FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

lasso -- signature checking failure

Affected packages
lasso < 2.7.0

Details

VuXML ID 417de1e6-c31b-11eb-9633-b42e99a1b9c3
Discovery 2021-06-01
Entry 2021-06-01

entrouvert reports:

When AuthnResponse messages are not signed (which is permitted by the specification), all assertions' signatures should be checked, but currently after the first signed assertion is checked all following assertions are accepted without checking their signature, and the last one is considered the main assertion.
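
The following Python model is an added illustration of the verification logic the report describes; it is not lasso code. It stands in for XML-DSig with an HMAC over an assertion body (an assumption made for brevity), and contrasts a selector that stops checking after the first verified assertion with one that checks every assertion when the enclosing response is unsigned.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional

KEY = b"idp-signing-key"  # constructed stand-in for the IdP's key


@dataclass
class Assertion:
    payload: str                  # constructed assertion body
    signature: Optional[bytes]    # MAC over payload, or None when unsigned


def sign(payload: str) -> bytes:
    return hmac.new(KEY, payload.encode(), hashlib.sha256).digest()


def signature_ok(a: Assertion) -> bool:
    return a.signature is not None and hmac.compare_digest(a.signature, sign(a.payload))


def vulnerable_select(assertions: List[Assertion], response_signed: bool) -> Optional[Assertion]:
    """Model of the pre-2.7.0 behaviour in the report: after one signed
    assertion verifies, later ones are accepted unchecked; the last one wins."""
    if not assertions:
        return None
    if not response_signed:
        verified_one = False
        for a in assertions:
            if verified_one:
                continue              # defect: no further signature checks
            if not signature_ok(a):
                return None
            verified_one = True
    return assertions[-1]


def fixed_select(assertions: List[Assertion], response_signed: bool) -> Optional[Assertion]:
    """Corrected logic: with an unsigned response every assertion must verify."""
    if not assertions:
        return None
    if not response_signed and not all(signature_ok(a) for a in assertions):
        return None
    return assertions[-1]


def demo():
    signed = Assertion("subject=alice", sign("subject=alice"))
    unsigned = Assertion("subject=bob", None)        # constructed, tampered
    msgs = [signed, unsigned]
    vuln = vulnerable_select(msgs, response_signed=False)
    return (vuln.payload if vuln else None, fixed_select(msgs, response_signed=False))
```

`demo()` returns `("subject=bob", None)`: the flawed selector trusts the unsigned trailing assertion, while the corrected one rejects the whole response.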

References

CVE Name CVE-2021-28091
URL https://git.entrouvert.org/lasso.git/tree/NEWS?id=v2.7.0