Security update for lasso SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2025:4090-1 Final 1 1 2025-11-13T13:02:47Z current 2025-11-13T13:02:47Z 2025-11-13T13:02:47Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for lasso This update for lasso fixes the following issues: - CVE-2025-46784: Fixed memory exhaustion in Entr'ouvert Lasso (bsc#1253094) - CVE-2025-46404: Fixed denial of service in Entr'ouvert Lasso (bsc#1253092) - CVE-2025-46705: Fixed denial of service in Entr'ouvert Lasso (bsc#1253093) - CVE-2025-47151: Fixed type confusion vulnerability in the lasso_node_impl_init_from_xml functionality (bsc#1253095) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2025-4090,SUSE-SLE-Product-HPC-15-SP3-LTSS-2025-4090,SUSE-SLE-Product-HPC-15-SP4-ESPOS-2025-4090,SUSE-SLE-Product-HPC-15-SP4-LTSS-2025-4090,SUSE-SLE-Product-HPC-15-SP5-ESPOS-2025-4090,SUSE-SLE-Product-HPC-15-SP5-LTSS-2025-4090,SUSE-SLE-Product-SLES-15-SP3-LTSS-2025-4090,SUSE-SLE-Product-SLES-15-SP4-LTSS-2025-4090,SUSE-SLE-Product-SLES-15-SP5-LTSS-2025-4090,SUSE-SLE-Product-SLES_SAP-15-SP3-2025-4090,SUSE-SLE-Product-SLES_SAP-15-SP4-2025-4090,SUSE-SLE-Product-SLES_SAP-15-SP5-2025-4090,SUSE-SLE-Product-SUSE-Manager-Proxy-4.3-LTS-2025-4090,SUSE-SLE-Product-SUSE-Manager-Server-4.3-LTS-2025-4090,SUSE-Storage-7.1-2025-4090 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2025/suse-su-20254090-1/ Link for SUSE-SU-2025:4090-1 https://lists.suse.com/pipermail/sle-security-updates/2025-November/023277.html E-Mail link for SUSE-SU-2025:4090-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1253092 SUSE Bug 1253092 https://bugzilla.suse.com/1253093 SUSE Bug 1253093 https://bugzilla.suse.com/1253094 SUSE Bug 1253094 https://bugzilla.suse.com/1253095 SUSE Bug 1253095 https://www.suse.com/security/cve/CVE-2025-46404/ SUSE CVE CVE-2025-46404 page https://www.suse.com/security/cve/CVE-2025-46705/ SUSE CVE CVE-2025-46705 page https://www.suse.com/security/cve/CVE-2025-46784/ SUSE CVE CVE-2025-46784 page https://www.suse.com/security/cve/CVE-2025-47151/ SUSE CVE CVE-2025-47151 page SUSE Enterprise Storage 7.1 SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS SUSE Linux Enterprise Server 15 SP3-LTSS SUSE Linux Enterprise Server 15 SP4-LTSS SUSE Linux Enterprise Server 15 SP5-LTSS SUSE Linux Enterprise Server for SAP Applications 15 SP3 SUSE Linux Enterprise Server for SAP Applications 15 SP4 SUSE Linux Enterprise Server for SAP Applications 15 SP5 SUSE Manager Proxy LTS 4.3 SUSE Manager Server LTS 4.3 liblasso-devel-2.6.1-150200.24.1 liblasso3-2.6.1-150200.24.1 python3-lasso-2.6.1-150200.24.1 liblasso-devel-2.6.1-150200.24.1 as a component of SUSE Enterprise Storage 7.1 liblasso3-2.6.1-150200.24.1 as a component of SUSE Enterprise Storage 7.1 python3-lasso-2.6.1-150200.24.1 as a component of SUSE Enterprise Storage 7.1 liblasso-devel-2.6.1-150200.24.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS liblasso3-2.6.1-150200.24.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS python3-lasso-2.6.1-150200.24.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS liblasso3-2.6.1-150200.24.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS liblasso3-2.6.1-150200.24.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS liblasso3-2.6.1-150200.24.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS liblasso3-2.6.1-150200.24.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS liblasso-devel-2.6.1-150200.24.1 as a component of SUSE Linux Enterprise Server 15 SP3-LTSS liblasso3-2.6.1-150200.24.1 as a component of SUSE Linux Enterprise Server 15 SP3-LTSS python3-lasso-2.6.1-150200.24.1 as a component of SUSE Linux Enterprise Server 15 SP3-LTSS liblasso3-2.6.1-150200.24.1 as a component of SUSE Linux Enterprise Server 15 SP4-LTSS liblasso3-2.6.1-150200.24.1 as a component of SUSE Linux Enterprise Server 15 SP5-LTSS liblasso-devel-2.6.1-150200.24.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP3 liblasso3-2.6.1-150200.24.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP3 python3-lasso-2.6.1-150200.24.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP3 liblasso3-2.6.1-150200.24.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP4 liblasso3-2.6.1-150200.24.