An update for lasso is now available for openEuler-22.03-LTS-SP4 Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2025-2662 Final 1.0 1.0 2025-11-14 Initial 2025-11-14 2025-11-14 openEuler SA Tool V1.0 2025-11-14 lasso security update An update for lasso is now available for openEuler-22.03-LTS-SP4 The package is a implements the Liberty Alliance Single Sign On standards library, includeing the SAML2 and SAML specifications. it provides bindings for multiple languages.and allows to handle the whole life-cycle of SAML based Federations. Security Fix(es): A denial of service vulnerability exists in the lasso_provider_verify_saml_signature functionality of Entr'ouvert Lasso 2.5.1. A specially crafted SAML response can lead to a denial of service. An attacker can send a malformed SAML response to trigger this vulnerability.(CVE-2025-46404) A denial of service vulnerability exists in the g_assert_not_reached functionality of Entr ouvert Lasso 2.5.1 and 2.8.2. A specially crafted SAML assertion response can lead to a denial of service. An attacker can send a malformed SAML response to trigger this vulnerability.(CVE-2025-46705) A denial of service vulnerability exists in the lasso_node_init_from_message_with_format functionality of Entr ouvert Lasso 2.5.1. A specially crafted SAML response can lead to a memory depletion, resulting in denial of service. An attacker can send a malformed SAML response to trigger this vulnerability.(CVE-2025-46784) A type confusion vulnerability exists in the lasso_node_impl_init_from_xml functionality of Entr'ouvert Lasso 2.5.1 and 2.8.2. A specially crafted SAML response can lead to an arbitrary code execution. An attacker can send a malformed SAML response to trigger this vulnerability.(CVE-2025-47151) An update for lasso is now available for openEuler-22.03-LTS-SP4. openEuler Security has rated this update as having a security impact of critical. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. Critical lasso https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-2662 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-46404 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-46705 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-46784 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-47151 https://nvd.nist.gov/vuln/detail/CVE-2025-46404 https://nvd.nist.gov/vuln/detail/CVE-2025-46705 https://nvd.nist.gov/vuln/detail/CVE-2025-46784 https://nvd.nist.gov/vuln/detail/CVE-2025-47151 openEuler-22.03-LTS-SP4 java-lasso-2.7.0-2.oe2203sp4.aarch64.rpm lasso-2.7.0-2.oe2203sp4.aarch64.rpm lasso-debuginfo-2.7.0-2.oe2203sp4.aarch64.rpm lasso-debugsource-2.7.0-2.oe2203sp4.aarch64.rpm lasso-devel-2.7.0-2.oe2203sp4.aarch64.rpm lasso-help-2.7.0-2.oe2203sp4.aarch64.rpm perl-lasso-2.7.0-2.oe2203sp4.aarch64.rpm python3-lasso-2.7.0-2.oe2203sp4.aarch64.rpm java-lasso-2.7.0-2.oe2203sp4.x86_64.rpm lasso-2.7.0-2.oe2203sp4.x86_64.rpm lasso-debuginfo-2.7.0-2.oe2203sp4.x86_64.rpm lasso-debugsource-2.7.0-2.oe2203sp4.x86_64.rpm lasso-devel-2.7.0-2.oe2203sp4.x86_64.rpm lasso-help-2.7.0-2.oe2203sp4.x86_64.rpm perl-lasso-2.7.0-2.oe2203sp4.x86_64.rpm python3-lasso-2.7.0-2.oe2203sp4.x86_64.rpm lasso-2.7.0-2.oe2203sp4.src.rpm A denial of service vulnerability exists in the lasso_provider_verify_saml_signature functionality of Entr'ouvert Lasso 2.5.1. A specially crafted SAML response can lead to a denial of service. An attacker can send a malformed SAML response to trigger this vulnerability. 2025-11-14 CVE-2025-46404 openEuler-22.03-LTS-SP4 High 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H lasso security update 2025-11-14 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-2662 A denial of service vulnerability exists in the g_assert_not_reached functionality of Entr ouvert Lasso 2.5.1 and 2.8.2. A specially crafted SAML assertion response can lead to a denial of service. An attacker can send a malformed SAML response to trigger this vulnerability. 2025-11-14 CVE-2025-46705 openEuler-22.03-LTS-SP4 High 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H lasso security update 2025-11-14 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-2662 A denial of service vulnerability exists in the lasso_node_init_from_message_with_format functionality of Entr ouvert Lasso 2.5.1. A specially crafted SAML response can lead to a memory depletion, resulting in denial of service. An attacker can send a malformed SAML response to trigger this vulnerability. 2025-11-14 CVE-2025-46784 openEuler-22.03-LTS-SP4 High 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H lasso security update 2025-11-14 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-2662 A type confusion vulnerability exists in the lasso_node_impl_init_from_xml functionality of Entr'ouvert Lasso 2.5.1 and 2.8.2. A specially crafted SAML response can lead to an arbitrary code execution. An attacker can send a malformed SAML response to trigger this vulnerability. 2025-11-14 CVE-2025-47151 openEuler-22.03-LTS-SP4 Critical 9.8 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H lasso security update 2025-11-14 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-2662