Lasso has insecure cryptographic functions. The vulnerability exists due to the lack of sanitization in the mod_auth_mellon.
listes.entrouvert.com/arc/lasso/
access.redhat.com/errata/RHSA-2021:2989
access.redhat.com/security/updates/classification/#important
blogs.akamai.com/2021/06/akamai-eaa-impersonation-vulnerability---a-deep-dive.html
bugzilla.redhat.com/show_bug.cgi?id=1940089
git.entrouvert.org/lasso.git/commit/?id=076a37d7f0eb74001127481da2d355683693cde9
git.entrouvert.org/lasso.git/tree/NEWS?id=v2.7.0
lists.debian.org/debian-lts-announce/2021/06/msg00013.html
lists.fedoraproject.org/archives/list/[email protected]/message/SI4YAQF4VEV2KHQ6OXXZL7CJK7IZQ3EG/
lists.fedoraproject.org/archives/list/[email protected]/message/YSVWOHBBWLI2RB5C6TXINFEJRT4YSD3D/
www.debian.org/security/2021/dsa-4926