[Bug 1610286] [NEW] [MIR] libapache2-mod-auth-mellon, liblasso3

Launchpad Bug Tracker 1610286 at bugs.launchpad.net
Fri Aug 5 14:54:19 UTC 2016 

You have been subscribed to a public bug:


[MIR] libapache2-mod-auth-mellon

[Availability]
Currently in universe.

[Rationale]
This module is required for OpenStack Keystone Federation: http://docs.openstack.org/developer/keystone/configure_federation.html

[Security]
No security history.

[Quality Assurance]
Package works out of the box with no prompting. There are no major bugs in Ubuntu and there are no major bugs in Debian.

[Dependencies]
All are in main except for liblasso3.

[Standards Compliance]
FHS and Debian Policy compliant.

[Maintenance]
Simple package that the OpenStack Team will take care of.

[Background]
mod_auth_mellon is a authentication module for Apache. It authenticates the user against a SAML 2.0 IdP, and grants access to directories depending on attributes received from the IdP

--------


[MIR] liblasso3 (lasso)

[Availability]
Currently in universe.

[Rationale]
liblasso3 is required by libapache2-mod-auth-mellon.

[Security]
CVE-2012-6426	LemonLDAP::NG before 1.2.3 does not use the signature-verification capability of the Lasso library, which allows remote attackers to bypass intended access-control restrictions via crafted SAML data.

CVE-2009-0050   Lasso 2.2.1 and earlier does not properly check the
return value from the OpenSSL DSA_verify function, which allows remote
attackers to bypass validation of the certificate chain via a malformed
SSL/TLS signature, a similar vulnerability to CVE-2008-5077.

CVE-2005-2605   Unknown vulnerability in Lasso Professional Server8.0.4
and 8.0.5 allows attackers to bypass authentication, related to [Auth]
tags.

CVE-2002-2118   Buffer overflow in Blue World Lasso Web Data Engine
3.6.5 allows remote attackers to cause a denial of service via a long
URL.

CVE-1999-1250   Vulnerability in CGI program in the Lasso application by
Blue World, as used on WebSTAR and other servers, allows remote
attackers to read arbitrary files.

[Quality Assurance]
Package works out of the box with no prompting. There are no major bugs in Ubuntu and there are no major bugs in Debian.

[Dependencies]
All are in main.

[Standards Compliance]
FHS and Debian Policy compliant.

[Maintenance]
The OpenStack Team will take care of this package.

[Background]
Lasso (Liberty Alliance Single Sign-On) is a free (GNU GPL) implementation of the Liberty Alliance specifications.  Those define processes for federated identities, single sign-on and related protocols.  Lasso provides both a C library and bindings for different languages.

homepage: http://lasso.entrouvert.or

** Affects: libapache2-mod-auth-mellon (Ubuntu)
     Importance: Undecided
         Status: New

-- 
[MIR] libapache2-mod-auth-mellon, liblasso3
https://bugs.launchpad.net/bugs/1610286
You received this bug notification because you are a member of Ubuntu OpenStack, which is subscribed to libapache2-mod-auth-mellon in Ubuntu.

More information about the Ubuntu-openstack-bugs mailing list