Package "lasso"

  lasso (2.7.0-2ubuntu0.1) jammy-security; urgency=medium

  * SECURITY UPDATE: DoS in lasso_provider_verify_saml_signature
    - debian/patches/CVE-2025-46404.patch: check xmlSecGetNodeNsHref for
      possible NULL result in lasso/id-ff/provider.c.
    - CVE-2025-46404
  * SECURITY UPDATE: DoS in g_assert_not_reached
    - debian/patches/CVE-2025-46705-pre1.patch: test that inserted comment
      do not change node value in bindings/python/tests/profiles_tests.py,
      lasso/xml/xml.c.
    - debian/patches/CVE-2025-46705.patch: do not terminate on an unknown
      XML node type in lasso/xml/xml.c.
    - CVE-2025-46705
  * SECURITY UPDATE: DoS in lasso_node_init_from_message_with_format
    - debian/patches/CVE-2025-46784-1.patch: add new define
      LASSO_XMLSEC_VERSION_NUMBER allow version check on libxmlsec in
      configure.ac.
    - debian/patches/CVE-2025-46784-2.patch: make lasso_inflate output the
      inflated buffer size in lasso/xml/tools.c.
    - debian/patches/CVE-2025-46784-3.patch: adapt lasso_base64_decode to
      the deprecation of xmlSecBase64Decode in lasso/xml/tools.c.
    - debian/patches/CVE-2025-46784-4.patch: replace all use of
      xmlSecBase64Decode by lasso_base64_decode in lasso/id-ff/login.c,
      lasso/id-ff/provider.c, lasso/id-ff/session.c,
      lasso/saml-2.0/profile.c, lasso/xml/tools.c, lasso/xml/xml.c.
    - CVE-2025-46784
  * SECURITY UPDATE: type confusion issue in lasso_node_impl_init_from_xml
    - debian/patches/CVE-2025-47151.patch: prevent assignment of attribute
      value inside any attribute in lasso/xml/misc_text_node.c,
      lasso/xml/saml-2.0/saml2_attribute_value.c, lasso/xml/xml.c.
    - CVE-2025-47151

 -- Marc Deslauriers <email address hidden> Mon, 17 Nov 2025 09:15:05 -0500