Univention Bugzilla – Bug 53440
lasso: Multiple issues (4.4)
Last modified: 2021-06-23 16:21:39 CEST
New Debian lasso 2.5.0-5+deb9u1 fixes:

This update addresses the following issue:
* XML signature wrapping vulnerability when parsing SAML responses (CVE-2021-28091)
--- mirror/ftp/4.3/unmaintained/4.3-0/source/lasso_2.5.0-5+b1A~4.3.0.201711231254.dsc +++ apt/ucs_4.4-0-errata4.4-8/source/lasso_2.5.0-5+deb9u1.dsc @@ -1,7 +1,7 @@ -2.5.0-5+b1A~4.3.0.201711231254 [Thu, 23 Nov 2017 16:04:23 +0100] Univention builddaemon <buildd@univention.de>: +2.5.0-5+deb9u1 [Fri, 04 Jun 2021 09:04:17 +0200] Yadd <yadd@debian.org>: - * UCS auto build. The following patches have been applied to the original source package - 10_expose_lasso_provider_verify_saml_signature + * Fix signature checking on unsigned response with multiple assertions + (Closes: CVE-2021-28091) 2.5.0-5 [Thu, 05 May 2016 11:11:01 +0200] Frederic Peters <fpeters@debian.org>: <http://piuparts.knut.univention.de/4.4-8/#5258144055970343194>
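Review bot: The removed lines at the top of this hunk drop the "UCS auto build" entry that listed 10_expose_lasso_provider_verify_saml_signature, and the added 2.5.0-5+deb9u1 entry carries only the Debian fix for CVE-2021-28091. As the changelog reads, this build no longer applies the Univention patch that was in 2.5.0-5+b1A~4.3.0.201711231254. Rebase that patch onto 2.5.0-5+deb9u1 and rebuild, so the changelog again shows the UCS entry on top of the Debian one.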
The UCS 4.3 lasso patch was not adapted for the new version.

Fixed in patches svn r19382
ef800821 yaml
lasso 2.5.0-5+deb9u1A~4.4.0.202106161816
--- mirror/ftp/4.3/unmaintained/4.3-0/source/lasso_2.5.0-5+b1A~4.3.0.201711231254.dsc +++ apt/ucs_4.4-0-errata4.4-8/source/lasso_2.5.0-5+deb9u1A~4.4.0.202106161816.dsc @@ -1,7 +1,12 @@ -2.5.0-5+b1A~4.3.0.201711231254 [Thu, 23 Nov 2017 16:04:23 +0100] Univention builddaemon <buildd@univention.de>: +2.5.0-5+deb9u1A~4.4.0.202106161816 [Wed, 16 Jun 2021 18:16:07 +0200] Univention builddaemon <buildd@univention.de>: * UCS auto build. The following patches have been applied to the original source package 10_expose_lasso_provider_verify_saml_signature + +2.5.0-5+deb9u1 [Fri, 04 Jun 2021 09:04:17 +0200] Yadd <yadd@debian.org>: + + * Fix signature checking on unsigned response with multiple assertions + (Closes: CVE-2021-28091) 2.5.0-5 [Thu, 05 May 2016 11:11:01 +0200] Frederic Peters <fpeters@debian.org>: <http://piuparts.knut.univention.de/4.4-8/#1189639930173866019>
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts
<https://errata.software-univention.de/#/?erratum=4.4x994>