Red Hat Product Errata RHSA-2021:2989 - Security Advisory
Issued:
2021-08-02
Updated:
2021-08-02

RHSA-2021:2989 - Security Advisory

Synopsis

Important: lasso security update

Type/Severity

Security Advisory: Important

Red Hat Lightspeed patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An update for lasso is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

The lasso packages provide the Lasso library that implements the Liberty Alliance Single Sign-On standards, including the SAML and SAML2 specifications. It allows handling of the whole life-cycle of SAML-based federations and provides bindings for multiple languages.

Security Fix(es):

  • lasso: XML signature wrapping vulnerability when parsing SAML responses (CVE-2021-28091)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

  • Red Hat Enterprise Linux Server 7 x86_64
  • Red Hat Enterprise Linux Server - Extended Life Cycle Support 7 x86_64
  • Red Hat Enterprise Linux Workstation 7 x86_64
  • Red Hat Enterprise Linux for IBM z Systems 7 s390x
  • Red Hat Enterprise Linux for Power, big endian 7 ppc64
  • Red Hat Enterprise Linux for Power, little endian 7 ppc64le
  • Red Hat Enterprise Linux Server - Extended Life Cycle Support (for IBM z Systems) 7 s390x
  • Red Hat Enterprise Linux Server - Extended Life Cycle Support for IBM Power, big endian 7 ppc64
  • Red Hat Enterprise Linux Server - Extended Life Cycle Support for IBM Power, little endian 7 ppc64le

Fixes

  • BZ - 1940089 - CVE-2021-28091 lasso: XML signature wrapping vulnerability when parsing SAML responses

Red Hat Enterprise Linux Server 7

SRPM
lasso-2.5.1-8.el7_9.src.rpm SHA-256: 83713085dc8647c1c107c534d49107d801be5158353c98c5e42946f3992c12c5
x86_64
lasso-2.5.1-8.el7_9.i686.rpm SHA-256: 2cba61b661bdf6cfed13a12684eef1fb15c8a2d8c4153916054ac19a9c8b09a5
lasso-2.5.1-8.el7_9.x86_64.rpm SHA-256: fd08ff65625994059674891d77de47fa4f10df6288e893d5c27646fdb5bb9d88
lasso-debuginfo-2.5.1-8.el7_9.i686.rpm SHA-256: e8383c290af887cb70615467559936c51f1665460a9618bfa465e8eeba4908fe
lasso-debuginfo-2.5.1-8.el7_9.i686.rpm SHA-256: e8383c290af887cb70615467559936c51f1665460a9618bfa465e8eeba4908fe
lasso-debuginfo-2.5.1-8.el7_9.x86_64.rpm SHA-256: 4a46ea7c5bc590aeef5c6922e6d6a5e7e268ef42646fa613743c1e261d7aa7b6
lasso-debuginfo-2.5.1-8.el7_9.x86_64.rpm SHA-256: 4a46ea7c5bc590aeef5c6922e6d6a5e7e268ef42646fa613743c1e261d7aa7b6
lasso-devel-2.5.1-8.el7_9.i686.rpm SHA-256: 9f822b129bf3ed173120d00973cce054413f3d3da5bc7b4f59283006f83beb6b
lasso-devel-2.5.1-8.el7_9.x86_64.rpm SHA-256: bdacedebb0661d9cafab0493a384c2cd256a36bd21e0949f41e25a9780be19f6
lasso-python-2.5.1-8.el7_9.x86_64.rpm SHA-256: 92906133338d2ef7286a957aad4f8e1e96711a769c267d27a311f810715073dd

