ns1:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocolPassword</ns1:AuthnContextClassRef><ns1:AuthenticatingAuthority>http://www.example.com/login</ns1:AuthenticatingAuthority></ns1:AuthnContext></ns1:AuthnStatement><ns1:AttributeStatement><ns1:Attribute FriendlyName="eduPersonAffiliation" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><ns1:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">staff</ns1:AttributeValue><ns1:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">ADMIN</ns1:AttributeValue></ns1:Attribute><ns1:Attribute FriendlyName="mail" Name="urn:oid:0.9.2342.19200300.100.1.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><ns1:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">HACKER@gmail.com</ns1:AttributeValue></ns1:Attribute><ns1:Attribute FriendlyName="givenName" Name="urn:oid:2.5.4.42" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><ns1:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">Derek</ns1:AttributeValue></ns1:Attribute><ns1:Attribute FriendlyName="surName" Name="urn:oid:2.5.4.4" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><ns1:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">Jeter</ns1:AttributeValue></ns1:Attribute><ns1:Attribute 
FriendlyName="title" Name="urn:oid:2.5.4.12" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><ns1:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">shortstop</ns1:AttributeValue></ns1:Attribute></ns1:AttributeStatement></ns1:Assertion>
++<XSW_ATTACK>
++<ns1:Assertion ID="id-Aa9IWfDxJVIX6GQye" IssueInstant="2019-12-20T12:15:16Z" Version="2.0"><ns1:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">urn:mace:example.com:saml:roland:idp</ns1:Issuer><ns1:Subject><ns1:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" NameQualifier="" SPNameQualifier="id12">ac5b22bb8eac4a26ed07a55432a0fe0da243f6e911aa614cff402c44d7cdec36</ns1:NameID><ns1:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><ns1:SubjectConfirmationData InResponseTo="id12" NotOnOrAfter="2019-12-20T12:20:16Z" Recipient="http://lingon.catalogix.se:8087/"/></ns1:SubjectConfirmation></ns1:Subject><ns1:Conditions NotBefore="2019-12-20T12:15:16Z" NotOnOrAfter="2019-12-20T12:20:16Z"><ns1:AudienceRestriction><ns1:Audience>urn:mace:example.com:saml:roland:sp</ns1:Audience></ns1:AudienceRestriction></ns1:Conditions><ns1:AuthnStatement AuthnInstant="2019-12-20T12:15:16Z" SessionIndex="id-eEhNCc5BSiesVOl8B"><ns1:AuthnContext><ns1:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocolPassword</ns1:AuthnContextClassRef><ns1:AuthenticatingAuthority>http://www.example.com/login</ns1:AuthenticatingAuthority></ns1:AuthnContext></ns1:AuthnStatement><ns1:AttributeStatement><ns1:Attribute FriendlyName="eduPersonAffiliation" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><ns1:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">staff</ns1:AttributeValue><ns1:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">member</ns1:AttributeValue></ns1:Attribute><ns1:Attribute FriendlyName="mail" Name="urn:oid:0.9.2342.19200300.100.1.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><ns1:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">foo@gmail.com</ns1:AttributeValue></ns1:Attribute><ns1:Attribute FriendlyName="givenName" Name="urn:oid:2.5.4.42" 
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><ns1:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">Derek</ns1:AttributeValue></ns1:Attribute><ns1:Attribute FriendlyName="surName" Name="urn:oid:2.5.4.4" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><ns1:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">Jeter</ns1:AttributeValue></ns1:Attribute><ns1:Attribute FriendlyName="title" Name="urn:oid:2.5.4.12" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><ns1:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">shortstop</ns1:AttributeValue></ns1:Attribute></ns1:AttributeStatement></ns1:Assertion>
++</XSW_ATTACK>
++</ns0:Response>
+Index: python-pysaml2-3.0.0/tests/test_xsw.py
+===================================================================
+--- /dev/null
++++ python-pysaml2-3.0.0/tests/test_xsw.py
+@@ -0,0 +1,44 @@
++from datetime import datetime
++from mock import Mock
++from mock import patch
++
++from saml2.config import config_factory
++from saml2.response import authn_response
++from saml2.sigver import SignatureError
++
++from dateutil import parser
++
++from pytest import raises
++
++from pathutils import dotname
++from pathutils import full_path
++
++
++XML_RESPONSE_XSW = full_path("saml2_response_xsw.xml")
++
++
++class TestAuthnResponse:
++    def setup_class(self):
++        self.conf = config_factory("sp", dotname("server_conf"))
++        self.ar = authn_response(self.conf, "http://lingon.catalogix.se:8087/")
++
++    @patch('saml2.response.validate_on_or_after', return_value=True)
++    def test_verify_signed_xsw(self, mock_validate_on_or_after):
++        self.ar.issue_instant_ok = Mock(return_value=True)
++
++        with open(XML_RESPONSE_XSW) as fp:
++            xml_response = fp.read()
++
++        self.ar.outstanding_queries = {"id12": "http://localhost:8088/sso"}
++        self.ar.timeslack = 10000
++        self.ar.loads(xml_response, decode=False)
++
++        assert self.ar.came_from == 'http://localhost:8088/sso'
++        assert self.ar.session_id() == "id12"
++        assert self.ar.issuer() == 'urn:mace:example.com:saml:roland:idp'
++
++        with raises(SignatureError):
++            self.ar.verify()
++
++        assert self.ar.ava is None
++        assert self.ar.name_id is None
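Review bot: The newly applied tests/test_xsw.py imports `from datetime import datetime` and `from dateutil import parser` but uses neither, and dateutil is an extra test-only dependency this security backport does not otherwise need; drop those two import lines. The test also has to mock `validate_on_or_after` and `issue_instant_ok` because the fixture's timestamps are pinned to 2019-12-20, which is not obvious from the code — a comment above the `@patch` decorator such as `# Fixture timestamps are fixed (2019-12-20); bypass time-validity checks so only signature-wrapping handling is under test.` would explain why. It would also help to note in the test module that the signed `Reference URI="#id-Aa9IWfDxJVIX6GQye"` points at the genuine assertion nested inside `<XSW_ATTACK>`, while the outer unsigned assertion `id-SPOOFED_ASSERTION` carries the attacker's attributes (`ADMIN`, `HACKER@gmail.com`), since the final `ava is None` / `name_id is None` assertions are what prove none of the spoofed data was accepted. Before this change these lines were all `#`-prefixed inside the patch, so this regression test appears not to have been applied to the package until now.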
diff -Nru python-pysaml2-3.0.0/debian/patches/CVE-2021-21238.patch python-pysaml2-3.0.0/debian/patches/CVE-2021-21238.patch
--- python-pysaml2-3.0.0/debian/patches/CVE-2021-21238.patch	1970-01-01 10:00:00.000000000 +1000
+++ python-pysaml2-3.0.0/debian/patches/CVE-2021-21238.patch	2021-02-01 09:37:09.000000000 +1100
@@ -0,0 +1,402 @@
+From 3b707723dcf1bf60677b424aac398c0c3557641d Mon Sep 17 00:00:00 2001
+From: Ivan Kanakarakis <ivan.kanak@gmail.com>
+Date: Sat, 9 Jan 2021 00:31:13 +0200
+Subject: [PATCH] Fix CVE-2021-21238 - SAML XML Signature wrapping
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+All users of pysaml2 that use the default `CryptoBackendXmlSec1` backend and need to
+verify signed SAML documents are impacted. `pysaml2 <= 6.4.1` does not validate the SAML
+document against an XML schema. This allows invalid XML documents to trick the
+verification process, by presenting elements with a valid signature inside elements
+whose content has been malformed. The verification is offloaded to `xmlsec1` and
+`xmlsec1` will not validate every signature in the given document, but only the first it
+finds in the given scope.
+
+Credits for the report:
+
+- Victor Schönfelder Garcia (isits AG International School of IT Security)
+- Juraj Somorovsky (Paderborn University)
+- Vladislav Mladenov (Ruhr University Bochum)
+
+Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
+---
+ setup.cfg                                     |  1 +
+ src/saml2/sigver.py                           | 26 ++++++
+ src/saml2/xml/__init__.py                     |  0
+ src/saml2/xml/schema/__init__.py              | 74 +++++++++++++++
+ tests/test_xsw.py                             | 41 +++++++++
+ ...d-xsw-assertion-in-assertion-first-sig.xml | 85 +++++++++++++++++
+ ...ned-xsw-response-in-response-first-sig.xml | 91 +++++++++++++++++++
+ 7 files changed, 318 insertions(+)
+ create mode 100644 src/saml2/xml/__init__.py
+ create mode 100644 src/saml2/xml/schema/__init__.py
+ create mode 100644 tests/xsw/signed-xsw-assertion-in-assertion-first-sig.xml
+ create mode 100644 tests/xsw/signed-xsw-response-in-response-first-sig.xml
+
+Index: python-pysaml2-3.0.0/src/saml2/sigver.py
+===================================================================
+--- python-pysaml2-3.0.0.orig/src/saml2/sigver.py
++++ python-pysaml2-3.0.0/src/saml2/sigver.py
+@@ -66,6 +66,8 @@ from saml2.xmlenc import EncryptedKey
+ from saml2.xmlenc import CipherData
+ from saml2.xmlenc import CipherValue
+ from saml2.xmlenc import EncryptedData
++from saml2.xml.schema import node_to_schema
++from saml2.xml.schema import XMLSchemaError
+ 
+ logger = logging.getLogger(__name__)
+ 
+@@ -1461,6 +1463,30 @@ class SecurityContext(object):
+ 
+         #print(certs)
+ 
++        # validate XML with the appropriate schema
++        try:
++            _schema = node_to_schema[node_name]
++        except KeyError as e:
++            error_context = {
++                "message": "Signature verification failed. Unknown node type.",
++                "issuer": _issuer,
++                "type": node_name,
++                "document": decoded_xml,
++            }
++            raise SignatureError(error_context)
++
++        try:
++            _schema.validate(str(item))
++        except XMLSchemaError as e:
++            error_context = {
++                "message": "Signature verification failed. Invalid document format.",
++                "ID": item.id,
++                "issuer": _issuer,
++                "type": node_name,
++                "document": decoded_xml,
++            }
++            raise SignatureError(error_context)
++
+         # saml-core section "5.4 XML Signature Profile" defines constrains on the
+         # xmldsig-core facilities. It explicitly dictates that enveloped signatures
+         # are the only signatures allowed. This mean that:
+Index: python-pysaml2-3.0.0/src/saml2/xml/schema/__init__.py
+===================================================================
+--- /dev/null
++++ python-pysaml2-3.0.0/src/saml2/xml/schema/__init__.py
+@@ -0,0 +1,74 @@
++from importlib_resources import path as _resource_path
++
++from xmlschema import XMLSchema as _XMLSchema
++from xmlschema.exceptions import XMLSchemaException as XMLSchemaError
++
++import saml2.data.schemas as _data_schemas
++
++
++def _create_xml_schema_validator(source, **kwargs):
++    kwargs = {
++        **kwargs,
++        "validation": "strict",
++        "locations": _locations,
++        "base_url": source,
++        "allow": "sandbox",
++        "use_fallback": False,
++    }
++    return _XMLSchema(source, **kwargs)
++
++
++with _resource_path(_data_schemas, "xml.xsd") as fp:
++    _path_schema_xml = str(fp)
++with _resource_path(_data_schemas, "envelope.xsd") as fp:
++    _path_schema_envelope = str(fp)
++with _resource_path(_data_schemas, "xenc-schema.xsd") as fp:
++    _path_schema_xenc = str(fp)
++with _resource_path(_data_schemas, "xmldsig-core-schema.xsd") as fp:
++    _path_schema_xmldsig_core = str(fp)
++with _resource_path(_data_schemas, "saml-schema-assertion-2.0.xsd") as fp:
++    _path_schema_saml_assertion = str(fp)
++with _resource_path(_data_schemas, "saml-schema-metadata-2.0.xsd") as fp:
++    _path_schema_saml_metadata = str(fp)
++with _resource_path(_data_schemas, "saml-schema-protocol-2.0.xsd") as fp:
++    _path_schema_saml_protocol = str(fp)
++
++_locations = {
++    "http://www.w3.org/XML/1998/namespace": _path_schema_xml,
++    "http://schemas.xmlsoap.org/soap/envelope/": _path_schema_envelope,
++    "http://www.w3.org/2001/04/xmlenc#": _path_schema_xenc,
++    "http://www.w3.org/2000/09/xmldsig#": _path_schema_xmldsig_core,
++    "urn:oasis:names:tc:SAML:2.0:assertion": _path_schema_saml_assertion,
++    "urn:oasis:names:tc:SAML:2.0:protocol": _path_schema_saml_protocol,
++}
++
++with _resource_path(_data_schemas, "saml-schema-assertion-2.0.xsd") as fp:
++    schema_saml_assertion = _create_xml_schema_validator(str(fp))
++with _resource_path(_data_schemas, "saml-schema-metadata-2.0.xsd") as fp:
++    schema_saml_metadata = _create_xml_schema_validator(str(fp))
++with _resource_path(_data_schemas, "saml-schema-protocol-2.0.xsd") as fp:
++    schema_saml_protocol = _create_xml_schema_validator(str(fp))
++
++
++node_to_schema = {
++    # AssertionType
++    "urn:oasis:names:tc:SAML:2.0:assertion:Assertion": schema_saml_assertion,
++    # EntitiesDescriptorType
++    "urn:oasis:names:tc:SAML:2.0:metadata:EntitiesDescriptor": schema_saml_metadata,
++    # EntityDescriptorType
++    "urn:oasis:names:tc:SAML:2.0:metadata:EntityDescriptor": schema_saml_metadata,
++    # RequestAbstractType
++    "urn:oasis:names:tc:SAML:2.0:protocol:AssertionIDRequest": schema_saml_protocol,
++    "urn:oasis:names:tc:SAML:2.0:protocol:SubjectQuery": schema_saml_protocol,
++    "urn:oasis:names:tc:SAML:2.0:protocol:AuthnRequest": schema_saml_protocol,
++    "urn:oasis:names:tc:SAML:2.0:protocol:ArtifactResolve": schema_saml_protocol,
++    "urn:oasis:names:tc:SAML:2.0:protocol:ManageNameIDRequest": schema_saml_protocol,
++    "urn:oasis:names:tc:SAML:2.0:protocol:LogoutRequest": schema_saml_protocol,
++    "urn:oasis:names:tc:SAML:2.0:protocol:NameIDMappingRequest": schema_saml_protocol,
++    # StatusResponseType
++    "urn:oasis:names:tc:SAML:2.0:protocol:Response": schema_saml_protocol,
++    "urn:oasis:names:tc:SAML:2.0:protocol:ArtifactResponse": schema_saml_protocol,
++    "urn:oasis:names:tc:SAML:2.0:protocol:ManageNameIDResponse": schema_saml_protocol,
++    "urn:oasis:names:tc:SAML:2.0:protocol:LogoutResponse": schema_saml_protocol,
++    "urn:oasis:names:tc:SAML:2.0:protocol:NameIDMappingResponse": schema_saml_protocol,
++}
+Index: python-pysaml2-3.0.0/tests/test_xsw.py
+===================================================================
+--- python-pysaml2-3.0.0.orig/tests/test_xsw.py
++++ python-pysaml2-3.0.0/tests/test_xsw.py
+@@ -16,6 +16,8 @@ from pathutils import full_path
+ 
+ XML_RESPONSE_XSW = full_path("saml2_response_xsw.xml")
+ 
++SIGNED_ASSERTION_FIRST_SIG = full_path("xsw/signed-xsw-assertion-in-assertion-first-sig.xml")
++SIGNED_REPONSE_FIRST_SIG = full_path("xsw/signed-xsw-response-in-response-first-sig.xml")
+ 
+ class TestAuthnResponse:
+     def setup_class(self):
+@@ -42,3 +44,42 @@ class TestAuthnResponse:
+ 
+         assert self.ar.ava is None
+         assert self.ar.name_id is None
++
++
++class TestInvalidDepthFirstSig:
++    def setup_class(self):
++        self.conf = config_factory("sp", dotname("server_conf"))
++        self.ar = authn_response(self.conf, return_addrs="https://example.org/acs/post")
++
++    @patch('saml2.response.validate_on_or_after', return_value=True)
++    def test_signed_assertion_first_sig_should_fail(self, mock_validate_on_or_after):
++        self.ar.issue_instant_ok = Mock(return_value=True)
++
++        with open(SIGNED_ASSERTION_FIRST_SIG) as fp:
++            xml_response = fp.read()
++
++        self.ar.outstanding_queries = {"id-abc": "http://localhost:8088/sso"}
++        self.ar.timeslack = 10000
++        self.ar.loads(xml_response, decode=False)
++
++        assert self.ar.came_from == 'http://localhost:8088/sso'
++        assert self.ar.session_id() == "id-abc"
++        assert self.ar.issuer() == 'urn:mace:example.com:saml:roland:idp'
++
++        with raises(SignatureError):
++            self.ar.verify()
++
++        assert self.ar.ava is None
++        assert self.ar.name_id is None
++
++    @patch('saml2.response.validate_on_or_after', return_value=True)
++    def test_signed_response_first_sig_should_fail(self, mock_validate_on_or_after):
++        self.ar.issue_instant_ok = Mock(return_value=True)
++
++        with open(SIGNED_REPONSE_FIRST_SIG) as fp:
++            xml_response = fp.read()
++
++        self.ar.outstanding_queries = {"id-abc": "http://localhost:8088/sso"}
++        self.ar.timeslack = 10000
++        with raises(SignatureError):
++            self.ar.loads(xml_response, decode=False)
+Index: python-pysaml2-3.0.0/tests/xsw/signed-xsw-assertion-in-assertion-first-sig.xml
+===================================================================
+--- /dev/null
++++ python-pysaml2-3.0.0/tests/xsw/signed-xsw-assertion-in-assertion-first-sig.xml
+@@ -0,0 +1,85 @@
++<?xml version="1.0"?>
++<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="the-response-id" InResponseTo="id-abc" Version="2.0" IssueInstant="2020-09-14T22:37:32Z" Destination="https://example.org/acs/post">
++	<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:mace:example.com:saml:roland:idp</saml:Issuer>
++	<samlp:Status xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
++		<samlp:StatusCode xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
++	</samlp:Status>
++	<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" ID="attack-assertion-id" IssueInstant="2020-09-14T22:37:32Z" Version="2.0">
++	<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" ID="the-assertion-id" IssueInstant="2020-09-14T22:37:32Z" Version="2.0">
++		<saml:Issuer>urn:mace:example.com:saml:roland:idp</saml:Issuer>
++		<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
++			<ds:SignedInfo>
++				<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
++				<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
++				<ds:Reference URI="#the-assertion-id">
++					<ds:Transforms>
++						<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
++						<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
++					</ds:Transforms>
++					<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
++					<ds:DigestValue>iLDF5/5VJs4sb3TasVTvFCsIi0k=</ds:DigestValue>
++				</ds:Reference>
++			</ds:SignedInfo>
++			<ds:SignatureValue>Ked5gvNcRhHCivVN9y9+5LDAZLqLhRg3Sw2xlRR4HP2am1mFoBDdUx4khEWdcC2dknbzfo2AC1AtcbHTogDLOSLzYX9sT/gj995qotu4fUFQPMiocbCZRpbXTI6iDRiytwYtAkw28yQ4FVCe99GUThbV9tpLIoqMPZYNJ3TmL/I=</ds:SignatureValue>
++			<ds:KeyInfo>
++				<ds:X509Data>
++					<ds:X509Certificate>MIICsDCCAhmgAwIBAgIJAJrzqSSwmDY9MA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwHhcNMDkxMDA2MTk0OTQxWhcNMDkxMTA1MTk0OTQxWjBFMQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDJg2cms7MqjniT8Fi/XkNHZNPbNVQyMUMXE9tXOdqwYCA1cc8vQdzkihscQMXy3iPw2cMggBu6gjMTOSOxECkuvX5ZCclKr8pXAJM5cY6gVOaVO2PdTZcvDBKGbiaNefiEw5hnoZomqZGp8wHNLAUkwtH9vjqqvxyS/vclc6k2ewIDAQABo4GnMIGkMB0GA1UdDgQWBBRePsKHKYJsiojE78ZWXccK9K4aJTB1BgNVHSMEbjBsgBRePsKHKYJsiojE78ZWXccK9K4aJaFJpEcwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZIIJAJrzqSSwmDY9MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEAJSrKOEzHO7TL5cy6h3qh+3+JAk8HbGBW+cbX6KBCAw/mzU8flK25vnWwXS3dv2FF3Aod0/S7AWNfKib5U/SA9nJaz/mWeF9S0farz9AQFc8/NSzAzaVq7YbM4F6f6N2FRl7GikdXRCed45j6mrPzGzk3ECbupFnqyREH3+ZPSdk=</ds:X509Certificate>
++				</ds:X509Data>
++			</ds:KeyInfo>
++		</ds:Signature>
++		<saml:Subject>
++			<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">the-name-id</saml:NameID>
++			<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
++				<saml:SubjectConfirmationData InResponseTo="id-abc" NotOnOrAfter="2020-09-14T22:47:32Z" Recipient="https://example.org/acs/post"/>
++			</saml:SubjectConfirmation>
++		</saml:Subject>
++		<saml:Conditions NotBefore="2020-09-14T22:27:32Z" NotOnOrAfter="2020-09-14T22:47:32Z">
++			<saml:AudienceRestriction>
++				<saml:Audience>urn:mace:example.com:saml:roland:sp</saml:Audience>
++			</saml:AudienceRestriction>
++		</saml:Conditions>
++		<saml:AuthnStatement AuthnInstant="2020-09-14T22:37:32Z" SessionIndex="id-sessidx">
++			<saml:AuthnContext>
++				<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
++			</saml:AuthnContext>
++		</saml:AuthnStatement>
++	</saml:Assertion>
++		<saml:Issuer>urn:mace:example.com:saml:roland:idp</saml:Issuer>
++		<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
++			<ds:SignedInfo>
++				<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
++				<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
++				<ds:Reference URI="#attack-assertion-id">
++					<ds:Transforms>
++						<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
++						<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
++					</ds:Transforms>
++					<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
++					<ds:DigestValue>dGhpcyBpcyBza2lwcGVkOyBvbmx5IHRoZSBmaXJzdCBzaWduYXR1cmUgaXMgcHJvY2Vzc2VkCg==</ds:DigestValue>
++				</ds:Reference>
++			</ds:SignedInfo>
++			<ds:SignatureValue>dGhpcyBpcyBza2lwcGVkOyBvbmx5IHRoZSBmaXJzdCBzaWduYXR1cmUgaXMgcHJvY2Vzc2VkCg==</ds:SignatureValue>
++			<ds:KeyInfo>
++				<ds:X509Data>
++					<ds:X509Certificate>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</ds:X509Certificate>
++				</ds:X509Data>
++			</ds:KeyInfo>
++		</ds:Signature>
++		<saml:Subject>
++			<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">attack-name-id</saml:NameID>
++			<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
++				<saml:SubjectConfirmationData InResponseTo="id-abc" NotOnOrAfter="2020-09-14T22:47:32Z" Recipient="https://example.org/acs/post"/>
++			</saml:SubjectConfirmation>
++		</saml:Subject>
++		<saml:Conditions NotBefore="2020-09-14T22:27:32Z" NotOnOrAfter="2020-09-14T22:47:32Z">
++			<saml:AudienceRestriction>
++				<saml:Audience>urn:mace:example.com:saml:roland:sp</saml:Audience>
++			</saml:AudienceRestriction>
++		</saml:Conditions>
++		<saml:AuthnStatement AuthnInstant="2020-09-14T22:37:32Z" SessionIndex="id-sessidx">
++			<saml:AuthnContext>
++				<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
++			</saml:AuthnContext>
++		</saml:AuthnStatement>
++	</saml:Assertion>
++</samlp:Response>
+Index: python-pysaml2-3.0.0/tests/xsw/signed-xsw-response-in-response-first-sig.xml
+===================================================================
+--- /dev/null
++++ python-pysaml2-3.0.0/tests/xsw/signed-xsw-response-in-response-first-sig.xml
+@@ -0,0 +1,91 @@
++<?xml version="1.0"?>
++<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="attack-response-id" InResponseTo="id-abc" Version="2.0" IssueInstant="2020-09-14T22:37:32Z" Destination="https://example.org/acs/post">
++<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="the-response-id" InResponseTo="id-abc" Version="2.0" IssueInstant="2020-09-14T22:37:32Z" Destination="https://example.org/acs/post">
++	<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:mace:example.com:saml:roland:idp</saml:Issuer>
++	<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
++		<ds:SignedInfo>
++			<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
++			<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
++			<ds:Reference URI="#the-response-id">
++				<ds:Transforms>
++					<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
++					<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
++				</ds:Transforms>
++				<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
++				<ds:DigestValue>ykldcjeUTA6xMqk+BUQy9hvraOo=</ds:DigestValue>
++			</ds:Reference>
++		</ds:SignedInfo>
++		<ds:SignatureValue>TF6666UcgC3+ZO/CevRxvLAOjpZEttJm90J2j/vDfGBsjnIcAkHDO42x1u/VvrDXJrWpGmmAZ0vBcW8Hg+6qhXNQngzSfMfID+eE9OBf7Ptj1flAea1WrfvNQPFDy0qlriusYjc7tL6tFmUgwzhfzI3V8xPOH1Bxmh5Cl92JOk8=</ds:SignatureValue>
++		<ds:KeyInfo>
++			<ds:X509Data>
++				<ds:X509Certificate>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</ds:X509Certificate>
++			</ds:X509Data>
++		</ds:KeyInfo>
++	</ds:Signature>
++	<samlp:Status xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
++		<samlp:StatusCode xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
++	</samlp:Status>
++	<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" ID="the-assertion-id" IssueInstant="2020-09-14T22:37:32Z" Version="2.0">
++		<saml:Issuer>urn:mace:example.com:saml:roland:idp</saml:Issuer>
++		<saml:Subject>
++			<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">the-name-id</saml:NameID>
++			<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
++				<saml:SubjectConfirmationData InResponseTo="id-abc" NotOnOrAfter="2020-09-14T22:47:32Z" Recipient="https://example.org/acs/post"/>
++			</saml:SubjectConfirmation>
++		</saml:Subject>
++		<saml:Conditions NotBefore="2020-09-14T22:27:32Z" NotOnOrAfter="2020-09-14T22:47:32Z">
++			<saml:AudienceRestriction>
++				<saml:Audience>urn:mace:example.com:saml:roland:sp</saml:Audience>
++			</saml:AudienceRestriction>
++		</saml:Conditions>
++		<saml:AuthnStatement AuthnInstant="2020-09-14T22:37:32Z" SessionIndex="id-sessidx">
++			<saml:AuthnContext>
++				<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
++			</saml:AuthnContext>
++		</saml:AuthnStatement>
++	</saml:Assertion>
++</samlp:Response>
++	<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:mace:example.com:saml:roland:idp</saml:Issuer>
++	<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
++		<ds:SignedInfo>
++			<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
++			<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
++			<ds:Reference URI="#attack-response-id">
++				<ds:Transforms>
++					<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
++					<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
++				</ds:Transforms>
++				<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
++				<ds:DigestValue>ykldcjeUTA6xMqk+BUQy9hvraOo=</ds:DigestValue>
++			</ds:Reference>
++		</ds:SignedInfo>
++		<ds:SignatureValue>TF6666UcgC3+ZO/CevRxvLAOjpZEttJm90J2j/vDfGBsjnIcAkHDO42x1u/VvrDXJrWpGmmAZ0vBcW8Hg+6qhXNQngzSfMfID+eE9OBf7Ptj1flAea1WrfvNQPFDy0qlriusYjc7tL6tFmUgwzhfzI3V8xPOH1Bxmh5Cl92JOk8=</ds:SignatureValue>
++		<ds:KeyInfo>
++			<ds:X509Data>
++				<ds:X509Certificate>MIICsDCCAhmgAwIBAgIJAJrzqSSwmDY9MA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwHhcNMDkxMDA2MTk0OTQxWhcNMDkxMTA1MTk0OTQxWjBFMQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDJg2cms7MqjniT8Fi/XkNHZNPbNVQyMUMXE9tXOdqwYCA1cc8vQdzkihscQMXy3iPw2cMggBu6gjMTOSOxECkuvX5ZCclKr8pXAJM5cY6gVOaVO2PdTZcvDBKGbiaNefiEw5hnoZomqZGp8wHNLAUkwtH9vjqqvxyS/vclc6k2ewIDAQABo4GnMIGkMB0GA1UdDgQWBBRePsKHKYJsiojE78ZWXccK9K4aJTB1BgNVHSMEbjBsgBRePsKHKYJsiojE78ZWXccK9K4aJaFJpEcwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZIIJAJrzqSSwmDY9MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEAJSrKOEzHO7TL5cy6h3qh+3+JAk8HbGBW+cbX6KBCAw/mzU8flK25vnWwXS3dv2FF3Aod0/S7AWNfKib5U/SA9nJaz/mWeF9S0farz9AQFc8/NSzAzaVq7YbM4F6f6N2FRl7GikdXRCed45j6mrPzGzk3ECbupFnqyREH3+ZPSdk=</ds:X509Certificate>
++			</ds:X509Data>
++		</ds:KeyInfo>
++	</ds:Signature>
++	<samlp:Status xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
++		<samlp:StatusCode xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
++	</samlp:Status>
++	<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" ID="the-assertion-id" IssueInstant="2020-09-14T22:37:32Z" Version="2.0">
++		<saml:Issuer>urn:mace:example.com:saml:roland:idp</saml:Issuer>
++		<saml:Subject>
++			<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">attack-name-id</saml:NameID>
++			<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
++				<saml:SubjectConfirmationData InResponseTo="id-abc" NotOnOrAfter="2020-09-14T22:47:32Z" Recipient="https://example.org/acs/post"/>
++			</saml:SubjectConfirmation>
++		</saml:Subject>
++		<saml:Conditions NotBefore="2020-09-14T22:27:32Z" NotOnOrAfter="2020-09-14T22:47:32Z">
++			<saml:AudienceRestriction>
++				<saml:Audience>urn:mace:example.com:saml:roland:sp</saml:Audience>
++			</saml:AudienceRestriction>
++		</saml:Conditions>
++		<saml:AuthnStatement AuthnInstant="2020-09-14T22:37:32Z" SessionIndex="id-sessidx">
++			<saml:AuthnContext>
++				<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
++			</saml:AuthnContext>
++		</saml:AuthnStatement>
++	</saml:Assertion>
++</samlp:Response>
diff -Nru python-pysaml2-3.0.0/debian/patches/CVE-2021-21239.patch python-pysaml2-3.0.0/debian/patches/CVE-2021-21239.patch
--- python-pysaml2-3.0.0/debian/patches/CVE-2021-21239.patch	1970-01-01 10:00:00.000000000 +1000
+++ python-pysaml2-3.0.0/debian/patches/CVE-2021-21239.patch	2021-02-02 08:40:33.000000000 +1100
@@ -0,0 +1,273 @@
+From 751dbf50a51131b13d55989395f9b115045f9737 Mon Sep 17 00:00:00 2001
+From: Ivan Kanakarakis <ivan.kanak@gmail.com>
+Date: Mon, 4 Jan 2021 22:52:07 +0200
+Subject: [PATCH] Fix CVE-2021-21239 - Restrict the key data that xmlsec1
+ accepts to only x509 certs
+
+All users of pysaml2 that use the default CryptoBackendXmlSec1 backend and need to
+verify signed SAML documents are impacted. pysaml2 <= 6.4.1 does not ensure that a
+signed SAML document is correctly signed. The default CryptoBackendXmlSec1 backend is
+using the xmlsec1 binary to verify the signature of signed SAML documents, but by
+default, xmlsec1 accepts any type of key found within the given document. xmlsec1 needs
+to be configured explicitly to only use only x509 certificates for the verification
+process of the SAML document signature.
+
+Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
+---
+ src/saml2/sigver.py                           |  1 +
+ tests/test_xmlsec1_key_data.py                | 81 +++++++++++++++++++
+ .../signed-assertion-random-embedded-cert.xml | 47 +++++++++++
+ .../signed-assertion-with-hmac.xml            | 49 +++++++++++
+ .../signed-response-with-hmac.xml             | 49 +++++++++++
+ 5 files changed, 227 insertions(+)
+ create mode 100644 tests/test_xmlsec1_key_data.py
+ create mode 100644 tests/xmlsec1-keydata/signed-assertion-random-embedded-cert.xml
+ create mode 100644 tests/xmlsec1-keydata/signed-assertion-with-hmac.xml
+ create mode 100644 tests/xmlsec1-keydata/signed-response-with-hmac.xml
+
+Index: python-pysaml2-3.0.0/tests/test_xmlsec1_key_data.py
+===================================================================
+--- /dev/null
++++ python-pysaml2-3.0.0/tests/test_xmlsec1_key_data.py
+@@ -0,0 +1,81 @@
++from datetime import datetime
++from dateutil import parser
++from unittest.mock import Mock
++from unittest.mock import patch
++
++from pytest import raises
++
++from saml2.config import config_factory
++from saml2.response import authn_response
++from saml2.sigver import SignatureError
++
++from pathutils import dotname
++from pathutils import full_path
++
++
++SIGNED_RESPONSE_HMAC = full_path("xmlsec1-keydata/signed-response-with-hmac.xml")
++SIGNED_ASSERTION_HMAC = full_path("xmlsec1-keydata/signed-assertion-with-hmac.xml")
++SIGNED_ASSERTION_RANDOM_EMBEDDED_CERT = full_path("xmlsec1-keydata/signed-assertion-random-embedded-cert.xml")
++
++
++class TestAuthnResponse:
++    @patch('saml2.response.validate_on_or_after', return_value=True)
++    def test_signed_response_with_hmac_should_fail(self, mock_validate_on_or_after):
++        conf = config_factory("sp", dotname("server_conf"))
++        ar = authn_response(conf, return_addrs="https://example.org/acs/post")
++        ar.issue_instant_ok = Mock(return_value=True)
++
++        with open(SIGNED_RESPONSE_HMAC) as fp:
++            xml_response = fp.read()
++
++        ar.outstanding_queries = {"id-abc": "http://localhost:8088/sso"}
++        ar.timeslack = 10000
++
++        # .loads checks the response signature
++        with raises(SignatureError):
++            ar.loads(xml_response, decode=False)
++
++        assert ar.ava is None
++        assert ar.name_id is None
++
++    @patch('saml2.response.validate_on_or_after', return_value=True)
++    def test_signed_assertion_with_hmac_should_fail(self, mock_validate_on_or_after):
++        conf = config_factory("sp", dotname("server_conf"))
++        ar = authn_response(conf, return_addrs="https://example.org/acs/post")
++        ar.issue_instant_ok = Mock(return_value=True)
++
++        with open(SIGNED_ASSERTION_HMAC) as fp:
++            xml_response = fp.read()
++
++        ar.outstanding_queries = {"id-abc": "http://localhost:8088/sso"}
++        ar.timeslack = 10000
++
++        # .loads does not check the assertion, only the response signature
++        # use .verify to verify the contents of the response
++        assert ar.loads(xml_response, decode=False)
++        with raises(SignatureError):
++            ar.verify()
++
++        assert ar.ava is None
++        assert ar.name_id is None
++
++    @patch('saml2.response.validate_on_or_after', return_value=True)
++    def test_signed_assertion_with_random_embedded_cert_should_be_ignored(self, mock_validate_on_or_after):
++        """
++        if the embedded cert is not ignored then verification will fail
++        """
++
++        conf = config_factory("sp", dotname("server_conf"))
++        ar = authn_response(conf, return_addrs="https://51.15.251.81.xip.io/acs/post")
++        ar.issue_instant_ok = Mock(return_value=True)
++
++        with open(SIGNED_ASSERTION_RANDOM_EMBEDDED_CERT) as fp:
++            xml_response = fp.read()
++
++        ar.outstanding_queries = {"id-abc": "http://localhost:8088/sso"}
++        ar.timeslack = 10000
++
++        # .loads does not check the assertion, only the response signature
++        # use .verify to verify the contents of the response
++        assert ar.loads(xml_response, decode=False)
++        assert ar.verify()
+Index: python-pysaml2-3.0.0/tests/xmlsec1-keydata/signed-assertion-random-embedded-cert.xml
+===================================================================
+--- /dev/null
++++ python-pysaml2-3.0.0/tests/xmlsec1-keydata/signed-assertion-random-embedded-cert.xml
+@@ -0,0 +1,47 @@
++<?xml version="1.0"?>
++<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="the-response-id" IssueInstant="2020-12-04T07:48:09.700Z" InResponseTo="id-abc" Destination="https://51.15.251.81.xip.io/acs/post">
++    <saml:Issuer>urn:mace:example.com:saml:roland:idp</saml:Issuer>
++    <samlp:Status>
++        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
++    </samlp:Status>
++    <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="the-assertion-id" IssueInstant="2020-12-04T07:48:09.600Z">
++        <saml:Issuer>urn:mace:example.com:saml:roland:idp</saml:Issuer>
++        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
++            <ds:SignedInfo>
++                <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
++                <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
++                <ds:Reference URI="#the-assertion-id">
++                    <ds:Transforms>
++                        <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
++                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
++                    </ds:Transforms>
++                    <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
++                    <ds:DigestValue>NHB0WhPWj5OyRz9N52fZrEBWK3dXT2pVVT54f4kg1tM=</ds:DigestValue>
++                </ds:Reference>
++            </ds:SignedInfo>
++            <ds:SignatureValue>Mo4ZheAEDvdPQwWvT5SOYZZ2IBELwtmBpdsn+Th+IvsanychWQ6JHYKTI8hl+3DigbqQwdsqet8n9sfdvr+D+Q7XozjVaFPdzUGC9d96Mn/vrc+JIP/ESoDjDUQEsoSBhUFlrbu7tPJDJehPgd/maIwd/GqEHWXFlm1ZWVCmaH8=</ds:SignatureValue>
++            <ds:KeyInfo>
++                <ds:X509Data>
++                    <ds:X509Certificate>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</ds:X509Certificate>
++                    <ds:X509Certificate>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</ds:X509Certificate>
++                </ds:X509Data>
++            </ds:KeyInfo>
++        </ds:Signature>
++        <saml:Subject>
++            <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">attack-name-id</saml:NameID>
++            <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
++                <saml:SubjectConfirmationData NotOnOrAfter="2020-12-04T07:58:09.600Z" Recipient="https://51.15.251.81.xip.io/acs/post" InResponseTo="id-abc"/>
++            </saml:SubjectConfirmation>
++        </saml:Subject>
++        <saml:Conditions NotBefore="2020-12-04T07:48:09.600Z" NotOnOrAfter="2020-12-04T07:58:09.600Z">
++            <saml:AudienceRestriction>
++                <saml:Audience>urn:mace:example.com:saml:roland:sp</saml:Audience>
++            </saml:AudienceRestriction>
++        </saml:Conditions>
++        <saml:AuthnStatement AuthnInstant="2020-12-04T07:48:09.600Z" SessionNotOnOrAfter="2020-12-04T07:58:09.600Z" SessionIndex="_samling_8227405_474676521">
++            <saml:AuthnContext>
++                <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
++            </saml:AuthnContext>
++        </saml:AuthnStatement>
++    </saml:Assertion>
++</samlp:Response>
+Index: python-pysaml2-3.0.0/tests/xmlsec1-keydata/signed-assertion-with-hmac.xml
+===================================================================
+--- /dev/null
++++ python-pysaml2-3.0.0/tests/xmlsec1-keydata/signed-assertion-with-hmac.xml
+@@ -0,0 +1,49 @@
++<?xml version="1.0"?>
++<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="theresponse" IssueInstant="2020-12-04T07:48:09.700Z" InResponseTo="id-abc" Destination="https://example.org/acs/post">
++    <saml:Issuer>urn:mace:example.com:saml:roland:idp</saml:Issuer>
++    <samlp:Status>
++        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
++    </samlp:Status>
++    <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="theassertion" IssueInstant="2020-12-04T07:48:09.600Z">
++        <saml:Issuer>urn:mace:example.com:saml:roland:idp</saml:Issuer>
++        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
++            <ds:SignedInfo>
++                <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
++                <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
++                <ds:Reference URI="#theassertion">
++                    <ds:Transforms>
++                        <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
++                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
++                    </ds:Transforms>
++                    <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
++                    <ds:DigestValue>3eSifM9ENDpX4ore08DbmBaW3WrqLZMv57QMk0ACEPk=</ds:DigestValue>
++                </ds:Reference>
++            </ds:SignedInfo>
++            <ds:SignatureValue>8v8fec9UyJ5g/GcZmkrG3gQT/eI=</ds:SignatureValue>
++            <ds:KeyInfo>
++                <ds:KeyValue>
++                    <HMACKeyValue xmlns="http://www.aleksey.com/xmlsec/2002">Rk9PCg==</HMACKeyValue>
++                </ds:KeyValue>
++                <ds:X509Data>
++                    <ds:X509Certificate>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</ds:X509Certificate>
++                </ds:X509Data>
++            </ds:KeyInfo>
++        </ds:Signature>
++        <saml:Subject>
++            <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">attack-name-id</saml:NameID>
++            <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
++                <saml:SubjectConfirmationData NotOnOrAfter="2020-12-04T07:58:09.600Z" Recipient="https://example.org/acs/post" InResponseTo="id-abc"/>
++            </saml:SubjectConfirmation>
++        </saml:Subject>
++        <saml:Conditions NotBefore="2020-12-04T07:48:09.600Z" NotOnOrAfter="2020-12-04T07:58:09.600Z">
++            <saml:AudienceRestriction>
++                <saml:Audience>https://example.org/sp.xml</saml:Audience>
++            </saml:AudienceRestriction>
++        </saml:Conditions>
++        <saml:AuthnStatement AuthnInstant="2020-12-04T07:48:09.600Z" SessionNotOnOrAfter="2020-12-04T07:58:09.600Z" SessionIndex="_samling_8227405_474676521">
++            <saml:AuthnContext>
++                <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
++            </saml:AuthnContext>
++        </saml:AuthnStatement>
++    </saml:Assertion>
++</samlp:Response>
+Index: python-pysaml2-3.0.0/tests/xmlsec1-keydata/signed-response-with-hmac.xml
+===================================================================
+--- /dev/null
++++ python-pysaml2-3.0.0/tests/xmlsec1-keydata/signed-response-with-hmac.xml
+@@ -0,0 +1,49 @@
++<?xml version="1.0"?>
++<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="theresponse" IssueInstant="2020-12-04T07:48:09.700Z" InResponseTo="id-abc" Destination="https://example.org/acs/post">
++    <saml:Issuer>urn:mace:example.com:saml:roland:idp</saml:Issuer>
++    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
++        <ds:SignedInfo>
++            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
++            <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
++            <ds:Reference URI="#theresponse">
++                <ds:Transforms>
++                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
++                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
++                </ds:Transforms>
++                <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
++                <ds:DigestValue>/tLLJtWfBNGVGkPWs09wGxvKL/rPVWt5maNs9DWbHfQ=</ds:DigestValue>
++            </ds:Reference>
++        </ds:SignedInfo>
++        <ds:SignatureValue>iInSCge8AdweKTwZ9Z8P6e8Kb24=</ds:SignatureValue>
++        <ds:KeyInfo>
++            <ds:KeyValue>
++                <HMACKeyValue xmlns="http://www.aleksey.com/xmlsec/2002">Rk9PCg==</HMACKeyValue>
++            </ds:KeyValue>
++            <ds:X509Data>
++                <ds:X509Certificate>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</ds:X509Certificate>
++            </ds:X509Data>
++        </ds:KeyInfo>
++    </ds:Signature>
++    <samlp:Status>
++        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
++    </samlp:Status>
++    <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="theassertion" IssueInstant="2020-12-04T07:48:09.600Z">
++        <saml:Issuer>urn:mace:example.com:saml:roland:idp</saml:Issuer>
++        <saml:Subject>
++            <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">attack-name-id</saml:NameID>
++            <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
++                <saml:SubjectConfirmationData NotOnOrAfter="2020-12-04T07:58:09.600Z" Recipient="https://example.org/acs/post" InResponseTo="id-abc"/>
++            </saml:SubjectConfirmation>
++        </saml:Subject>
++        <saml:Conditions NotBefore="2020-12-04T07:48:09.600Z" NotOnOrAfter="2020-12-04T07:58:09.600Z">
++            <saml:AudienceRestriction>
++                <saml:Audience>https://example.org/sp.xml</saml:Audience>
++            </saml:AudienceRestriction>
++        </saml:Conditions>
++        <saml:AuthnStatement AuthnInstant="2020-12-04T07:48:09.600Z" SessionNotOnOrAfter="2020-12-04T07:58:09.600Z" SessionIndex="_samling_8227405_474676521">
++            <saml:AuthnContext>
++                <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
++            </saml:AuthnContext>
++        </saml:AuthnStatement>
++    </saml:Assertion>
++</samlp:Response>
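Review bot: The patch body carries no change to src/saml2/sigver.py even though its diffstat lists `src/saml2/sigver.py | 1 +` and the description states that xmlsec1 must be configured explicitly to accept only X.509 certificates; the hunk header declares 273 lines, which is exactly the span visible here, and the only Index sections are tests/test_xmlsec1_key_data.py and the three fixtures under tests/xmlsec1-keydata/. Unless that one-line change was folded into CVE-2021-21238.patch (whose body is mostly outside this view), the default CryptoBackendXmlSec1 backend would still accept the HMACKeyValue fixtures, the two `*_should_fail` tests would not pass, and the changelog's claim that CVE-2021-21239 is fixed would be wrong. Either the missing sigver.py hunk — presumably restricting the key data xmlsec1 loads during `--verify` to X.509 certificates, e.g. via `--enabled-key-data raw-x509-cert` — should be added to this patch, or the diffstat should be corrected and the patch that actually carries the code fix identified. Separately, `from datetime import datetime` and `from dateutil import parser` at the top of the new test module are unused and should be dropped so the test does not depend on a third-party module it never calls.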
diff -Nru python-pysaml2-3.0.0/debian/patches/series python-pysaml2-3.0.0/debian/patches/series
--- python-pysaml2-3.0.0/debian/patches/series	2020-02-20 07:45:47.000000000 +1100
+++ python-pysaml2-3.0.0/debian/patches/series	2021-02-02 08:40:41.000000000 +1100
@@ -1,2 +1,4 @@
 fix-xxe-in-xml-parsing.patch
 CVE-2020-5390.patch
+CVE-2021-21238.patch
+CVE-2021-21239.patch
