Security update for lasso SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2025-20083-1 Final 1 1 2025-11-25T13:27:21Z current 2025-11-25T13:27:21Z 2025-11-25T13:27:21Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for lasso This update for lasso fixes the following issues: - CVE-2025-46404: specially crafted SAML response can lead to a denial of service (bsc#1253092). - CVE-2025-46705: specially crafted SAML assertion response can lead to a denial of service (bsc#1253093). - CVE-2025-47151: type confusion vulnerability exists in the lasso_node_impl_init_from_xml functionality can lead to an arbitrary code execution (bsc#1253095). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Leap-16.0-52 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1253092 SUSE Bug 1253092 https://bugzilla.suse.com/1253093 SUSE Bug 1253093 https://bugzilla.suse.com/1253095 SUSE Bug 1253095 https://www.suse.com/security/cve/CVE-2025-46404/ SUSE CVE CVE-2025-46404 page https://www.suse.com/security/cve/CVE-2025-46705/ SUSE CVE CVE-2025-46705 page https://www.suse.com/security/cve/CVE-2025-47151/ SUSE CVE CVE-2025-47151 page openSUSE Leap 16.0 liblasso-devel-2.8.2-160000.3.1 liblasso3-2.8.2-160000.3.1 python3-lasso-2.8.2-160000.3.1 liblasso-devel-2.8.2-160000.3.1 as a component of openSUSE Leap 16.0 liblasso3-2.8.2-160000.3.1 as a component of openSUSE Leap 16.0 python3-lasso-2.8.2-160000.3.1 as a component of openSUSE Leap 16.0 A denial of service vulnerability exists in the lasso_provider_verify_saml_signature functionality of Entr'ouvert Lasso 2.5.1. A specially crafted SAML response can lead to a denial of service. An attacker can send a malformed SAML response to trigger this vulnerability. CVE-2025-46404 openSUSE Leap 16.0:liblasso-devel-2.8.2-160000.3.1 openSUSE Leap 16.0:liblasso3-2.8.2-160000.3.1 openSUSE Leap 16.0:python3-lasso-2.8.2-160000.3.1 critical To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-46404.html CVE-2025-46404 https://bugzilla.suse.com/1253092 SUSE Bug 1253092 A denial of service vulnerability exists in the g_assert_not_reached functionality of Entr'ouvert Lasso 2.5.1 and 2.8.2. A specially crafted SAML assertion response can lead to a denial of service. An attacker can send a malformed SAML response to trigger this vulnerability. CVE-2025-46705 openSUSE Leap 16.0:liblasso-devel-2.8.2-160000.3.1 openSUSE Leap 16.0:liblasso3-2.8.2-160000.3.1 openSUSE Leap 16.0:python3-lasso-2.8.2-160000.3.1 critical To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-46705.html CVE-2025-46705 https://bugzilla.suse.com/1253093 SUSE Bug 1253093 A type confusion vulnerability exists in the lasso_node_impl_init_from_xml functionality of Entr'ouvert Lasso 2.5.1 and 2.8.2. A specially crafted SAML response can lead to an arbitrary code execution. An attacker can send a malformed SAML response to trigger this vulnerability. CVE-2025-47151 openSUSE Leap 16.0:liblasso-devel-2.8.2-160000.3.1 openSUSE Leap 16.0:liblasso3-2.8.2-160000.3.1 openSUSE Leap 16.0:python3-lasso-2.8.2-160000.3.1 critical To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-47151.html CVE-2025-47151 https://bugzilla.suse.com/1253095 SUSE Bug 1253095