Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian....@packages.debian.org
Usertags: pu
Hi,

lemonldap-ng is vulnerable to several security issues. This cumulative patch fixes them:

- CVE-2019-19791: bad default configuration which does not really protect SOAP/REST endpoints
- When 2FA is used, the grantSession plugin does not filter successful connections
- OIDC relying party restriction introduced in 2.0.0 does not work when a previous federation was granted in the same session

Cheers,
Xavier
diff --git a/debian/NEWS b/debian/NEWS index 454e18b..58fe7cf 100644 --- a/debian/NEWS +++ b/debian/NEWS @@ -1,3 +1,17 @@ +lemonldap-ng (2.0.2+ds-7+deb10u3) buster-security; urgency=high + + This version fixes 3 security issues. However, you must verify 2 things: + * if you enabled SOAP/REST plugins, verify in your portal web configuration + file that they are well protected (see new default configuration files: + /etc/lemonldap-ng/portal-apache2.X.conf and + /etc/lemonldap-ng/portal-nginx.conf) + * if you enabled OpenID-Connect identity provider, your relaying parties + must have a redirection uri. You just have to save a new configuration + using the manager and automatic tests will fail if one relying party is + misconfigured + + -- Xavier Guimard <y...@debian.org> Fri, 20 Dec 2019 18:12:54 +0100 + lemonldap-ng (2.0.0+ds-1) unstable; urgency=medium 2.0 is a major release, many things have been changed. You must read diff --git a/debian/changelog b/debian/changelog index 0c99af8..e30c7ef 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,15 @@ +lemonldap-ng (2.0.2+ds-7+deb10u3) buster; urgency=medium + + * Fix default configuration to prevent unwanted access to admin endpoints + (Closes: CVE-2019-19791) + * Fix the GrantSession plugin which could not prohibit logon when a 2FA was + used + * Fix for OIDC: any redirection where allowed when relaying party was + configured without redirect_uri + * Update debian/NEWS + + -- Xavier Guimard <y...@debian.org> Thu, 23 Jan 2020 22:28:01 +0100 + lemonldap-ng (2.0.2+ds-7+deb10u2) buster-security; urgency=high * Add patch to fix OIDC vulnerabilities (Closes: CVE-2019-15941) diff --git a/debian/patches/CVE-2019-19791.patch b/debian/patches/CVE-2019-19791.patch new file mode 100644 index 0000000..908e49f --- /dev/null +++ b/debian/patches/CVE-2019-19791.patch 
@@ -0,0 +1,219 @@ +Description: default configuration didn't really protect admin endpoint + These files are used to provide default LLNG files +Author: LLNG Authors <lemonldap-ng-...@ow2.org> +Origin: upstream, https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1943 +Bug: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1943 +Forwarded: not-needed +Reviewed-By: Xavier Guimard <y...@debian.org> +Last-Update: 2019-12-20 + +--- a/lemonldap-ng-common/lib/Lemonldap/NG/Common/PSGI/Request.pm ++++ b/lemonldap-ng-common/lib/Lemonldap/NG/Common/PSGI/Request.pm +@@ -27,9 +27,9 @@ + if ( $self->env->{X_ORIGINAL_URI} ); + $self->env->{PATH_INFO} =~ s|//+|/|g; + +- if ( my $tmp = $self->script_name ) { +- $self->env->{PATH_INFO} =~ s|^$tmp|/|; +- } ++ #if ( my $tmp = $self->script_name ) { ++ # $self->env->{PATH_INFO} =~ s|^$tmp|/|; ++ #} + $self->env->{PATH_INFO} ||= '/'; + $self->{uri} = uri_unescape( $self->env->{REQUEST_URI} ); + $self->{uri} =~ s|^//+|/|g; +--- a/_example/etc/manager-apache2.4.conf ++++ b/_example/etc/manager-apache2.4.conf +@@ -34,10 +34,10 @@ + # (configuration, sessions, notifications) as manager.html, sessions.html, + # notifications.html and uncomment the 2 following lines: + # DirectoryIndex manager.html +- # RewriteCond "%{REQUEST_FILENAME}" "!\.html$" ++ # RewriteCond "%{REQUEST_URI}" "!\.html(?:/.*)?$" + + # REST URLs +- RewriteCond "%{REQUEST_FILENAME}" "!^/(?:static|doc|lib|javascript|favicon).*" ++ RewriteCond "%{REQUEST_URI}" "!^/(?:static|doc|lib|javascript|favicon).*" + RewriteRule "^/(.+)$" "/manager.fcgi/$1" [PT] + + # 2) FastCGI engine +--- a/_example/etc/manager-apache2.X.conf ++++ b/_example/etc/manager-apache2.X.conf +@@ -28,10 +28,10 @@ + # (configuration, sessions, notifications) as manager.html, sessions.html, + # notifications.html and uncomment the 2 following lines: + # DirectoryIndex manager.html +- # RewriteCond "%{REQUEST_FILENAME}" "!\.html$" ++ # RewriteCond "%{REQUEST_URI}" "!\.html(?:/.*)?$" + + # REST URLs +- 
