[CVE-2009-0050] - Lasso 2.2.1 and earlier does not properly check the return value from the OpenSSL DSA_verify function
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
lasso (Ubuntu) | | Undecided | Stefan Lesicnik |
Dapper | | Undecided | Unassigned |
Gutsy | | Undecided | Unassigned |
Hardy | | Undecided | Unassigned |
Intrepid | | Undecided | Unassigned |
Jaunty | | Undecided | Stefan Lesicnik |
Bug Description
Lasso 2.2.1 and earlier does not properly check the return value from the OpenSSL DSA_verify function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature, a similar vulnerability to CVE-2008-5077.
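The return-value mistake described above, as an added example that is not lasso's code or part of the original report. `verify_stub` is a hypothetical stand-in that mimics the 1 / 0 / -1 return convention of OpenSSL's DSA_verify so the block runs without OpenSSL, and the byte arrays are constructed inputs, not real signatures.

```c
#include <stdio.h>

/* Return convention documented for OpenSSL's DSA_verify():
 *   1 = signature valid, 0 = signature invalid,
 *  -1 = error (for example, the signature could not be parsed). */
enum { SIG_OK = 1, SIG_BAD = 0, SIG_ERROR = -1 };

/* Hypothetical stand-in for the library call (assumption, not an OpenSSL
 * API): classifies the constructed sample inputs below by their bytes. */
static int verify_stub(const unsigned char *sig, size_t len)
{
    if (len == 0 || sig[0] != 0x30)   /* no DER SEQUENCE tag: parse error */
        return SIG_ERROR;
    return sig[len - 1] == 0x01 ? SIG_OK : SIG_BAD;
}

/* Flawed pattern: only 0 is treated as failure, so -1 falls through
 * and the caller proceeds as if the signature had verified. */
int accept_flawed(const unsigned char *sig, size_t len)
{
    if (!verify_stub(sig, len))
        return 0;
    return 1;
}

/* Corrected pattern: accept only on an explicit 1; 0 and -1 both reject. */
int accept_strict(const unsigned char *sig, size_t len)
{
    return verify_stub(sig, len) == 1;
}

/* Constructed sample inputs. */
static const unsigned char good[]      = { 0x30, 0x02, 0x01 };
static const unsigned char forged[]    = { 0x30, 0x02, 0x00 };
static const unsigned char malformed[] = { 0xff, 0x02, 0x01 };

int main(void)
{
    printf("good:      flawed=%d strict=%d\n",
           accept_flawed(good, sizeof good), accept_strict(good, sizeof good));
    printf("forged:    flawed=%d strict=%d\n",
           accept_flawed(forged, sizeof forged), accept_strict(forged, sizeof forged));
    printf("malformed: flawed=%d strict=%d\n",
           accept_flawed(malformed, sizeof malformed), accept_strict(malformed, sizeof malformed));
    return 0;
}
```

When auditing for this class of bug, look for callers that test a tri-state verify result with `!result` or `result != 0` instead of comparing against 1.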
CVE References
Stefan Lesicnik (stefanlsd) wrote : | #1 |
Changed in lasso: | |
assignee: | nobody → stefanlsd |
status: | New → In Progress |
Stefan Lesicnik (stefanlsd) wrote : | #2 |
Stefan Lesicnik (stefanlsd) wrote : | #3 |
Stefan Lesicnik (stefanlsd) wrote : | #4 |
Stefan Lesicnik (stefanlsd) wrote : | #5 |
Changed in lasso: | |
status: | New → Confirmed |
status: | New → Confirmed |
status: | New → Confirmed |
status: | New → Confirmed |
status: | In Progress → Confirmed |
Jamie Strandboge (jdstrand) wrote : | #6 |
Please sync lasso 2.2.1-2 from Debian unstable to Jaunty.
Changed in lasso: | |
status: | Confirmed → Fix Committed |
status: | Confirmed → Fix Committed |
status: | Confirmed → Fix Committed |
status: | Confirmed → Fix Committed |
status: | Confirmed → Fix Committed |
Jamie Strandboge (jdstrand) wrote : | #7 |
Thanks Stefan! I'm processing the Dapper-Intrepid debdiffs now.
Changed in lasso: | |
status: | Fix Committed → Confirmed |
Launchpad Janitor (janitor) wrote : | #8 |
This bug was fixed in the package lasso - 2.0.0-1ubuntu1.1
---------------
lasso (2.0.0-1ubuntu1.1) gutsy-security; urgency=low
* SECURITY UPDATE: lasso does not properly check the return value from the
OpenSSL DSA_verify function (LP: #317181).
- lasso/xml/tools.c: Correctly check for signature validity.
- CVE-2009-0050
-- Stefan Lesicnik <email address hidden> Wed, 14 Jan 2009 20:23:28 +0200
Changed in lasso: | |
status: | Fix Committed → Fix Released |
Launchpad Janitor (janitor) wrote : | #9 |
This bug was fixed in the package lasso - 2.1.1-2ubuntu1.1
---------------
lasso (2.1.1-2ubuntu1.1) hardy-security; urgency=low
* SECURITY UPDATE: lasso does not properly check the return value from the
OpenSSL DSA_verify function (LP: #317181).
- lasso/xml/tools.c: Correctly check for signature validity.
- CVE-2009-0050
-- Stefan Lesicnik <email address hidden> Wed, 14 Jan 2009 20:18:30 +0200
Changed in lasso: | |
status: | Fix Committed → Fix Released |
Launchpad Janitor (janitor) wrote : | #10 |
This bug was fixed in the package lasso - 2.2.0-1ubuntu0.1
---------------
lasso (2.2.0-1ubuntu0.1) intrepid-security; urgency=low
* SECURITY UPDATE: lasso does not properly check the return value from the
OpenSSL DSA_verify function (LP: #317181).
- lasso/xml/tools.c: Correctly check for signature validity.
- CVE-2009-0050
-- Stefan Lesicnik <email address hidden> Wed, 14 Jan 2009 19:56:22 +0200
Changed in lasso: | |
status: | Fix Committed → Fix Released |
Changed in lasso: | |
status: | Fix Committed → Fix Released |
Colin Watson (cjwatson) wrote : | #11 |
[Updating] lasso (2.2.1-1 [Ubuntu] < 2.2.1-2 [Debian])
* Trying to add lasso...
- <lasso_2.2.1-2.dsc: downloading from http://
- <lasso_
- <lasso_
I: lasso [universe] -> liblasso3-
I: lasso [universe] -> liblasso3_2.2.1-1 [universe].
I: lasso [universe] -> python-
I: lasso [universe] -> liblasso-
I: lasso [universe] -> liblasso-
I: lasso [universe] -> php5-lasso_2.2.1-1 [universe].
Colin Watson (cjwatson) wrote : | #13 |
[Updating] lasso (2.2.1-1 [Ubuntu] < 2.2.1-2 [Debian])
* Trying to add lasso...
- <lasso_2.2.1-2.dsc: cached>
- <lasso_
- <lasso_
I: lasso [universe] -> liblasso3-
I: lasso [universe] -> liblasso3_2.2.1-1 [universe].
I: lasso [universe] -> python-
I: lasso [universe] -> liblasso-
I: lasso [universe] -> liblasso-
I: lasso [universe] -> php5-lasso_2.2.1-1 [universe].
Colin Watson (cjwatson) wrote : | #14 |
(Sorry about the duplicate comment there.)
Changed in lasso: | |
status: | Confirmed → Fix Released |
Please sync lasso_2.2.1-2 from Debian Unstable (main) for Jaunty fix.