[CVE-2009-0050] - Lasso 2.2.1 and earlier does not properly check the return value from the OpenSSL DSA_verify function

Bug #317181 reported by Stefan Lesicnik
Affects         Status        Importance  Assigned to      Milestone
lasso (Ubuntu)  Fix Released  Undecided   Stefan Lesicnik
Dapper          Fix Released  Undecided   Unassigned
Gutsy           Fix Released  Undecided   Unassigned
Hardy           Fix Released  Undecided   Unassigned
Intrepid        Fix Released  Undecided   Unassigned
Jaunty          Fix Released  Undecided   Stefan Lesicnik

Bug Description

Lasso 2.2.1 and earlier does not properly check the return value from the OpenSSL DSA_verify function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature, a similar vulnerability to CVE-2008-5077.
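
An added example, not taken from Lasso or from the Ubuntu patch, of the return-value handling the description refers to: DSA_verify returns 1 for a valid signature, 0 for an incorrect one and -1 on error, so a boolean-style test lets the error case through. `stub_verify` and the one-byte sample inputs are constructed stand-ins that follow the same convention, so the block runs without OpenSSL.

```c
#include <stdio.h>
#include <stddef.h>

/* Hypothetical stand-in for a verifier with the DSA_verify() convention:
 *   1 = signature valid, 0 = signature incorrect, -1 = error
 * (for example, a signature blob that cannot be decoded).
 * Constructed inputs: first byte 'G' = good, 'M' = malformed, else bad. */
static int stub_verify(const unsigned char *sig, size_t len)
{
    if (sig == NULL || len == 0 || sig[0] == 'M')
        return -1;                    /* could not even parse the signature */
    return sig[0] == 'G' ? 1 : 0;
}

/* Flawed pattern: the result is treated as a boolean, so -1 counts as success. */
int accept_flawed(const unsigned char *sig, size_t len)
{
    if (!stub_verify(sig, len))
        return 0;                     /* rejected only when the result is exactly 0 */
    return 1;                         /* reached for 1 and also for -1 */
}

/* Corrected pattern: only an explicit 1 is acceptance; 0 and -1 both fail closed. */
int accept_strict(const unsigned char *sig, size_t len)
{
    return stub_verify(sig, len) == 1;
}

int main(void)
{
    /* Constructed sample inputs, one per return value of the verifier. */
    static const struct { const char *name; const char *sig; } cases[] = {
        { "valid", "G" }, { "incorrect", "B" }, { "malformed", "M" },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        const unsigned char *s = (const unsigned char *)cases[i].sig;
        printf("%-10s flawed=%d strict=%d\n", cases[i].name,
               accept_flawed(s, 1), accept_strict(s, 1));
    }
    return 0;
}
```

When auditing callers of OpenSSL verification functions with this convention, look for `if (!verify(...))` or `if (verify(...))` and replace them with an explicit comparison against 1.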

Stefan Lesicnik (stefanlsd) wrote :

Please sync lasso_2.2.1-2 from Debian Unstable (main) for Jaunty fix.

Changed in lasso:
assignee: nobody → stefanlsd
status: New → In Progress
Stefan Lesicnik (stefanlsd) wrote :
Changed in lasso:
status: New → Confirmed
status: New → Confirmed
status: New → Confirmed
status: New → Confirmed
status: In Progress → Confirmed
Jamie Strandboge (jdstrand) wrote :

Please sync lasso 2.2.1-2 from Debian unstable to Jaunty.

Changed in lasso:
status: Confirmed → Fix Committed
status: Confirmed → Fix Committed
status: Confirmed → Fix Committed
status: Confirmed → Fix Committed
status: Confirmed → Fix Committed
Jamie Strandboge (jdstrand) wrote :

Thanks Stefan! I'm processing the Dapper-Intrepid debdiffs now.

Changed in lasso:
status: Fix Committed → Confirmed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lasso - 2.0.0-1ubuntu1.1

---------------
lasso (2.0.0-1ubuntu1.1) gutsy-security; urgency=low

  * SECURITY UPDATE: lasso does not properly check the return value from the
    OpenSSL DSA_verify function (LP: #317181).
    - lasso/xml/tools.c: Correctly check for signature validity.
    - CVE-2009-0050

 -- Stefan Lesicnik <email address hidden> Wed, 14 Jan 2009 20:23:28 +0200

Changed in lasso:
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lasso - 2.1.1-2ubuntu1.1

---------------
lasso (2.1.1-2ubuntu1.1) hardy-security; urgency=low

  * SECURITY UPDATE: lasso does not properly check the return value from the
    OpenSSL DSA_verify function (LP: #317181).
    - lasso/xml/tools.c: Correctly check for signature validity.
    - CVE-2009-0050

 -- Stefan Lesicnik <email address hidden> Wed, 14 Jan 2009 20:18:30 +0200

Changed in lasso:
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lasso - 2.2.0-1ubuntu0.1

---------------
lasso (2.2.0-1ubuntu0.1) intrepid-security; urgency=low

  * SECURITY UPDATE: lasso does not properly check the return value from the
    OpenSSL DSA_verify function (LP: #317181).
    - lasso/xml/tools.c: Correctly check for signature validity.
    - CVE-2009-0050

 -- Stefan Lesicnik <email address hidden> Wed, 14 Jan 2009 19:56:22 +0200

Changed in lasso:
status: Fix Committed → Fix Released
Changed in lasso:
status: Fix Committed → Fix Released
Colin Watson (cjwatson) wrote :

[Updating] lasso (2.2.1-1 [Ubuntu] < 2.2.1-2 [Debian])
 * Trying to add lasso...
  - <lasso_2.2.1-2.dsc: downloading from http://ftp.debian.org/debian/>
  - <lasso_2.2.1-2.diff.gz: downloading from http://ftp.debian.org/debian/>
  - <lasso_2.2.1.orig.tar.gz: already in distro - downloading from librarian>
I: lasso [universe] -> liblasso3-dev_2.2.1-1 [universe].
I: lasso [universe] -> liblasso3_2.2.1-1 [universe].
I: lasso [universe] -> python-lasso_2.2.1-1 [universe].
I: lasso [universe] -> liblasso-java_2.2.1-1 [universe].
I: lasso [universe] -> liblasso-perl_2.2.1-1 [universe].
I: lasso [universe] -> php5-lasso_2.2.1-1 [universe].

Colin Watson (cjwatson) wrote :

[Updating] lasso (2.2.1-1 [Ubuntu] < 2.2.1-2 [Debian])
 * Trying to add lasso...
  - <lasso_2.2.1-2.dsc: cached>
  - <lasso_2.2.1-2.diff.gz: cached>
  - <lasso_2.2.1.orig.tar.gz: already in distro - downloading from librarian>
I: lasso [universe] -> liblasso3-dev_2.2.1-1 [universe].
I: lasso [universe] -> liblasso3_2.2.1-1 [universe].
I: lasso [universe] -> python-lasso_2.2.1-1 [universe].
I: lasso [universe] -> liblasso-java_2.2.1-1 [universe].
I: lasso [universe] -> liblasso-perl_2.2.1-1 [universe].
I: lasso [universe] -> php5-lasso_2.2.1-1 [universe].

Colin Watson (cjwatson) wrote :

(Sorry about the duplicate comment there.)

Changed in lasso:
status: Confirmed → Fix Released
This report contains Public Security information  
Everyone can see this security related information.