RewriteCond "%{REQUEST_FILENAME}" "!^/(?:static|doc|lib|javascript|favicon).*" ++ RewriteCond "%{REQUEST_URI}" "!^/(?:static|doc|lib|javascript|favicon).*" + RewriteRule "^/(.+)$" "/manager.fcgi/$1" [PT] + + # 2) FastCGI engine +--- a/_example/etc/manager-apache2.conf ++++ b/_example/etc/manager-apache2.conf +@@ -28,10 +28,10 @@ + # (configuration, sessions, notifications) as manager.html, sessions.html, + # notifications.html and uncomment the 2 following lines: + # DirectoryIndex manager.html +- # RewriteCond "%{REQUEST_FILENAME}" "!\.html$" ++ # RewriteCond "%{REQUEST_URI}" "!\.html(?:/.*)?$" + + # REST URLs +- RewriteCond "%{REQUEST_FILENAME}" "!^/(?:static|doc|lib|javascript|favicon).*" ++ RewriteCond "%{REQUEST_URI}" "!^/(?:static|doc|lib|javascript|favicon).*" + RewriteRule "^/(.+)$" "/manager.fcgi/$1" [PT] + + # 2) FastCGI engine +--- a/_example/etc/portal-apache2.4.conf ++++ b/_example/etc/portal-apache2.4.conf +@@ -30,8 +30,8 @@ + # For performances, you can put static html files: simply put the HTML + # result (example: /oauth2/checksession.html) as static file. Then + # uncomment the following line. +- # RewriteCond "%{REQUEST_FILENAME}" "!\.html$" +- RewriteCond "%{REQUEST_FILENAME}" "!^/(?:(?:static|javascript|favicon).*|.*\.fcgi)$" ++ # RewriteCond "%{REQUEST_URI}" "!\.html$" ++ RewriteCond "%{REQUEST_URI}" "!^/(?:(?:static|javascript|favicon).*|.*\.fcgi(?:/.*)?)$" + RewriteRule "^/(.+)$" "/index.fcgi/$1" [PT] + + # Note that Content-Security-Policy header is generated by portal itself +--- a/_example/etc/portal-apache2.X.conf ++++ b/_example/etc/portal-apache2.X.conf +@@ -31,8 +31,8 @@ + # For performances, you can put static html files: simply put the HTML + # result (example: /oauth2/checksession.html) as static file. Then + # uncomment the following line. 
+- # RewriteCond "%{REQUEST_FILENAME}" "!\.html$" +- RewriteCond "%{REQUEST_FILENAME}" "!^/(?:(?:static|javascript|favicon).*|.*\.fcgi)$" ++ # RewriteCond "%{REQUEST_URI}" "!\.html$" ++ RewriteCond "%{REQUEST_URI}" "!^/(?:(?:static|javascript|favicon).*|.*\.fcgi(?:/.*)?)$" + RewriteRule "^/(.+)$" "/index.fcgi/$1" [PT] + + # Note that Content-Security-Policy header is generated by portal itself +--- a/_example/etc/portal-apache2.conf ++++ b/_example/etc/portal-apache2.conf +@@ -26,8 +26,8 @@ + # For performances, you can put static html files: simply put the HTML + # result (example: /oauth2/checksession.html) as static file. Then + # uncomment the following line. +- # RewriteCond "%{REQUEST_FILENAME}" "!\.html$" +- RewriteCond "%{REQUEST_FILENAME}" "!^/(?:(?:static|javascript|favicon).*|.*\.fcgi)$" ++ # RewriteCond "%{REQUEST_URI}" "!\.html$" ++ RewriteCond "%{REQUEST_URI}" "!^/(?:(?:static|javascript|favicon).*|.*\.fcgi(?:/.*)?)$" + RewriteRule "^/(.+)$" "/index.fcgi/$1" [PT] + + # Note that Content-Security-Policy header is generated by portal itself +--- a/_example/etc/portal-nginx.conf ++++ b/_example/etc/portal-nginx.conf +@@ -42,6 +42,31 @@ + #uwsgi_param SCRIPT_FILENAME $document_root$sc; + #uwsgi_param SCRIPT_NAME $sc; + ++ # REST/SOAP functions for sessions management (disabled by default) ++ location ~ ^/index.psgi/adminSessions { ++ fastcgi_pass llng_portal_upstream; ++ deny all; ++ } ++ ++ # REST/SOAP functions for sessions access (disabled by default) ++ location ~ ^/index.psgi/sessions { ++ fastcgi_pass llng_portal_upstream; ++ deny all; ++ } ++ ++ # REST/SOAP functions for configuration access (disabled by default) ++ location ~ ^/index.psgi/config { ++ fastcgi_pass llng_portal_upstream; ++ deny all; ++ } ++ ++ # REST/SOAP functions for notification insertion (disabled by default) ++ location ~ ^/index.psgi/notification { ++ fastcgi_pass llng_portal_upstream; ++ deny all; ++ } ++ ++ + } + + index index.psgi; +@@ -56,26 +81,6 @@ + alias 