Red Hat Enterprise Linux Server - Extended Life Cycle Support 7

SRPM
lasso-2.5.1-8.el7_9.src.rpm SHA-256: 83713085dc8647c1c107c534d49107d801be5158353c98c5e42946f3992c12c5
x86_64
lasso-2.5.1-8.el7_9.i686.rpm SHA-256: 2cba61b661bdf6cfed13a12684eef1fb15c8a2d8c4153916054ac19a9c8b09a5
lasso-2.5.1-8.el7_9.x86_64.rpm SHA-256: fd08ff65625994059674891d77de47fa4f10df6288e893d5c27646fdb5bb9d88
lasso-debuginfo-2.5.1-8.el7_9.i686.rpm SHA-256: e8383c290af887cb70615467559936c51f1665460a9618bfa465e8eeba4908fe
lasso-debuginfo-2.5.1-8.el7_9.i686.rpm SHA-256: e8383c290af887cb70615467559936c51f1665460a9618bfa465e8eeba4908fe
lasso-debuginfo-2.5.1-8.el7_9.x86_64.rpm SHA-256: 4a46ea7c5bc590aeef5c6922e6d6a5e7e268ef42646fa613743c1e261d7aa7b6
lasso-debuginfo-2.5.1-8.el7_9.x86_64.rpm SHA-256: 4a46ea7c5bc590aeef5c6922e6d6a5e7e268ef42646fa613743c1e261d7aa7b6
lasso-devel-2.5.1-8.el7_9.i686.rpm SHA-256: 9f822b129bf3ed173120d00973cce054413f3d3da5bc7b4f59283006f83beb6b
lasso-devel-2.5.1-8.el7_9.x86_64.rpm SHA-256: bdacedebb0661d9cafab0493a384c2cd256a36bd21e0949f41e25a9780be19f6
lasso-python-2.5.1-8.el7_9.x86_64.rpm SHA-256: 92906133338d2ef7286a957aad4f8e1e96711a769c267d27a311f810715073dd

Red Hat Enterprise Linux Workstation 7

SRPM
lasso-2.5.1-8.el7_9.src.rpm SHA-256: 83713085dc8647c1c107c534d49107d801be5158353c98c5e42946f3992c12c5
x86_64
lasso-2.5.1-8.el7_9.i686.rpm SHA-256: 2cba61b661bdf6cfed13a12684eef1fb15c8a2d8c4153916054ac19a9c8b09a5
lasso-2.5.1-8.el7_9.x86_64.rpm SHA-256: fd08ff65625994059674891d77de47fa4f10df6288e893d5c27646fdb5bb9d88
lasso-debuginfo-2.5.1-8.el7_9.i686.rpm SHA-256: e8383c290af887cb70615467559936c51f1665460a9618bfa465e8eeba4908fe
lasso-debuginfo-2.5.1-8.el7_9.i686.rpm SHA-256: e8383c290af887cb70615467559936c51f1665460a9618bfa465e8eeba4908fe
lasso-debuginfo-2.5.1-8.el7_9.x86_64.rpm SHA-256: 4a46ea7c5bc590aeef5c6922e6d6a5e7e268ef42646fa613743c1e261d7aa7b6
lasso-debuginfo-2.5.1-8.el7_9.x86_64.rpm SHA-256: 4a46ea7c5bc590aeef5c6922e6d6a5e7e268ef42646fa613743c1e261d7aa7b6
lasso-devel-2.5.1-8.el7_9.i686.rpm SHA-256: 9f822b129bf3ed173120d00973cce054413f3d3da5bc7b4f59283006f83beb6b
lasso-devel-2.5.1-8.el7_9.x86_64.rpm SHA-256: bdacedebb0661d9cafab0493a384c2cd256a36bd21e0949f41e25a9780be19f6
lasso-python-2.5.1-8.el7_9.x86_64.rpm SHA-256: 92906133338d2ef7286a957aad4f8e1e96711a769c267d27a311f810715073dd

Red Hat Enterprise Linux for IBM z Systems 7

SRPM
lasso-2.5.1-8.el7_9.src.rpm SHA-256: 83713085dc8647c1c107c534d49107d801be5158353c98c5e42946f3992c12c5
s390x
lasso-2.5.1-8.el7_9.s390.rpm SHA-256: a092b8d3365dfcc5267fdc1a7c130202283f378f1feb8dd067b126e6c10d87e1
lasso-2.5.1-8.el7_9.s390x.rpm SHA-256: f25ae896987c276bc2802c4e5e4bacf2dc6b9c69826989545ec60369abce7638
lasso-debuginfo-2.5.1-8.el7_9.s390.rpm SHA-256: 8d5f00b8694fcdf62af99103123c45ccaf38e079e9161aeb386b9f01e7d63a24
lasso-debuginfo-2.5.1-8.el7_9.s390.rpm SHA-256: 8d5f00b8694fcdf62af99103123c45ccaf38e079e9161aeb386b9f01e7d63a24
lasso-debuginfo-2.5.1-8.el7_9.s390x.rpm SHA-256: 465135ce5812753b5bea59e90bfd642ffdbed53880a6cf76d9290428f2711aef
lasso-debuginfo-2.5.1-8.el7_9.s390x.rpm SHA-256: 465135ce5812753b5bea59e90bfd642ffdbed53880a6cf76d9290428f2711aef
lasso-devel-2.5.1-8.el7_9.s390.rpm SHA-256: 0d1e628e3146f0d823d5dfc4b7cf633d6c64f0da94e6ad7d7357b0ba4be134ca
lasso-devel-2.5.1-8.el7_9.s390x.rpm SHA-256: 8f82c8e4aff4352b911a9aaab87793ec2050233a8f900666f4f2f35b834470b1
lasso-python-2.5.1-8.el7_9.s390x.rpm SHA-256: bc3fd179ab3036905628aa1e4b583d89ddd3320ecdf0f2bd5734b757c1b8dbed

