[MIR] libapache2-mod-auth-mellon, liblasso3
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
lasso (Ubuntu) | Fix Released | Medium | Unassigned |
libapache2-mod-auth-mellon (Ubuntu) | Fix Released | Medium | Unassigned |
Bug Description
[MIR] libapache2-
[Availability]
Currently in universe.
[Rationale]
This module is required for OpenStack Keystone Federation: http://
[Security]
No security history.
[Quality Assurance]
Package works out of the box with no prompting. There are no major bugs in Ubuntu and there are no major bugs in Debian.
[Dependencies]
All are in main except for liblasso3.
[Standards Compliance]
FHS and Debian Policy compliant.
[Maintenance]
Simple package that the OpenStack Team will take care of.
[Background]
mod_auth_mellon is an authentication module for Apache. It authenticates the user against a SAML 2.0 IdP, and grants access to directories depending on attributes received from the IdP.
--------
[MIR] liblasso3 (lasso)
[Availability]
Currently in universe.
[Rationale]
liblasso3 is required by libapache2-
[Security]
CVE-2012-6426 LemonLDAP::NG before 1.2.3 does not use the signature-
CVE-2009-0050 Lasso 2.2.1 and earlier does not properly check the return value from the OpenSSL DSA_verify function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature, a similar vulnerability to CVE-2008-5077.
CVE-2005-2605 Unknown vulnerability in Lasso Professional Server 8.0.4 and 8.0.5 allows attackers to bypass authentication, related to [Auth] tags.
CVE-2002-2118 Buffer overflow in Blue World Lasso Web Data Engine 3.6.5 allows remote attackers to cause a denial of service via a long URL.
CVE-1999-1250 Vulnerability in CGI program in the Lasso application by Blue World, as used on WebSTAR and other servers, allows remote attackers to read arbitrary files.
[Quality Assurance]
Package works out of the box with no prompting. There are no major bugs in Ubuntu and there are no major bugs in Debian.
[Dependencies]
All are in main.
[Standards Compliance]
FHS and Debian Policy compliant.
[Maintenance]
The OpenStack Team will take care of this package.
[Background]
Lasso (Liberty Alliance Single Sign-On) is a free (GNU GPL) implementation of the Liberty Alliance specifications. Those define processes for federated identities, single sign-on and related protocols. Lasso provides both a C library and bindings for different languages.
homepage: http://
affects: ubuntu → libapache2-mod-auth-mellon (Ubuntu)
Changed in lasso (Ubuntu):
status: Incomplete → New
libapache2-mod-auth-mellon has no security history? The last changelog entry has this:
- Fixes Denial of Service issues [CVE-2016-2145, CVE-2016-2146].
Looks like both of these are security sensitive, will pass to security team.