1. Ubuntu Security Notices
  2. USN-4974-1

USN-4974-1: Lasso vulnerability

Publication date

2 June 2021

Overview

Applications using Lasso could be made to allow unintended access.

Releases

Packages

  • lasso - Liberty Alliance and SAML protocol Library

Details

It was discovered that Lasso did not properly verify that all
assertions in a SAML response were properly signed. An attacker
could possibly use this to impersonate users or otherwise bypass
access controls.

It was discovered that Lasso did not properly verify that all
assertions in a SAML response were properly signed. An attacker
could possibly use this to impersonate users or otherwise bypass
access controls.

Update instructions

After a standard system update you need to restart applications that use Lasso to make all the necessary changes.

Learn more about how to get the fixes.

The problem can be corrected by updating your system to the following package versions:

Ubuntu Release Package Version
21.04 hirsute liblasso-perl –  2.6.1-2ubuntu0.1
liblasso3 –  2.6.1-2ubuntu0.1
python3-lasso –  2.6.1-2ubuntu0.1
20.10 groovy liblasso-perl –  2.6.0-7ubuntu2.1
liblasso3 –  2.6.0-7ubuntu2.1
python3-lasso –  2.6.0-7ubuntu2.1
20.04 focal liblasso-perl –  2.6.0-7ubuntu1.2
liblasso3 –  2.6.0-7ubuntu1.2
python3-lasso –  2.6.0-7ubuntu1.2
18.04 bionic liblasso-perl –  2.5.1-0ubuntu1.2
liblasso3 –  2.5.1-0ubuntu1.2
python-lasso –  2.5.1-0ubuntu1.2
python3-lasso –  2.5.1-0ubuntu1.2

Reduce your security exposure

Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.

Get Ubuntu Pro

References

Have additional questions?

Talk to a member of the team ›