Red Hat Enterprise Linux for Power, big endian 7

SRPM
lasso-2.5.1-8.el7_9.src.rpm SHA-256: 83713085dc8647c1c107c534d49107d801be5158353c98c5e42946f3992c12c5
ppc64
lasso-2.5.1-8.el7_9.ppc.rpm SHA-256: ee0bfc7552a271cfecfbfdaf9b1fc46b727a40c2c6671e7cdaa3377d62ee740e
lasso-2.5.1-8.el7_9.ppc64.rpm SHA-256: 65a247a6e7b7719d9b2c284b074fd32efd063e3227359a0ddcc803932461287b
lasso-debuginfo-2.5.1-8.el7_9.ppc.rpm SHA-256: 8d26b47f8af1200f89c7e22fc4b87b7d5435d88b178bead2e2b30291ecb1e02e
lasso-debuginfo-2.5.1-8.el7_9.ppc.rpm SHA-256: 8d26b47f8af1200f89c7e22fc4b87b7d5435d88b178bead2e2b30291ecb1e02e
lasso-debuginfo-2.5.1-8.el7_9.ppc64.rpm SHA-256: 1c2027d5fb8415428d3f170a979c62c152dba69816724e6eedb293ecee5ce2a5
lasso-debuginfo-2.5.1-8.el7_9.ppc64.rpm SHA-256: 1c2027d5fb8415428d3f170a979c62c152dba69816724e6eedb293ecee5ce2a5
lasso-devel-2.5.1-8.el7_9.ppc.rpm SHA-256: 9b7205790b35b73582dfd0b1136f52fe71ecf1223a29ee6aa299c149df1b308c
lasso-devel-2.5.1-8.el7_9.ppc64.rpm SHA-256: c06c1d4fe305b15fbf2a6b25cdc1e8eaf6b3f5b26e8ec78c749323ac9291dd55
lasso-python-2.5.1-8.el7_9.ppc64.rpm SHA-256: 20a12c0965853429e4af7d405c3fca2bbd69d444adfa2b522baa4b143adec90b

Red Hat Enterprise Linux for Power, little endian 7

SRPM
lasso-2.5.1-8.el7_9.src.rpm SHA-256: 83713085dc8647c1c107c534d49107d801be5158353c98c5e42946f3992c12c5
ppc64le
lasso-2.5.1-8.el7_9.ppc64le.rpm SHA-256: 105db4246b42cdadee119e85c4f9b448f7377fc4e6357c77266b4c1e7a30db6d
lasso-debuginfo-2.5.1-8.el7_9.ppc64le.rpm SHA-256: f783eb96d4eaca5be8f5f0b1a068230157c412af93414a944b4fa1819a383a8b
lasso-debuginfo-2.5.1-8.el7_9.ppc64le.rpm SHA-256: f783eb96d4eaca5be8f5f0b1a068230157c412af93414a944b4fa1819a383a8b
lasso-devel-2.5.1-8.el7_9.ppc64le.rpm SHA-256: 357a096fcc8dd9250bb3fea36f0b23e528823afc193a26245fea5165bf1a5504
lasso-python-2.5.1-8.el7_9.ppc64le.rpm SHA-256: f6e3ed849be1c6d845639a1bc009fc30e37d139b34cb600b517871be9c18faf4

Red Hat Enterprise Linux Server - Extended Life Cycle Support (for IBM z Systems) 7

