{"schema_version":"1.7.2","id":"OESA-2025-2664","modified":"2025-11-14T12:38:51Z","published":"2025-11-14T12:38:51Z","upstream":["CVE-2025-46404","CVE-2025-46705","CVE-2025-47151"],"summary":"lasso security update","details":"The package is a implements the Liberty Alliance Single Sign On standards library, includeing the SAML2 and SAML specifications. it provides bindings for multiple languages.and allows to handle the whole life-cycle of SAML based Federations.\r\n\r\nSecurity Fix(es):\n\nA denial of service vulnerability exists in the lasso_provider_verify_saml_signature functionality of Entr'ouvert Lasso 2.5.1. A specially crafted SAML response can lead to a denial of service. An attacker can send a malformed SAML response to trigger this vulnerability.(CVE-2025-46404)\n\nA denial of service vulnerability exists in the g_assert_not_reached functionality of Entr ouvert Lasso 2.5.1 and 2.8.2. A specially crafted SAML assertion response can lead to a denial of service. An attacker can send a malformed SAML response to trigger this vulnerability.(CVE-2025-46705)\n\nA type confusion vulnerability exists in the lasso_node_impl_init_from_xml functionality of Entr'ouvert Lasso 2.5.1 and 2.8.2. A specially crafted SAML response can lead to an arbitrary code execution. An attacker can send a malformed SAML response to trigger this vulnerability.(CVE-2025-47151)","affected":[{"package":{"ecosystem":"openEuler:24.03-LTS-SP1","name":"lasso","purl":"pkg:rpm/openEuler/lasso&distro=openEuler-24.03-LTS-SP1"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.8.2-3.oe2403sp1"}]}],"ecosystem_specific":{"aarch64":["lasso-2.8.2-3.oe2403sp1.aarch64.rpm","lasso-debuginfo-2.8.2-3.oe2403sp1.aarch64.rpm","lasso-debugsource-2.8.2-3.oe2403sp1.aarch64.rpm","lasso-devel-2.8.2-3.oe2403sp1.aarch64.rpm","lasso-help-2.8.2-3.oe2403sp1.aarch64.rpm","perl-lasso-2.8.2-3.oe2403sp1.aarch64.rpm","python3-lasso-2.8.2-3.oe2403sp1.aarch64.rpm"],"src":["lasso-2.8.2-3.oe2403sp1.src.rpm"],"x86_64":["lasso-2.8.2-3.oe2403sp1.x86_64.rpm","lasso-debuginfo-2.8.2-3.oe2403sp1.x86_64.rpm","lasso-debugsource-2.8.2-3.oe2403sp1.x86_64.rpm","lasso-devel-2.8.2-3.oe2403sp1.x86_64.rpm","lasso-help-2.8.2-3.oe2403sp1.x86_64.rpm","perl-lasso-2.8.2-3.oe2403sp1.x86_64.rpm","python3-lasso-2.8.2-3.oe2403sp1.x86_64.rpm"]}}],"references":[{"type":"ADVISORY","url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-2664"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-46404"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-46705"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-47151"}],"database_specific":{"severity":"Critical"}}