ALAS2-2025-3077

Amazon Linux 2 Security Advisory: ALAS2-2025-3077
Advisory Released Date: 2025-11-10
Advisory Updated Date: 2025-11-10

Severity: Critical

References: CVE-2025-46404 CVE-2025-46705 CVE-2025-46784 CVE-2025-47151
FAQs regarding Amazon Linux ALAS/CVE Severity

Issue Overview:

A denial of service vulnerability exists in the lasso_provider_verify_saml_signature functionality of Entr'ouvert Lasso 2.5.1. A specially crafted SAML response can lead to a denial of service. An attacker can send a malformed SAML response to trigger this vulnerability. (CVE-2025-46404)

A denial of service vulnerability exists in the g_assert_not_reached functionality of Entr'ouvert Lasso 2.5.1 and 2.8.2. A specially crafted SAML assertion response can lead to a denial of service. An attacker can send a malformed SAML response to trigger this vulnerability. (CVE-2025-46705)

A denial of service vulnerability exists in the lasso_node_init_from_message_with_format functionality of Entr'ouvert Lasso 2.5.1. A specially crafted SAML response can lead to a memory depletion, resulting in denial of service. An attacker can send a malformed SAML response to trigger this vulnerability. (CVE-2025-46784)

A type confusion vulnerability exists in the lasso_node_impl_init_from_xml functionality of Entr'ouvert Lasso 2.5.1 and 2.8.2. A specially crafted SAML response can lead to an arbitrary code execution. An attacker can send a malformed SAML response to trigger this vulnerability. (CVE-2025-47151)

Affected Packages:

lasso

Note:

This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.

Issue Correction:
Run yum update lasso or yum update --advisory ALAS2-2025-3077 to update your system.

New Packages:

aarch64:
    lasso-2.9.0-1.amzn2.0.1.aarch64
    lasso-devel-2.9.0-1.amzn2.0.1.aarch64
    python3-lasso-2.9.0-1.amzn2.0.1.aarch64
    lasso-debuginfo-2.9.0-1.amzn2.0.1.aarch64

i686:
    lasso-2.9.0-1.amzn2.0.1.i686
    lasso-devel-2.9.0-1.amzn2.0.1.i686
    python3-lasso-2.9.0-1.amzn2.0.1.i686
    lasso-debuginfo-2.9.0-1.amzn2.0.1.i686

src:
    lasso-2.9.0-1.amzn2.0.1.src

x86_64:
    lasso-2.9.0-1.amzn2.0.1.x86_64
    lasso-devel-2.9.0-1.amzn2.0.1.x86_64
    python3-lasso-2.9.0-1.amzn2.0.1.x86_64
    lasso-debuginfo-2.9.0-1.amzn2.0.1.x86_64

Additional References

Release Notes: Amazon Linux 2 Release Notes

Red Hat: CVE-2025-46404, CVE-2025-46705, CVE-2025-46784, CVE-2025-47151

Mitre: CVE-2025-46404, CVE-2025-46705, CVE-2025-46784, CVE-2025-47151