New Debian lasso 2.8.1-1+deb12u1 fixes:
This update addresses the following issues:

2.8.1-1+deb12u1 (Fri, 07 Nov 2025 21:51:12 +0100)
 * Non-maintainer upload by the Security Team.
 * tests: test that inserted comment do not change node value and still validate signature
 * xml: prevent assignment of attribute value inside any attribute (CVE-2025-47151)
 * misc: check xmlSecGetNodeNsHref for possible NULL result (CVE-2025-46404)
 * xml: do not terminate on an unknown XML node type (CVE-2025-46705)
--- mirror/ftp/pool/main/l/lasso/lasso_2.8.1-1+b1A~5.2.0.202305190934.dsc +++ apt/ucs_5.2-0-errata5.2-3/source/lasso_2.8.1-1+deb12u1.dsc @@ -1,8 +1,12 @@ -2.8.1-1+b1A~5.2.0.202305190934 [Fri, 19 May 2023 10:20:18 +0200] Univention builddaemon <buildd@univention.de>: +2.8.1-1+deb12u1 [Fri, 07 Nov 2025 21:51:12 +0100] Salvatore Bonaccorso <carnil@debian.org>: - * UCS auto build. The following patches have been applied to the original source package - 00_ftbfs.patch - 10_expose_lasso_provider_verify_saml_signature.quilt + * Non-maintainer upload by the Security Team. + * tests: test that inserted comment do not change node value and still + validate signature + * xml: prevent assignment of attribute value inside any attribute + (CVE-2025-47151) + * misc: check xmlSecGetNodeNsHref for possible NULL result (CVE-2025-46404) + * xml: do not terminate on an unknown XML node type (CVE-2025-46705) 2.8.1-1 [Wed, 01 Mar 2023 08:36:25 +0100] Frederic Peters <fpeters@debian.org>: <http://piuparts.knut.univention.de/5.2-3/#4952862154127316513>
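Review bot: the three removed lines at the top of this hunk (the "UCS auto build" entry with 00_ftbfs.patch and 10_expose_lasso_provider_verify_saml_signature.quilt) are replaced by the Debian security changelog with no record of what happens to those two local patches. State in the advisory whether each one is re-applied in the UCS rebuild or dropped, since the second one, by its name, exposes lasso_provider_verify_saml_signature to other packages.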
--- mirror/ftp/pool/main/l/lasso/lasso_2.8.1-1+b1A~5.2.0.202305190934.dsc +++ apt/ucs_5.2-0-errata5.2-3/source/lasso_2.8.1-1+deb12u1~5.2.3.202511181226.dsc @@ -1,4 +1,4 @@ -2.8.1-1+b1A~5.2.0.202305190934 [Fri, 19 May 2023 10:20:18 +0200] Univention builddaemon <buildd@univention.de>: +2.8.1-1+deb12u1~5.2.3.202511181226 [Tue, 18 Nov 2025 12:45:34 -0000] Univention builddaemon <buildd@univention.de>: * UCS auto build. The following patches have been applied to the original source package 00_ftbfs.patch <http://piuparts.knut.univention.de/5.2-3/#7970110815763978208>
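Review bot: under "The following patches have been applied" this hunk shows only 00_ftbfs.patch, while the build it replaces also listed 10_expose_lasso_provider_verify_saml_signature.quilt in the earlier diff. Compare the patch list of a rebuild against that of the previous UCS build before the package is released, and treat a missing entry as a blocker.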
OK: bug
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts

[5.2-3] 7f5420763b chore(lasso): create advisory for 2.8.1-1+deb12u1~5.2.3.202511181226
 doc/errata/staging/lasso.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

[5.2-3] b3dbf00c7b chore(lasso): create advisory for 2.8.1-1+deb12u1
 doc/errata/staging/lasso.yaml | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
This breaks SAML login: python3: unable to dlopen /usr/lib/x86_64-linux-gnu/sasl2/libsaml.so: /usr/lib/x86_64-linux-gnu/sasl2/libsaml.so: undefined symbol: lasso_provider_verify_saml_signature
(In reply to Quality Assurance from comment #2) > --- mirror/ftp/pool/main/l/lasso/lasso_2.8.1-1+b1A~5.2.0.202305190934.dsc > +++ > apt/ucs_5.2-0-errata5.2-3/source/lasso_2.8.1-1+deb12u1~5.2.3.202511181226.dsc > @@ -1,4 +1,4 @@ > -2.8.1-1+b1A~5.2.0.202305190934 [Fri, 19 May 2023 10:20:18 +0200] Univention > builddaemon <buildd@univention.de>: > +2.8.1-1+deb12u1~5.2.3.202511181226 [Tue, 18 Nov 2025 12:45:34 -0000] > Univention builddaemon <buildd@univention.de>: > > * UCS auto build. The following patches have been applied to the original > source package > 00_ftbfs.patch > > <http://piuparts.knut.univention.de/5.2-3/#7970110815763978208> This shows patch > - 10_expose_lasso_provider_verify_saml_signature.quilt was not applied to the new version
--- mirror/ftp/pool/main/l/lasso/lasso_2.8.1-1+b1A~5.2.0.202305190934.dsc +++ apt/ucs_5.2-0-errata5.2-3/source/lasso_2.8.1-1+deb12u1A~5.2.3.202511190929.dsc @@ -1,8 +1,18 @@ -2.8.1-1+b1A~5.2.0.202305190934 [Fri, 19 May 2023 10:20:18 +0200] Univention builddaemon <buildd@univention.de>: +2.8.1-1+deb12u1A~5.2.3.202511190929 [Wed, 19 Nov 2025 09:29:40 -0000] Univention builddaemon <buildd@univention.de>: * UCS auto build. The following patches have been applied to the original source package 00_ftbfs.patch 10_expose_lasso_provider_verify_saml_signature.quilt + +2.8.1-1+deb12u1 [Fri, 07 Nov 2025 21:51:12 +0100] Salvatore Bonaccorso <carnil@debian.org>: + + * Non-maintainer upload by the Security Team. + * tests: test that inserted comment do not change node value and still + validate signature + * xml: prevent assignment of attribute value inside any attribute + (CVE-2025-47151) + * misc: check xmlSecGetNodeNsHref for possible NULL result (CVE-2025-46404) + * xml: do not terminate on an unknown XML node type (CVE-2025-46705) 2.8.1-1 [Wed, 01 Mar 2023 08:36:25 +0100] Frederic Peters <fpeters@debian.org>: <http://piuparts.knut.univention.de/5.2-3/#5682229496916516281>
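Review bot: the two context lines 00_ftbfs.patch and 10_expose_lasso_provider_verify_saml_signature.quilt show the patch list restored, but a changelog entry is the only evidence this hunk gives. Add a test to the QA run that loads /usr/lib/x86_64-linux-gnu/sasl2/libsaml.so against the new lasso build, so that an undefined lasso_provider_verify_saml_signature fails the build rather than SAML login.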
OK: bug
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts

[5.2-3] ae14a696f6 chore(lasso): create advisory for 2.8.1-1+deb12u1A~5.2.3.202511190929
 doc/errata/staging/lasso.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

[5.2-3] 7f5420763b chore(lasso): create advisory for 2.8.1-1+deb12u1~5.2.3.202511181226
 doc/errata/staging/lasso.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

[5.2-3] b3dbf00c7b chore(lasso): create advisory for 2.8.1-1+deb12u1
 doc/errata/staging/lasso.yaml | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
<https://errata.software-univention.de/#/?erratum=5.2x291>