[SRU] liblasso3 on Bionic fails to process the ECP authn response

Bug #1897117 reported by Ionut-Madalin Balutoiu
Affects          Status        Importance  Assigned to  Milestone
lasso (Ubuntu)   Fix Released  High        Unassigned
  Focal          Fix Released  High        Unassigned
  Groovy         Fix Released  High        Unassigned

Bug Description

[Impact]

 * liblasso3 fails when processing an ECP authn response

 * ECP authn responses are required to make Keystone <-> Keystone federation work

[Test Case]

Follow the setup guide at
https://github.com/ionutbalutoiu/juju-keystone-federation to validate that the Keystone <-> Keystone federation works after this update.

[Regression Potential]

Minimal. There are very few other packages that depend on it, and the change is trivial. There are fixes in handling SAML responses in which only the assertions are signed, in addition to a couple of fixes around handling assertion hints unexpectedly aborting.

-------------------------------------------------------------------

The liblasso3 package (dependency of libapache2-mod-auth-mellon) fails when processing an ECP authn response.

Error message given by the Apache2 Mellon auth module:
[auth_mellon:error] Error processing ECP authn response. Lasso error: [101] Signature element not found.

This issue can be reproduced in an OpenStack environment with Keystone to Keystone federation, using the Apache2 Mellon module for the SP (service provider).

I managed to reproduce this on:
* Ubuntu 18.04 (Bionic) with liblasso3 2.5.1-0ubuntu1.1
* Ubuntu 20.04 (Focal) with liblasso3 2.6.0-7ubuntu1

This was fixed in the upstream Lasso project (https://dev.entrouvert.org/issues/26828), and it is shipped with versions 2.6.1 or newer.

I tested liblasso3 2.6.1 on both Bionic and Focal and it fixes the problem.
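The report ties the "[101] Signature element not found" error to SAML responses in which only the assertion is signed. The following triage helper is an added example (not code from the report, lasso, or mod_auth_mellon): it inspects a captured samlp:Response and reports where the ds:Signature elements sit, contrasting a strict Response-level-only check, modelled on the failure the report describes, with one that also accepts per-assertion signatures. The sample response is constructed; the helper only locates signature elements and does not verify them, which remains lasso/xmlsec's job.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample: the Assertion is signed, the enclosing Response is not.
# This is the message shape that older liblasso3 rejects per the report.
ASSERTION_ONLY_SIGNED = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_resp1">
  <saml:Assertion ID="_assert1">
    <ds:Signature><ds:SignatureValue>constructed</ds:SignatureValue></ds:Signature>
  </saml:Assertion>
</samlp:Response>"""

# Constructed sample: Response-level signature, unsigned Assertion.
RESPONSE_SIGNED = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_resp2">
  <ds:Signature><ds:SignatureValue>constructed</ds:SignatureValue></ds:Signature>
  <saml:Assertion ID="_assert2"/>
</samlp:Response>"""


def signature_locations(xml_text):
    """Report which elements carry a direct ds:Signature child (presence only)."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response")
    sig = "{%s}Signature" % NS["ds"]
    assertions = root.findall("saml:Assertion", NS)
    return {
        "response_signed": root.find(sig) is not None,
        "assertions": len(assertions),
        "assertions_signed": bool(assertions)
        and all(a.find(sig) is not None for a in assertions),
    }


def response_level_only_check(xml_text):
    """Model of the strict behaviour in the report: only a Response-level
    Signature counts, so an assertion-only-signed message fails with [101]."""
    if signature_locations(xml_text)["response_signed"]:
        return "ok"
    return "[101] Signature element not found"


def accept_either_level(xml_text):
    """Accept a Response-level Signature or a Signature on every Assertion."""
    loc = signature_locations(xml_text)
    return "ok" if loc["response_signed"] or loc["assertions_signed"] else "[101] Signature element not found"
```

Run it against a response captured from mod_auth_mellon diagnostics to tell whether a failing ECP exchange is the assertion-only-signed form fixed in 2.6.0-7ubuntu1.1 / 2.6.0-7ubuntu2, before spending time on certificate or metadata checks.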

Changed in lasso (Ubuntu Groovy):
status: New → Triaged
importance: Undecided → High
Changed in lasso (Ubuntu Focal):
status: New → Triaged
importance: Undecided → High
Revision history for this message
Corey Bryant (corey.bryant) wrote :

Thanks to Chris Macnaughton who has provided debdiffs for this for groovy and focal. New package versions are now uploaded to groovy and the focal unapproved queue.

Chris, can you add the required SRU fields and subscribe ubuntu-sru when done?

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lasso - 2.6.0-7ubuntu2

---------------
lasso (2.6.0-7ubuntu2) groovy; urgency=medium

  * d/p/Fix-ECP-signature-not-found-error-when-only-assertion.patch:
    Cherry-picked from upstream bugfix for handling authn responses correctly
    (LP: #1897117).

 -- Chris MacNaughton <email address hidden> Fri, 25 Sep 2020 14:29:11 +0000

Changed in lasso (Ubuntu Groovy):
status: Triaged → Fix Released
description: updated
summary: - liblasso3 on Bionic fails to process the ECP authn response
+ [SRU] liblasso3 on Bionic fails to process the ECP authn response
Revision history for this message
Brian Murray (brian-murray) wrote :

Setting this Incomplete while we wait for a test case.

Changed in lasso (Ubuntu Focal):
status: Triaged → Incomplete
description: updated
Changed in lasso (Ubuntu Focal):
status: Incomplete → New
Revision history for this message
Brian Murray (brian-murray) wrote : Please test proposed package

Hello Ionut-Madalin, or anyone else affected,

Accepted lasso into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/lasso/2.6.0-7ubuntu1.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in lasso (Ubuntu Focal):
status: New → Fix Committed
tags: added: verification-needed verification-needed-focal
Revision history for this message
Ionut-Madalin Balutoiu (ionutbalutoiu) wrote :

Hello Brian,

I've tested `liblasso3/focal-proposed 2.6.0-7ubuntu1.1 amd64` with an environment as documented at https://github.com/ionutbalutoiu/juju-keystone-federation.

Everything worked fine and the -proposed liblasso3 package fixes the current issue. I updated the tag `verification-needed-focal` to `verification-done-focal`.

tags: added: verification-done-focal
removed: verification-needed-focal
tags: added: verification-done
removed: verification-needed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lasso - 2.6.0-7ubuntu1.1

---------------
lasso (2.6.0-7ubuntu1.1) focal; urgency=medium

  * d/p/Fix-ECP-signature-not-found-error-when-only-assertion.patch:
    Cherry-picked from upstream bugfix for handling authn responses correctly
    (LP: #1897117).

 -- Chris MacNaughton <email address hidden> Fri, 25 Sep 2020 14:29:11 +0000

Changed in lasso (Ubuntu Focal):
status: Fix Committed → Fix Released
Revision history for this message
Brian Murray (brian-murray) wrote : Update Released

The verification of the Stable Release Update for lasso has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.
