Amazon Linux 2 Security Advisory: ALAS-2021-1660
Advisory Release Date: 2021-06-16 20:37 Pacific
Advisory Updated Date: 2021-06-22 22:22 Pacific
Severity:
Important
Issue Overview:
An XML Signature Wrapping (XSW) vulnerability was found in Lasso. This flaw allows an attacker to modify a valid SAML response to include an unsigned SAML assertion, which may be used to impersonate another valid user recognized by the service using Lasso. The highest threat from this vulnerability is to data confidentiality and integrity as well as service availability. (CVE-2021-28091)
Affected Packages:
lasso
Note:
This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.
Issue Correction:
Run yum update lasso to update your system.
New Packages:
aarch64:
lasso-2.5.1-5.amzn2.0.1.aarch64
lasso-devel-2.5.1-5.amzn2.0.1.aarch64
lasso-python-2.5.1-5.amzn2.0.1.aarch64
lasso-debuginfo-2.5.1-5.amzn2.0.1.aarch64
i686:
lasso-2.5.1-5.amzn2.0.1.i686
lasso-devel-2.5.1-5.amzn2.0.1.i686
lasso-python-2.5.1-5.amzn2.0.1.i686
lasso-debuginfo-2.5.1-5.amzn2.0.1.i686
src:
lasso-2.5.1-5.amzn2.0.1.src
x86_64:
lasso-2.5.1-5.amzn2.0.1.x86_64
lasso-devel-2.5.1-5.amzn2.0.1.x86_64
lasso-python-2.5.1-5.amzn2.0.1.x86_64
lasso-debuginfo-2.5.1-5.amzn2.0.1.x86_64