[Bug 1610286] [NEW] [MIR] libapache2-mod-auth-mellon, liblasso3
Corey Bryant
corey.bryant at canonical.com
Fri Aug 5 14:54:03 UTC 2016
Public bug reported:
[MIR] libapache2-mod-auth-mellon
[Availability]
Currently in universe.
[Rationale]
This module is required for OpenStack Keystone Federation: http://docs.openstack.org/developer/keystone/configure_federation.html
[Security]
No security history.
[Quality Assurance]
Package works out of the box with no prompting. There are no major bugs in Ubuntu and there are no major bugs in Debian.
[Dependencies]
All are in main except for liblasso3.
[Standards Compliance]
FHS and Debian Policy compliant.
[Maintenance]
Simple package that the OpenStack Team will take care of.
[Background]
mod_auth_mellon is a authentication module for Apache. It authenticates the user against a SAML 2.0 IdP, and grants access to directories depending on attributes received from the IdP
--------
[MIR] liblasso3 (lasso)
[Availability]
Currently in universe.
[Rationale]
liblasso3 is required by libapache2-mod-auth-mellon.
[Security]
CVE-2012-6426 LemonLDAP::NG before 1.2.3 does not use the signature-verification capability of the Lasso library, which allows remote attackers to bypass intended access-control restrictions via crafted SAML data.
CVE-2009-0050 Lasso 2.2.1 and earlier does not properly check the
return value from the OpenSSL DSA_verify function, which allows remote
attackers to bypass validation of the certificate chain via a malformed
SSL/TLS signature, a similar vulnerability to CVE-2008-5077.
CVE-2005-2605 Unknown vulnerability in Lasso Professional Server8.0.4
and 8.0.5 allows attackers to bypass authentication, related to [Auth]
tags.
CVE-2002-2118 Buffer overflow in Blue World Lasso Web Data Engine
3.6.5 allows remote attackers to cause a denial of service via a long
URL.
CVE-1999-1250 Vulnerability in CGI program in the Lasso application by
Blue World, as used on WebSTAR and other servers, allows remote
attackers to read arbitrary files.
[Quality Assurance]
Package works out of the box with no prompting. There are no major bugs in Ubuntu and there are no major bugs in Debian.
[Dependencies]
All are in main.
[Standards Compliance]
FHS and Debian Policy compliant.
[Maintenance]
The OpenStack Team will take care of this package.
[Background]
Lasso (Liberty Alliance Single Sign-On) is a free (GNU GPL) implementation of the Liberty Alliance specifications. Those define processes for federated identities, single sign-on and related protocols. Lasso provides both a C library and bindings for different languages.
homepage: http://lasso.entrouvert.or
** Affects: lasso (Ubuntu)
Importance: Undecided
Status: New
** Affects: libapache2-mod-auth-mellon (Ubuntu)
Importance: Undecided
Status: New
** Package changed: ubuntu => libapache2-mod-auth-mellon (Ubuntu)
** Also affects: lasso (Ubuntu)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to libapache2-mod-auth-mellon in Ubuntu.
https://bugs.launchpad.net/bugs/1610286
Title:
[MIR] libapache2-mod-auth-mellon, liblasso3
Status in lasso package in Ubuntu:
New
Status in libapache2-mod-auth-mellon package in Ubuntu:
New
Bug description:
[MIR] libapache2-mod-auth-mellon
[Availability]
Currently in universe.
[Rationale]
This module is required for OpenStack Keystone Federation: http://docs.openstack.org/developer/keystone/configure_federation.html
[Security]
No security history.
[Quality Assurance]
Package works out of the box with no prompting. There are no major bugs in Ubuntu and there are no major bugs in Debian.
[Dependencies]
All are in main except for liblasso3.
[Standards Compliance]
FHS and Debian Policy compliant.
[Maintenance]
Simple package that the OpenStack Team will take care of.
[Background]
mod_auth_mellon is a authentication module for Apache. It authenticates the user against a SAML 2.0 IdP, and grants access to directories depending on attributes received from the IdP
--------
[MIR] liblasso3 (lasso)
[Availability]
Currently in universe.
[Rationale]
liblasso3 is required by libapache2-mod-auth-mellon.
[Security]
CVE-2012-6426 LemonLDAP::NG before 1.2.3 does not use the signature-verification capability of the Lasso library, which allows remote attackers to bypass intended access-control restrictions via crafted SAML data.
CVE-2009-0050 Lasso 2.2.1 and earlier does not properly check the
return value from the OpenSSL DSA_verify function, which allows remote
attackers to bypass validation of the certificate chain via a
malformed SSL/TLS signature, a similar vulnerability to CVE-2008-5077.
CVE-2005-2605 Unknown vulnerability in Lasso Professional
Server8.0.4 and 8.0.5 allows attackers to bypass authentication,
related to [Auth] tags.
CVE-2002-2118 Buffer overflow in Blue World Lasso Web Data Engine
3.6.5 allows remote attackers to cause a denial of service via a long
URL.
CVE-1999-1250 Vulnerability in CGI program in the Lasso application
by Blue World, as used on WebSTAR and other servers, allows remote
attackers to read arbitrary files.
[Quality Assurance]
Package works out of the box with no prompting. There are no major bugs in Ubuntu and there are no major bugs in Debian.
[Dependencies]
All are in main.
[Standards Compliance]
FHS and Debian Policy compliant.
[Maintenance]
The OpenStack Team will take care of this package.
[Background]
Lasso (Liberty Alliance Single Sign-On) is a free (GNU GPL) implementation of the Liberty Alliance specifications. Those define processes for federated identities, single sign-on and related protocols. Lasso provides both a C library and bindings for different languages.
homepage: http://lasso.entrouvert.or
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/lasso/+bug/1610286/+subscriptions
More information about the Ubuntu-openstack-bugs
mailing list