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP5 liblasso3-2.6.1-150200.24.1 as a component of SUSE Manager Proxy LTS 4.3 liblasso3-2.6.1-150200.24.1 as a component of SUSE Manager Server LTS 4.3 A denial of service vulnerability exists in the lasso_provider_verify_saml_signature functionality of Entr'ouvert Lasso 2.5.1. A specially crafted SAML response can lead to a denial of service. An attacker can send a malformed SAML response to trigger this vulnerability. CVE-2025-46404 SUSE Enterprise Storage 7.1:liblasso-devel-2.6.1-150200.24.1 SUSE Enterprise Storage 7.1:liblasso3-2.6.1-150200.24.1 SUSE Enterprise Storage 7.1:python3-lasso-2.6.1-150200.24.1 SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:liblasso-devel-2.6.1-150200.24.1 SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:liblasso3-2.6.1-150200.24.1 SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:python3-lasso-2.6.1-150200.24.1 SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:liblasso3-2.6.1-150200.24.1 SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:liblasso3-2.6.1-150200.24.1 SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:liblasso3-2.6.1-150200.24.1 SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:liblasso3-2.6.1-150200.24.1 SUSE Linux Enterprise Server 15 SP3-LTSS:liblasso-devel-2.6.1-150200.24.1 SUSE Linux Enterprise Server 15 SP3-LTSS:liblasso3-2.6.1-150200.24.1 SUSE Linux Enterprise Server 15 SP3-LTSS:python3-lasso-2.6.1-150200.24.1 SUSE Linux Enterprise Server 15 SP4-LTSS:liblasso3-2.6.1-150200.24.1 SUSE Linux Enterprise Server 15 SP5-LTSS:liblasso3-2.6.1-150200.24.1 SUSE Linux Enterprise Server for SAP Applications 15 SP3:liblasso-devel-2.6.1-150200.24.1 SUSE Linux Enterprise Server for SAP Applications 15 SP3:liblasso3-2.6.1-150200.24.1 SUSE Linux Enterprise Server for SAP Applications 15 SP3:python3-lasso-2.6.1-150200.24.1 SUSE Linux Enterprise Server for SAP Applications 15 SP4:liblasso3-2.6.1-150200.24.1 SUSE Linux Enterprise Server for SAP Applications 15 SP5:liblasso3-2.6.1-150200.24.1 SUSE Manager Proxy LTS 4.3:liblasso3-2.6.1-150200.24.1 SUSE Manager Server LTS 4.3:liblasso3-2.6.1-150200.24.1 critical To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20254090-1/ https://www.suse.com/security/cve/CVE-2025-46404.html CVE-2025-46404 https://bugzilla.suse.com/1253092 SUSE Bug 1253092 A denial of service vulnerability exists in the g_assert_not_reached functionality of Entr'ouvert Lasso 2.5.1 and 2.8.2. A specially crafted SAML assertion response can lead to a denial of service. An attacker can send a malformed SAML response to trigger this vulnerability. CVE-2025-46705 SUSE Enterprise Storage 7.1:liblasso-devel-2.6.1-150200.24.1 SUSE Enterprise Storage 7.1:liblasso3-2.6.1-150200.24.1 SUSE Enterprise Storage 7.1:python3-lasso-2.6.1-150200.24.1 SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:liblasso-devel-2.6.1-150200.24.1 SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:liblasso3-2.6.1-150200.24.1 SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:python3-lasso-2.6.1-150200.24.1 SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:liblasso3-2.6.1-150200.24.1 SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:liblasso3-2.6.1-150200.24.1 SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:liblasso3-2.6.1-150200.24.1 SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:liblasso3-2.6.1-150200.24.1 SUSE Linux Enterprise Server 15 SP3-LTSS:liblasso-devel-2.6.1-150200.24.1 SUSE Linux Enterprise Server 15 SP3-LTSS:liblasso3-2.6.1-150200.24.1 SUSE Linux Enterprise Server 15 SP3-LTSS:python3-lasso-2.6.1-150200.24.1 SUSE Linux Enterprise Server 15 SP4-LTSS:liblasso3-2.6.1-150200.24.1 SUSE Linux Enterprise Server 15 SP5-LTSS:liblasso3-2.6.1-150200.24.1 SUSE Linux Enterprise Server for SAP Applications 15 SP3:liblasso-devel-2.6.1-150200.24.1 SUSE Linux Enterprise Server for SAP Applications 15 SP3:liblasso3-2.6.1-150200.24.1 SUSE Linux Enterprise Server for SAP Applications 15 SP3:python3-lasso-2.6.1-150200.24.1 SUSE Linux Enterprise Server for SAP Applications 15 SP4:liblasso3-2.6.1-150200.24.1 SUSE Linux Enterprise Server for SAP Applications 15 SP5:liblasso3-2.6.1-150200.24.1 SUSE Manager Proxy LTS 4.3:liblasso3-2.6.1-150200.24.1 SUSE Manager Server LTS 4.3:liblasso3-2.6.1-150200.24.1 critical To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20254090-1/ https://www.suse.com/security/cve/CVE-2025-46705.html CVE-2025-46705 https://bugzilla.suse.com/1253093 SUSE