[Bug 1610286] Re: [MIR] libapache2-mod-auth-mellon, liblasso3

Matthias Klose doko at ubuntu.com
Tue Apr 3 12:06:48 UTC 2018


Override component to main
lasso 2.5.1-0ubuntu1 in bionic: universe/libs -> main
liblasso-perl 2.5.1-0ubuntu1 in bionic amd64: universe/libs/optional/100% -> main
liblasso-perl 2.5.1-0ubuntu1 in bionic arm64: universe/libs/optional/100% -> main
liblasso-perl 2.5.1-0ubuntu1 in bionic armhf: universe/libs/optional/100% -> main
liblasso-perl 2.5.1-0ubuntu1 in bionic i386: universe/libs/optional/100% -> main
liblasso-perl 2.5.1-0ubuntu1 in bionic ppc64el: universe/libs/optional/100% -> main
liblasso-perl 2.5.1-0ubuntu1 in bionic s390x: universe/libs/optional/100% -> main
liblasso3 2.5.1-0ubuntu1 in bionic amd64: universe/libs/optional/100% -> main
liblasso3 2.5.1-0ubuntu1 in bionic arm64: universe/libs/optional/100% -> main
liblasso3 2.5.1-0ubuntu1 in bionic armhf: universe/libs/optional/100% -> main
liblasso3 2.5.1-0ubuntu1 in bionic i386: universe/libs/optional/100% -> main
liblasso3 2.5.1-0ubuntu1 in bionic ppc64el: universe/libs/optional/100% -> main
liblasso3 2.5.1-0ubuntu1 in bionic s390x: universe/libs/optional/100% -> main
liblasso3-dev 2.5.1-0ubuntu1 in bionic amd64: universe/libdevel/optional/100% -> main
liblasso3-dev 2.5.1-0ubuntu1 in bionic arm64: universe/libdevel/optional/100% -> main
liblasso3-dev 2.5.1-0ubuntu1 in bionic armhf: universe/libdevel/optional/100% -> main
liblasso3-dev 2.5.1-0ubuntu1 in bionic i386: universe/libdevel/optional/100% -> main
liblasso3-dev 2.5.1-0ubuntu1 in bionic ppc64el: universe/libdevel/optional/100% -> main
liblasso3-dev 2.5.1-0ubuntu1 in bionic s390x: universe/libdevel/optional/100% -> main
python-lasso 2.5.1-0ubuntu1 in bionic amd64: universe/python/optional/100% -> main
python-lasso 2.5.1-0ubuntu1 in bionic arm64: universe/python/optional/100% -> main
python-lasso 2.5.1-0ubuntu1 in bionic armhf: universe/python/optional/100% -> main
python-lasso 2.5.1-0ubuntu1 in bionic i386: universe/python/optional/100% -> main
python-lasso 2.5.1-0ubuntu1 in bionic ppc64el: universe/python/optional/100% -> main
python-lasso 2.5.1-0ubuntu1 in bionic s390x: universe/python/optional/100% -> main
python3-lasso 2.5.1-0ubuntu1 in bionic amd64: universe/python/optional/100% -> main
python3-lasso 2.5.1-0ubuntu1 in bionic arm64: universe/python/optional/100% -> main
python3-lasso 2.5.1-0ubuntu1 in bionic armhf: universe/python/optional/100% -> main
python3-lasso 2.5.1-0ubuntu1 in bionic i386: universe/python/optional/100% -> main
python3-lasso 2.5.1-0ubuntu1 in bionic ppc64el: universe/python/optional/100% -> main
python3-lasso 2.5.1-0ubuntu1 in bionic s390x: universe/python/optional/100% -> main


** Changed in: lasso (Ubuntu)
       Status: New => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to libapache2-mod-auth-mellon in Ubuntu.
https://bugs.launchpad.net/bugs/1610286

Title:
  [MIR] libapache2-mod-auth-mellon, liblasso3

Status in lasso package in Ubuntu:
  Fix Released
Status in libapache2-mod-auth-mellon package in Ubuntu:
  Fix Released

Bug description:
  
  [MIR] libapache2-mod-auth-mellon

  [Availability]
  Currently in universe.

  [Rationale]
  This module is required for OpenStack Keystone Federation: http://docs.openstack.org/developer/keystone/configure_federation.html

  [Security]
  No security history.

  [Quality Assurance]
  Package works out of the box with no prompting. There are no major bugs in Ubuntu and there are no major bugs in Debian.

  [Dependencies]
  All are in main except for liblasso3.

  [Standards Compliance]
  FHS and Debian Policy compliant.

  [Maintenance]
  Simple package that the OpenStack Team will take care of.

  [Background]
  mod_auth_mellon is an authentication module for Apache. It authenticates the user against a SAML 2.0 IdP, and grants access to directories depending on attributes received from the IdP.

  --------

  
  [MIR] liblasso3 (lasso)

  [Availability]
  Currently in universe.

  [Rationale]
  liblasso3 is required by libapache2-mod-auth-mellon.

  [Security]
  CVE-2012-6426   LemonLDAP::NG before 1.2.3 does not use the signature-verification capability of the Lasso library, which allows remote attackers to bypass intended access-control restrictions via crafted SAML data.

  CVE-2009-0050   Lasso 2.2.1 and earlier does not properly check the
  return value from the OpenSSL DSA_verify function, which allows remote
  attackers to bypass validation of the certificate chain via a
  malformed SSL/TLS signature, a similar vulnerability to CVE-2008-5077.

  CVE-2005-2605   Unknown vulnerability in Lasso Professional
  Server 8.0.4 and 8.0.5 allows attackers to bypass authentication,
  related to [Auth] tags.

  CVE-2002-2118   Buffer overflow in Blue World Lasso Web Data Engine
  3.6.5 allows remote attackers to cause a denial of service via a long
  URL.

  CVE-1999-1250   Vulnerability in CGI program in the Lasso application
  by Blue World, as used on WebSTAR and other servers, allows remote
  attackers to read arbitrary files.

  [Quality Assurance]
  Package works out of the box with no prompting. There are no major bugs in Ubuntu and there are no major bugs in Debian.

  [Dependencies]
  All are in main.

  [Standards Compliance]
  FHS and Debian Policy compliant.

  [Maintenance]
  The OpenStack Team will take care of this package.

  [Background]
  Lasso (Liberty Alliance Single Sign-On) is a free (GNU GPL) implementation of the Liberty Alliance specifications.  Those define processes for federated identities, single sign-on and related protocols.  Lasso provides both a C library and bindings for different languages.

  homepage: http://lasso.entrouvert.or

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/lasso/+bug/1610286/+subscriptions


