Univention Bugzilla – Bug 53401
lasso: Multiple issues (5.0)
Last modified: 2021-06-09 19:26:03 CEST
New Debian lasso 2.6.0-2+deb10u1A~5.0.0.202106051546 fixes:
This update addresses the following issue:
* XML signature wrapping vulnerability when parsing SAML responses (CVE-2021-28091)
--- mirror/ftp/pool/main/l/lasso/lasso_2.6.0-2+b2A~5.0.0.202104091504.dsc +++ apt/ucs_5.0-0-errata5.0-0/source/lasso_2.6.0-2+deb10u1A~5.0.0.202106051546.dsc @@ -1,7 +1,13 @@ -2.6.0-2+b2A~5.0.0.202104091504 [Fri, 09 Apr 2021 15:30:14 +0200] Univention builddaemon <buildd@univention.de>: +2.6.0-2+deb10u1A~5.0.0.202106051546 [Sat, 05 Jun 2021 15:56:35 +0200] Univention builddaemon <buildd@univention.de>: * UCS auto build. The following patches have been applied to the original source package 10_expose_lasso_provider_verify_saml_signature + +2.6.0-2+deb10u1 [Wed, 02 Jun 2021 20:54:32 +0200] Salvatore Bonaccorso <carnil@debian.org>: + + * Non-maintainer upload by the Security Team. + * Fix signature checking on unsigned response with multiple assertions + (CVE-2021-28091) 2.6.0-2 [Fri, 15 Jun 2018 21:33:58 +0200] Frederic Peters <fpeters@debian.org>: <http://piuparts.knut.univention.de/5.0-0/#4290073528576332979>
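Review bot: The UCS auto-build entry at the top of the hunk still lists 10_expose_lasso_provider_verify_saml_signature as applied, while the imported 2.6.0-2+deb10u1 entry changes signature checking (CVE-2021-28091), so the local patch and the security fix appear to concern the same verification code. The changelog does not say whether the local patch was re-checked against the new source. Suggest recording that in the QA comment next to "OK: patch", together with a check that a response of the kind the changelog describes (unsigned, with multiple assertions) is rejected through the exposed entry point.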
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts
<https://errata.software-univention.de/#/?erratum=5.0x5>