Discussion:
Bug#1087200: bookworm-pu: package lemonldap-ng/2.16.1+ds-deb12u4
(too old to reply)
Yadd
2024-11-09 15:00:01 UTC
Permalink
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: lemonldap-***@packages.debian.org, ***@debian.org
Control: affects -1 + src:lemonldap-ng
User: ***@packages.debian.org
Usertags: pu

[ Reason ]
lemonldap-ng is a Web-SSO. In Bookworm, it is vulnerable to:
- XSS issue into the "Upgrade" plugin that allow user to upgrade their
authentication level into current session (example, use a SSL card
instead of login/password)
- Escalation privilege when "Adaptative auth level" is used: user can
apply the benefit more than one time using the "refresh- session"
mechanism

[ Impact ]
Medium seciruty issues.

[ Tests ]
Test updated, passed

[ Risks ]
Low risk: patch is trivial

[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable

[ Changes ]
- don't apply adaptative rules when session is refreshed
- apply the "chackXSS" method on "Upgrade" plugin URLs

[ Other info ]
These 2 issues will have a CVE number soon

Best regards,
Xavier
Debian Bug Tracking System
2024-11-09 15:00:01 UTC
Permalink
Post by Yadd
affects -1 + src:lemonldap-ng
Bug #1087200 [release.debian.org] bookworm-pu: package lemonldap-ng/2.16.1+ds-deb12u4
Added indication that 1087200 affects src:lemonldap-ng
--
1087200: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1087200
Debian Bug Tracking System
Contact ***@bugs.debian.org with problems
Jonathan Wiltshire
2024-11-15 16:20:01 UTC
Permalink
Control: tag -1 confirmed

Please go ahead, adding references to bugs/CVEs if they have become
available in the meantime.

Thanks,
--
Jonathan Wiltshire ***@debian.org
Debian Developer http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1
Debian Bug Tracking System
2024-11-15 16:20:01 UTC
Permalink
Post by Jonathan Wiltshire
tag -1 confirmed
Bug #1087200 [release.debian.org] bookworm-pu: package lemonldap-ng/2.16.1+ds-deb12u4
Added tag(s) confirmed.
--
1087200: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1087200
Debian Bug Tracking System
Contact ***@bugs.debian.org with problems
Salvatore Bonaccorso
2024-11-20 08:40:01 UTC
Permalink
Hi,
Post by Yadd
Package: release.debian.org
Severity: normal
Tags: bookworm
Control: affects -1 + src:lemonldap-ng
Usertags: pu
[ Reason ]
- XSS issue into the "Upgrade" plugin that allow user to upgrade their
authentication level into current session (example, use a SSL card
instead of login/password)
- Escalation privilege when "Adaptative auth level" is used: user can
apply the benefit more than one time using the "refresh- session"
mechanism
[ Impact ]
Medium seciruty issues.
[ Tests ]
Test updated, passed
[ Risks ]
Low risk: patch is trivial
[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable
[ Changes ]
- don't apply adaptative rules when session is refreshed
- apply the "chackXSS" method on "Upgrade" plugin URLs
[ Other info ]
These 2 issues will have a CVE number soon
FTR/context, those are CVE-2024-52946 and CVE-2024-52947.

Regards,
Salvatore
Jonathan Wiltshire
2024-11-21 17:40:01 UTC
Permalink
package release.debian.org
tags 1087200 = bookworm pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm.

Thanks for your contribution!

Upload details
==============

Package: lemonldap-ng
Version: 2.16.1+ds-deb12u4

Explanation: fix privilege escalation when adaptive auth levels used [CVE-2024-52946]; fix XSS in upgrade plugin [CVE-2024-52947]
Debian Bug Tracking System
2025-01-11 11:20:07 UTC
Permalink
Your message dated Sat, 11 Jan 2025 11:03:09 +0000
with message-id <E1tWZGn-009jYy-***@coccia.debian.org>
and subject line Close 1087200
has caused the Debian Bug report #1087200,
regarding bookworm-pu: package lemonldap-ng/2.16.1+ds-deb12u4
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ***@bugs.debian.org
immediately.)
--
1087200: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1087200
Debian Bug Tracking System
Contact ***@bugs.debian.org with problems
Loading...