Ubuntu
lasso package

[CVE-2009-0050] - Lasso 2.2.1 and earlier does not properly check the return value from the OpenSSL DSA_verify function

Bug #317181 reported by Stefan Lesicnik on 2009-01-14
256
Affects Status Importance Assigned to Milestone
lasso (Ubuntu)
Fix Released
Undecided
Stefan Lesicnik
Dapper
Fix Released
Undecided
Unassigned
Gutsy
Fix Released
Undecided
Unassigned
Hardy
Fix Released
Undecided
Unassigned
Intrepid
Fix Released
Undecided
Unassigned
Jaunty
Fix Released
Undecided
Stefan Lesicnik
Also affects project (?) Also affects distribution/package Nominate for series

Bug Description

Lasso 2.2.1 and earlier does not properly check the return value from the OpenSSL DSA_verify function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature, a similar vulnerability to CVE-2008-5077.

Stefan Lesicnik (stefanlsd) wrote :

Please sync lasso_2.2.1-2 from Debian Unstable (main) for Jaunty fix.

Changed in lasso:
assignee: nobody → stefanlsd
status: New → In Progress
Stefan Lesicnik (stefanlsd) wrote :
Stefan Lesicnik (stefanlsd) wrote :
Stefan Lesicnik (stefanlsd) wrote :
Stefan Lesicnik (stefanlsd) wrote :
Jamie Strandboge (jdstrand) on 2009-01-14
Changed in lasso:
status: New → Confirmed
status: New → Confirmed
status: New → Confirmed
status: New → Confirmed
status: In Progress → Confirmed
Jamie Strandboge (jdstrand) wrote :

Please sync lasso 2.2.1-2 from Debian unstable to Jaunty.

Changed in lasso:
status: Confirmed → Fix Committed
status: Confirmed → Fix Committed
status: Confirmed → Fix Committed
status: Confirmed → Fix Committed
status: Confirmed → Fix Committed
Jamie Strandboge (jdstrand) wrote :

Thanks Stefan! I'm processing the Dapper-Intrepid debdiffs now.

Changed in lasso:
status: Fix Committed → Confirmed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lasso - 2.0.0-1ubuntu1.1

---------------
lasso (2.0.0-1ubuntu1.1) gutsy-security; urgency=low

  * SECURITY UPDATE: lasso does not properly check the return value from the
    OpenSSL DSA_verify function (LP: #317181).
    - lasso/xml/tools.c: Correctly check for signature validity.
    - CVE-2009-0050

 -- Stefan Lesicnik <email address hidden> Wed, 14 Jan 2009 20:23:28 +0200

Changed in lasso:
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lasso - 2.1.1-2ubuntu1.1

---------------
lasso (2.1.1-2ubuntu1.1) hardy-security; urgency=low

  * SECURITY UPDATE: lasso does not properly check the return value from the
    OpenSSL DSA_verify function (LP: #317181).
    - lasso/xml/tools.c: Correctly check for signature validity.
    - CVE-2009-0050

 -- Stefan Lesicnik <email address hidden> Wed, 14 Jan 2009 20:18:30 +0200

Changed in lasso:
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lasso - 2.2.0-1ubuntu0.1

---------------
lasso (2.2.0-1ubuntu0.1) intrepid-security; urgency=low

  * SECURITY UPDATE: lasso does not properly check the return value from the
    OpenSSL DSA_verify function (LP: #317181).
    - lasso/xml/tools.c: Correctly check for signature validity.
    - CVE-2009-0050

 -- Stefan Lesicnik <email address hidden> Wed, 14 Jan 2009 19:56:22 +0200

Changed in lasso:
status: Fix Committed → Fix Released
Jamie Strandboge (jdstrand) on 2009-01-15
Changed in lasso:
status: Fix Committed → Fix Released
Colin Watson (cjwatson) wrote :

[Updating] lasso (2.2.1-1 [Ubuntu] < 2.2.1-2 [Debian])
 * Trying to add lasso...
  - <lasso_2.2.1-2.dsc: downloading from http://ftp.debian.org/debian/>
  - <lasso_2.2.1-2.diff.gz: downloading from http://ftp.debian.org/debian/>
  - <lasso_2.2.1.orig.tar.gz: already in distro - downloading from librarian>
I: lasso [universe] -> liblasso3-dev_2.2.1-1 [universe].
I: lasso [universe] -> liblasso3_2.2.1-1 [universe].
I: lasso [universe] -> python-lasso_2.2.1-1 [universe].
I: lasso [universe] -> liblasso-java_2.2.1-1 [universe].
I: lasso [universe] -> liblasso-perl_2.2.1-1 [universe].
I: lasso [universe] -> php5-lasso_2.2.1-1 [universe].

Colin Watson (cjwatson) wrote :

[Updating] lasso (2.2.1-1 [Ubuntu] < 2.2.1-2 [Debian])
 * Trying to add lasso...
  - <lasso_2.2.1-2.dsc: cached>
  - <lasso_2.2.1-2.diff.gz: cached>
  - <lasso_2.2.1.orig.tar.gz: already in distro - downloading from librarian>
I: lasso [universe] -> liblasso3-dev_2.2.1-1 [universe].
I: lasso [universe] -> liblasso3_2.2.1-1 [universe].
I: lasso [universe] -> python-lasso_2.2.1-1 [universe].
I: lasso [universe] -> liblasso-java_2.2.1-1 [universe].
I: lasso [universe] -> liblasso-perl_2.2.1-1 [universe].
I: lasso [universe] -> php5-lasso_2.2.1-1 [universe].

Colin Watson (cjwatson) wrote :

(Sorry about the duplicate comment there.)

Changed in lasso:
status: Confirmed → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Bug attachments