{"id":"OESA-2025-2666","summary":"lasso security update","details":"The package is a implements the Liberty Alliance Single Sign On standards library, includeing the SAML2 and SAML specifications. it provides bindings for multiple languages.and allows to handle the whole life-cycle of SAML based Federations.\r\n\r\nSecurity Fix(es):\n\nA denial of service vulnerability exists in the lasso_provider_verify_saml_signature functionality of Entr'ouvert Lasso 2.5.1. A specially crafted SAML response can lead to a denial of service. An attacker can send a malformed SAML response to trigger this vulnerability.(CVE-2025-46404)\n\nA denial of service vulnerability exists in the g_assert_not_reached functionality of Entr ouvert Lasso 2.5.1 and 2.8.2. A specially crafted SAML assertion response can lead to a denial of service. An attacker can send a malformed SAML response to trigger this vulnerability.(CVE-2025-46705)\n\nA denial of service vulnerability exists in the lasso_node_init_from_message_with_format functionality of Entr ouvert Lasso 2.5.1. A specially crafted SAML response can lead to a memory depletion, resulting in denial of service. An attacker can send a malformed SAML response to trigger this vulnerability.(CVE-2025-46784)\n\nA type confusion vulnerability exists in the lasso_node_impl_init_from_xml functionality of Entr'ouvert Lasso 2.5.1 and 2.8.2. A specially crafted SAML response can lead to an arbitrary code execution. An attacker can send a malformed SAML response to trigger this vulnerability.(CVE-2025-47151)","modified":"2025-11-14T13:02:48.684716Z","published":"2025-11-14T12:38:55Z","upstream":["CVE-2025-46404","CVE-2025-46705","CVE-2025-46784","CVE-2025-47151"],"database_specific":{"severity":"Critical"},"references":[{"type":"ADVISORY","url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-2666"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-46404"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-46705"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-46784"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-47151"}],"affected":[{"package":{"name":"lasso","ecosystem":"openEuler:22.03-LTS-SP3","purl":"pkg:rpm/openEuler/lasso&distro=openEuler-22.03-LTS-SP3"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.7.0-2.oe2203sp3"}]}],"ecosystem_specific":{"src":["lasso-2.7.0-2.oe2203sp3.src.rpm"],"x86_64":["java-lasso-2.7.0-2.oe2203sp3.x86_64.rpm","lasso-2.7.0-2.oe2203sp3.x86_64.rpm","lasso-debuginfo-2.7.0-2.oe2203sp3.x86_64.rpm","lasso-debugsource-2.7.0-2.oe2203sp3.x86_64.rpm","lasso-devel-2.7.0-2.oe2203sp3.x86_64.rpm","lasso-help-2.7.0-2.oe2203sp3.x86_64.rpm","perl-lasso-2.7.0-2.oe2203sp3.x86_64.rpm","python3-lasso-2.7.0-2.oe2203sp3.x86_64.rpm"],"aarch64":["java-lasso-2.7.0-2.oe2203sp3.aarch64.rpm","lasso-2.7.0-2.oe2203sp3.aarch64.rpm","lasso-debuginfo-2.7.0-2.oe2203sp3.aarch64.rpm","lasso-debugsource-2.7.0-2.oe2203sp3.aarch64.rpm","lasso-devel-2.7.0-2.oe2203sp3.aarch64.rpm","lasso-help-2.7.0-2.oe2203sp3.aarch64.rpm","perl-lasso-2.7.0-2.oe2203sp3.aarch64.rpm","python3-lasso-2.7.0-2.oe2203sp3.aarch64.rpm"]},"database_specific":{"source":"https://repo.openeuler.org/security/data/osv/OESA-2025-2666.json"}}],"schema_version":"1.7.3"}