PublicDateAtUSN: 2021-06-01 12:00:00 UTC
Candidate: CVE-2021-28091
CRD: 2021-06-01 12:00:00 UTC
PublicDate: 2021-06-04 15:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28091
 https://git.entrouvert.org/lasso.git/commit/?id=ea7e5efe9741e1b1787a58af16cb15b40c23be5a
 https://blogs.akamai.com/2021/06/saml-implementation-vulnerability-impacting-some-akamai-services.html
 https://blogs.akamai.com/2021/06/akamai-eaa-impersonation-vulnerability---a-deep-dive.html
 https://blogs.akamai.com/2021/06/sogo-and-packetfence-impacted-by-saml-implementation-vulnerabilities.html
 https://ubuntu.com/security/notices/USN-4974-1
Description:
 Lasso all versions prior to 2.7.0 has improper verification of a cryptographic signature.
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
Priority: medium
Discovered-by:
Assigned-to: amurray
CVSS:
 akamai: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H [8.8 HIGH]
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N [7.5 HIGH]

Patches_lasso:
 upstream: https://git.entrouvert.org/lasso.git/commit/?id=ea7e5efe9741e1b1787a58af16cb15b40c23be5a
upstream_lasso: needs-triage
precise/esm_lasso: DNE
trusty_lasso: ignored (out of standard support)
trusty/esm_lasso: DNE
xenial_lasso: ignored (end of standard support, was needed)
bionic_lasso: released (2.5.1-0ubuntu1.2)
focal_lasso: released (2.6.0-7ubuntu1.2)
groovy_lasso: released (2.6.0-7ubuntu2.1)
hirsute_lasso: released (2.6.1-2ubuntu0.1)
impish_lasso: not-affected (2.6.1-3)
jammy_lasso: not-affected (2.6.1-3)
devel_lasso: not-affected (2.6.1-3)