SRPM
lasso-2.5.1-8.el7_9.src.rpm SHA-256: 83713085dc8647c1c107c534d49107d801be5158353c98c5e42946f3992c12c5
s390x
lasso-2.5.1-8.el7_9.s390.rpm SHA-256: a092b8d3365dfcc5267fdc1a7c130202283f378f1feb8dd067b126e6c10d87e1
lasso-2.5.1-8.el7_9.s390x.rpm SHA-256: f25ae896987c276bc2802c4e5e4bacf2dc6b9c69826989545ec60369abce7638
lasso-debuginfo-2.5.1-8.el7_9.s390.rpm SHA-256: 8d5f00b8694fcdf62af99103123c45ccaf38e079e9161aeb386b9f01e7d63a24
lasso-debuginfo-2.5.1-8.el7_9.s390.rpm SHA-256: 8d5f00b8694fcdf62af99103123c45ccaf38e079e9161aeb386b9f01e7d63a24
lasso-debuginfo-2.5.1-8.el7_9.s390x.rpm SHA-256: 465135ce5812753b5bea59e90bfd642ffdbed53880a6cf76d9290428f2711aef
lasso-debuginfo-2.5.1-8.el7_9.s390x.rpm SHA-256: 465135ce5812753b5bea59e90bfd642ffdbed53880a6cf76d9290428f2711aef
lasso-devel-2.5.1-8.el7_9.s390.rpm SHA-256: 0d1e628e3146f0d823d5dfc4b7cf633d6c64f0da94e6ad7d7357b0ba4be134ca
lasso-devel-2.5.1-8.el7_9.s390x.rpm SHA-256: 8f82c8e4aff4352b911a9aaab87793ec2050233a8f900666f4f2f35b834470b1
lasso-python-2.5.1-8.el7_9.s390x.rpm SHA-256: bc3fd179ab3036905628aa1e4b583d89ddd3320ecdf0f2bd5734b757c1b8dbed

Red Hat Enterprise Linux Server - Extended Life Cycle Support for IBM Power, big endian 7

SRPM
lasso-2.5.1-8.el7_9.src.rpm SHA-256: 83713085dc8647c1c107c534d49107d801be5158353c98c5e42946f3992c12c5
ppc64
lasso-2.5.1-8.el7_9.ppc.rpm SHA-256: ee0bfc7552a271cfecfbfdaf9b1fc46b727a40c2c6671e7cdaa3377d62ee740e
lasso-2.5.1-8.el7_9.ppc64.rpm SHA-256: 65a247a6e7b7719d9b2c284b074fd32efd063e3227359a0ddcc803932461287b
lasso-debuginfo-2.5.1-8.el7_9.ppc.rpm SHA-256: 8d26b47f8af1200f89c7e22fc4b87b7d5435d88b178bead2e2b30291ecb1e02e
lasso-debuginfo-2.5.1-8.el7_9.ppc.rpm SHA-256: 8d26b47f8af1200f89c7e22fc4b87b7d5435d88b178bead2e2b30291ecb1e02e
lasso-debuginfo-2.5.1-8.el7_9.ppc64.rpm SHA-256: 1c2027d5fb8415428d3f170a979c62c152dba69816724e6eedb293ecee5ce2a5
lasso-debuginfo-2.5.1-8.el7_9.ppc64.rpm SHA-256: 1c2027d5fb8415428d3f170a979c62c152dba69816724e6eedb293ecee5ce2a5
lasso-devel-2.5.1-8.el7_9.ppc.rpm SHA-256: 9b7205790b35b73582dfd0b1136f52fe71ecf1223a29ee6aa299c149df1b308c
lasso-devel-2.5.1-8.el7_9.ppc64.rpm SHA-256: c06c1d4fe305b15fbf2a6b25cdc1e8eaf6b3f5b26e8ec78c749323ac9291dd55
lasso-python-2.5.1-8.el7_9.ppc64.rpm SHA-256: 20a12c0965853429e4af7d405c3fca2bbd69d444adfa2b522baa4b143adec90b

Red Hat Enterprise Linux Server - Extended Life Cycle Support for IBM Power, little endian 7

SRPM
lasso-2.5.1-8.el7_9.src.rpm SHA-256: 83713085dc8647c1c107c534d49107d801be5158353c98c5e42946f3992c12c5
ppc64le
lasso-2.5.1-8.el7_9.ppc64le.rpm SHA-256: 105db4246b42cdadee119e85c4f9b448f7377fc4e6357c77266b4c1e7a30db6d
lasso-debuginfo-2.5.1-8.el7_9.ppc64le.rpm SHA-256: f783eb96d4eaca5be8f5f0b1a068230157c412af93414a944b4fa1819a383a8b
lasso-debuginfo-2.5.1-8.el7_9.ppc64le.rpm SHA-256: f783eb96d4eaca5be8f5f0b1a068230157c412af93414a944b4fa1819a383a8b
lasso-devel-2.5.1-8.el7_9.ppc64le.rpm SHA-256: 357a096fcc8dd9250bb3fea36f0b23e528823afc193a26245fea5165bf1a5504
lasso-python-2.5.1-8.el7_9.ppc64le.rpm SHA-256: f6e3ed849be1c6d845639a1bc009fc30e37d139b34cb600b517871be9c18faf4

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.