Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian....@packages.debian.org
Usertags: pu
Hi all,

Fix for CVE-2019-12046 (#928944) introduced a regression in the cross-domain feature. It has been fixed by upstream and tested by Guilhem Moulin <guil...@debian.org>. The proposed debdiff includes a patch that fixes this regression and also fixes a little bug, also fixed by upstream (do not push Access-Control-Allow-Origin on Ajax requests).

Discussion on this regression is at the end of the #928944 issue.

Cheers,
Xavier

-- System Information:
Debian Release: 10.0
  APT prefers testing
  APT policy: (600, 'testing'), (50, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.14.0-3-amd64 (SMP w/2 CPU cores)
Kernel taint flags: TAINT_WARN
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE= (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff --git a/debian/changelog b/debian/changelog index a1fe37b..930945e 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +lemonldap-ng (1.9.7-3+deb9u2) stretch; urgency=medium + + * Fix CDA regression introduced in 1.9.7-3+deb9u1 + + -- Xavier Guimard <y...@debian.org> Mon, 27 May 2019 10:35:48 +0200 + lemonldap-ng (1.9.7-3+deb9u1) stretch-security; urgency=medium * Add patch to fix token security (Closes: #928944, CVE-2019-12046) diff --git a/debian/patches/CDA-regression.patch b/debian/patches/CDA-regression.patch new file mode 100644 index 0000000..242ce9c --- /dev/null +++ b/debian/patches/CDA-regression.patch 
@@ -0,0 +1,62 @@ +Description: CDA regression fix + Fix for #928944 (CVE-2019-12046) introduced a regression in cross-domain + feature. This diff fix it and fix also a little issue when portal is called + using an Ajax request: it must not send Access-Control-Allow-Origin header. + (https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1519) +Author: Clément Oudot <clem...@oodo.net> +Origin: upstream, https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/commit/deff50f072c64898d1204daa28c01fdcc7275ea4 +Bug: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1756 +Bug-Debian: https://bugs.debian.org/928944 +Forwarded: not-needed +Reviewed-By: Guilhem Moulin <guil...@debian.org> +Last-Update: 2019-05-27 + +--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Simple.pm ++++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Simple.pm +@@ -1049,7 +1049,7 @@ + + } + +-## @method void updateSession(hashRef infos, string id) ++## @method void updateSession(hashRef infos, string id, string kind) + # Update session stored. + # If no id is given, try to get it from cookie. + # If the session is available, update datas with $info. +@@ -1057,9 +1057,10 @@ + # server local cache, if there are several LL::NG servers. 
+ # @param infos hash reference of information to update + # @param id Session ID ++# @param kind Session kind + # @return nothing + sub updateSession { +- my ( $self, $infos, $id ) = @_; ++ my ( $self, $infos, $id, $kind ) = @_; + + # Return if no infos to update + return () unless ( ref $infos eq 'HASH' and %$infos ); +@@ -1084,7 +1085,7 @@ + } + + # Update session in global storage +- if ( my $apacheSession = $self->getApacheSession( $id, 1 ) ) { ++ if ( my $apacheSession = $self->getApacheSession( $id, 1, undef, $kind ) ) { + + # Store updateTime + $infos->{updateTime} = strftime( "%Y%m%d%H%M%S", localtime() ); +@@ -1569,7 +1570,6 @@ + print $self->header( + -status => '401 Unauthorizated', + '-WWW-Authenticate' => "SSO $self->{portal}", +- '-Access-Control-Allow-Origin' => '*', + ); + $self->quit; + } +@@ -2744,7 +2744,7 @@ + $cdaInfos->{cookie_name} = $self->{cookieName} . "http"; + } + +- $self->updateSession( $cdaInfos, $cdaSession->id ); ++ $self->updateSession( $cdaInfos, $cdaSession->id, 'CDA' ); + + $self->{urldc} .= + ( $self->{urldc} =~ /\?/ ? '&' : '?' ) diff --git a/debian/patches/series b/debian/patches/series index b13b6df..6551f40 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -3,3 +3,4 @@ avoid-modify-sources.patch replace-mouse-by-moose.patch Avoid-developer-tests.patch CVE-2019-12046.patch +CDA-regression.patch
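Review bot: the debian/changelog entry for 1.9.7-3+deb9u2 only says "Fix CDA regression introduced in 1.9.7-3+deb9u1", but the same patch also drops the wildcard `'-Access-Control-Allow-Origin' => '*'` header from the portal's 401 response (the Simple.pm hunk at `@@ -1569,7 +1570,6 @@`). That is a visible behaviour change for Ajax clients and is exactly what the stable release team needs to see when judging a pu request, so add a second bullet for it, e.g. "* Do not send Access-Control-Allow-Origin header on Ajax 401 responses (upstream issue 1519)".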
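Review bot: the DEP-3 Description of the new CDA-regression.patch reads "This diff fix it and fix also a little issue when portal is called using an Ajax request", which is hard to parse for the next person backporting; suggest "This patch fixes it and also fixes a small issue when the portal is called through an Ajax request: it must not send the Access-Control-Allow-Origin header." The Origin, Bug and Bug-Debian headers are complete and correct for a cherry-picked upstream commit.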
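Review bot: in the `@@ -1057,9 +1057,10 @@` hunk the new `$kind` parameter is appended as a fourth positional argument to updateSession and documented only as "@param kind Session kind". Every other caller of updateSession in this file is left unchanged and still passes three arguments, so `$kind` is undef for them. State in that `@param kind` line which values are accepted and what an undefined kind means (the default SSO session kind, presumably), so the contract for the unchanged callers is explicit rather than implied.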
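Review bot: `$self->getApacheSession( $id, 1, undef, $kind )` in the `@@ -1084,7 +1085,7 @@` hunk is the actual regression fix: the session kind is now threaded through to the global-storage lookup instead of being dropped. Because the existing three-argument callers of updateSession leave `$kind` undefined, please confirm on a stretch install that getApacheSession with an undefined fourth argument behaves exactly as it did before the CVE-2019-12046 patch; if it does not, ordinary (non-CDA) session updates would regress while the CDA case is being repaired. A one-line mention of this in the patch Description would save the next reviewer the same check.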
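Review bot: removing `'-Access-Control-Allow-Origin' => '*'` from the 401 response in the `@@ -1569,7 +1570,6 @@` hunk is the right direction: a wildcard CORS header on an unauthenticated response lets a script from any origin read the `WWW-Authenticate: SSO <portal>` reply cross-origin, and nothing in the surrounding code needs that. Two things to record: no origin-restricted replacement header is added, so any cross-origin Ajax caller that relied on the wildcard will now see an opaque failure rather than the 401 (worth a sentence in the Description so it is not reported as a new regression), and the unchanged context line `'401 Unauthorizated'` carries a typo in the status text that upstream may want to fix separately.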
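Review bot: `$self->updateSession( $cdaInfos, $cdaSession->id, 'CDA' )` in the `@@ -2744,7 +2744,7 @@` hunk hard-codes the session kind as the literal string 'CDA'. Since that value must match exactly what getApacheSession compares against, point to where the kind values are defined (or to the patch that introduced the kind argument to getApacheSession) in the DEP-3 Description, so the coupling between this literal and the lookup code is visible to whoever backports further fixes to this branch.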