It was discovered that lasso, a library which implements SAML 2.0 and
Liberty Alliance standards, did not properly verify that all assertions
in a SAML response were properly signed, allowing an attacker to
impersonate users or bypass access control.
For the stable distribution (buster), this problem has been fixed in
We recommend that you upgrade your lasso packages.