pkgsrc-Bugs archive
pkg/59536: lasso 2.7.0 in pkgsrc-2025Q2 is broken
>Number: 59536
>Category: pkg
>Synopsis: lasso 2.7.0 in pkgsrc-2025Q2 is broken
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: pkg-manager
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Mon Jul 21 06:50:00 +0000 2025
>Originator: Emmanuel Dreyfus
>Release: NetBSD-10.0
>Organization:
>Environment:
System: NetBSD volanges 10.0 NetBSD 10.0 (GENERIC) #0: Thu Mar 28 08:33:33 UTC 2024 mkrepro%mkrepro.NetBSD.org@localhost:/usr/src/sys/arch/amd64/compile/GENERIC amd64
>Description:
In pkgsrc-2025Q2, lasso 2.7.0 does not work with xmlsec1-1.2.33.
When trying SSO, httpd aborts with an assertion.
See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1024138
for the complete report and acknowledgment from the upstream developer
that a lasso upgrade is required.
>How-To-Repeat:
Upgrade ap-auth-mellon and dependencies (includes lasso and
xmlsec1) from pkgsrc-2025Q1, restart apache, try to use it.
>Fix:
Here is a patch to upgrade lasso to the latest 2.8.2
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1024138
NEWS from lasso-2.7.0 included in pkgsrc-2025Q2
2.8.2 - March 14th 2023
-----------------------
- Compatibility with EVP API of openssl 1.x, thanks to Maxime Besson from
Worteks.
2.8.1 - February 28th 2023
--------------------------
- Major overhaul of OpenSSL API usage by using only the EVP API as the low
level API (RSA*, HMAC*) is deprecated.
- Fix wrong parsing of Count attribute on saml:ProxyRestriction, thanks to
Maxime Besson from Worteks.
- Perl: pass LDFLAGS to Makefile.PL
- Replace use of deprecated xmlSecBase64Decode by xmlSecBase64Decode_ex
- Fix overwrite of profile.signature_status in lasso_saml20_login_process_response_status_and_assertion
- Fix lot of GCC warnings
2.8.0 - March 15th 2022
-----------------------
22 commits, 585 files changed, 2448 insertions, 69478 deletions
* Removal of all win32 and ID-WSF related source code obsoleted a long time ago
* Improve choice of signature method and of allowed signature method (by Jakub
  Hrozek <jhrozek%redhat.com@localhost>), it's now possible to completely forbid SHA1 for
  example
* Change default RSA encryption padding to OAEP
* Fix: HMAC signature other than SHA1 (jhrozek%redhat.com@localhost)
* Fix: prevent multiple OneTimeUse elements