Bug 1253093 A denial of service vulnerability exists in the lasso_node_init_from_message_with_format functionality of Entr'ouvert Lasso 2.5.1. A specially crafted SAML response can lead to a memory depletion, resulting in denial of service. An attacker can send a malformed SAML response to trigger this vulnerability. CVE-2025-46784 SUSE Enterprise Storage 7.1:liblasso-devel-2.6.1-150200.24.1 SUSE Enterprise Storage 7.1:liblasso3-2.6.1-150200.24.1 SUSE Enterprise Storage 7.1:python3-lasso-2.6.1-150200.24.1 SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:liblasso-devel-2.6.1-150200.24.1 SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:liblasso3-2.6.1-150200.24.1 SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:python3-lasso-2.6.1-150200.24.1 SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:liblasso3-2.6.1-150200.24.1 SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:liblasso3-2.6.1-150200.24.1 SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:liblasso3-2.6.1-150200.24.1 SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:liblasso3-2.6.1-150200.24.1 SUSE Linux Enterprise Server 15 SP3-LTSS:liblasso-devel-2.6.1-150200.24.1 SUSE Linux Enterprise Server 15 SP3-LTSS:liblasso3-2.6.1-150200.24.1 SUSE Linux Enterprise Server 15 SP3-LTSS:python3-lasso-2.6.1-150200.24.1 SUSE Linux Enterprise Server 15 SP4-LTSS:liblasso3-2.6.1-150200.24.1 SUSE Linux Enterprise Server 15 SP5-LTSS:liblasso3-2.6.1-150200.24.1 SUSE Linux Enterprise Server for SAP Applications 15 SP3:liblasso-devel-2.6.1-150200.24.1 SUSE Linux Enterprise Server for SAP Applications 15 SP3:liblasso3-2.6.1-150200.24.1 SUSE Linux Enterprise Server for SAP Applications 15 SP3:python3-lasso-2.6.1-150200.24.1 SUSE Linux Enterprise Server for SAP Applications 15 SP4:liblasso3-2.6.1-150200.24.1 SUSE Linux Enterprise Server for SAP Applications 15 SP5:liblasso3-2.6.1-150200.24.1 SUSE Manager Proxy LTS 4.3:liblasso3-2.6.1-150200.24.1 SUSE Manager Server LTS 4.3:liblasso3-2.6.1-150200.24.1 critical To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20254090-1/ https://www.suse.com/security/cve/CVE-2025-46784.html CVE-2025-46784 https://bugzilla.suse.com/1253094 SUSE Bug 1253094 A type confusion vulnerability exists in the lasso_node_impl_init_from_xml functionality of Entr'ouvert Lasso 2.5.1 and 2.8.2. A specially crafted SAML response can lead to an arbitrary code execution. An attacker can send a malformed SAML response to trigger this vulnerability. CVE-2025-47151 SUSE Enterprise Storage 7.1:liblasso-devel-2.6.1-150200.24.1 SUSE Enterprise Storage 7.1:liblasso3-2.6.1-150200.24.1 SUSE Enterprise Storage 7.1:python3-lasso-2.6.1-150200.24.1 SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:liblasso-devel-2.6.1-150200.24.1 SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:liblasso3-2.6.1-150200.24.1 SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:python3-lasso-2.6.1-150200.24.1 SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:liblasso3-2.6.1-150200.24.1 SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:liblasso3-2.6.1-150200.24.1 SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:liblasso3-2.6.1-150200.24.1 SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:liblasso3-2.6.1-150200.24.1 SUSE Linux Enterprise Server 15 SP3-LTSS:liblasso-devel-2.6.1-150200.24.1 SUSE Linux Enterprise Server 15 SP3-LTSS:liblasso3-2.6.1-150200.24.1 SUSE Linux Enterprise Server 15 SP3-LTSS:python3-lasso-2.6.1-150200.24.1 SUSE Linux Enterprise Server 15 SP4-LTSS:liblasso3-2.6.1-150200.24.1 SUSE Linux Enterprise Server 15 SP5-LTSS:liblasso3-2.6.1-150200.24.1 SUSE Linux Enterprise Server for SAP Applications 15 SP3:liblasso-devel-2.6.1-150200.24.1 SUSE Linux Enterprise Server for SAP Applications 15 SP3:liblasso3-2.6.1-150200.24.1 SUSE Linux Enterprise Server for SAP Applications 15 SP3:python3-lasso-2.6.1-150200.24.1 SUSE Linux Enterprise Server for SAP Applications 15 SP4:liblasso3-2.6.1-150200.24.1 SUSE Linux Enterprise Server for SAP Applications 15 SP5:liblasso3-2.6.1-150200.24.1 SUSE Manager Proxy LTS 4.3:liblasso3-2.6.1-150200.24.1 SUSE Manager Server LTS 4.3:liblasso3-2.6.1-150200.24.1 critical To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20254090-1/ https://www.suse.com/security/cve/CVE-2025-47151.html CVE-2025-47151 https://bugzilla.suse.com/1253095 SUSE Bug 1253095