__PORTALSTATICDIR__; + } + +- # REST/SOAP functions for sessions management (disabled by default) +- location /index.psgi/adminSessions { +- deny all; +- } +- +- # REST/SOAP functions for sessions access (disabled by default) +- location /index.psgi/sessions { +- deny all; +- } +- +- # REST/SOAP functions for configuration access (disabled by default) +- location /index.psgi/config { +- deny all; +- } +- +- # REST/SOAP functions for notification insertion (disabled by default) +- location /index.psgi/notification { +- deny all; +- } +- + # DEBIAN + # If install was made with USEDEBIANLIBS (official releases), uncomment this + location /javascript/ { +--- a/doc/pages/documentation/current/configlocation.html ++++ b/doc/pages/documentation/current/configlocation.html +@@ -316,8 +316,8 @@ + <span class="co1"># For performances, you can put static html files: simply put the HTML</span> + <span class="co1"># result (example: /oauth2/checksession.html) as static file. Then</span> + <span class="co1"># uncomment the following line.</span> +- <span class="co1"># RewriteCond "%{REQUEST_FILENAME}" "!\.html$"</span> +- <span class="kw1">RewriteCond</span> <span class="st0">"%{REQUEST_FILENAME}"</span> <span class="st0">"!^/(?:(?:static|javascript|favicon).*|.*<span class="es0">\.</span>fcgi)$"</span> ++ <span class="co1"># RewriteCond "%{REQUEST_URI}" "!\.html$"</span> ++ <span class="kw1">RewriteCond</span> <span class="st0">"%{REQUEST_URI}"</span> <span class="st0">"!^/(?:(?:static|javascript|favicon).*|.*<span class="es0">\.</span>fcgi)$"</span> + <span class="kw1">RewriteRule</span> <span class="st0">"^/(.+)$"</span> <span class="st0">"/index.fcgi/$1"</span> [PT] + + <span class="co1"># Note that Content-Security-Policy header is generated by portal itself</span> +@@ -392,10 +392,10 @@ + <span class="co1"># (configuration, sessions, notifications) as manager.html, sessions.html,</span> + <span class="co1"># notifications.html and uncomment the 2 following lines:</span> + 
<span class="co1"># DirectoryIndex manager.html</span> +- <span class="co1"># RewriteCond "%{REQUEST_FILENAME}" "!\.html$"</span> ++ <span class="co1"># RewriteCond "%{REQUEST_URI}" "!\.html$"</span> + + <span class="co1"># REST URLs</span> +- <span class="kw1">RewriteCond</span> <span class="st0">"%{REQUEST_FILENAME}"</span> <span class="st0">"!^/(?:static|doc|lib).*"</span> ++ <span class="kw1">RewriteCond</span> <span class="st0">"%{REQUEST_URI}"</span> <span class="st0">"!^/(?:static|doc|lib).*"</span> + <span class="kw1">RewriteRule</span> <span class="st0">"^/(.+)$"</span> <span class="st0">"/psgi/manager-server.fcgi/$1"</span> [PT] + + <span class="kw1">Alias</span> /psgi/ /var/lib/lemonldap-ng/manager/psgi/ +--- a/doc/pages/documentation/current/performances.html ++++ b/doc/pages/documentation/current/performances.html +@@ -424,8 +424,8 @@ + </p> + <pre class="code apache"><span class="kw1">RewriteRule</span> <span class="st0">"^/$"</span> <span class="st0">"/psgi/manager-server.fcgi"</span> [PT] + <span class="co1"># DirectoryIndex manager.html</span> +-<span class="co1"># RewriteCond "%{REQUEST_FILENAME}" "!\.html$"</span> +-<span class="kw1">RewriteCond</span> <span class="st0">"%{REQUEST_FILENAME}"</span> <span class="st0">"!^/(?:static|doc|lib).*"</span> ++<span class="co1"># RewriteCond "%{REQUEST_URI}" "!\.html$"</span> ++<span class="kw1">RewriteCond</span> <span class="st0">"%{REQUEST_URI}"</span> <span class="st0">"!^/(?:static|doc|lib).*"</span> + <span class="kw1">RewriteRule</span> <span class="st0">"^/(.+)$"</span> <span class="st0">"/psgi/manager-server.fcgi/$1"</span> [PT]</pre> + + <p> +@@ -433,8 +433,8 @@ + </p> + <pre class="code apache"><span class="co1"># RewriteRule "^/$" "/psgi/manager-server.fcgi" [PT]</span> + <span class="kw1">DirectoryIndex</span> manager.html +-<span class="kw1">RewriteCond</span> <span class="st0">"%{REQUEST_FILENAME}"</span> <span class="st0">"!<span class="es0">\.</span>html$"</span> +-<span 
class="kw1">RewriteCond</span> <span class="st0">"%{REQUEST_FILENAME}"</span> <span class="st0">"!^/(?:static|doc|lib).*"</span> ++<span class="kw1">RewriteCond</span> <span class="st0">"%{REQUEST_URI}"</span> <span class="st0">"!<span class="es0">\.</span>html$"</span> ++<span class="kw1">RewriteCond</span> <span class="st0">"%{REQUEST_URI}"</span> <span class="st0">"!^/(?:static|doc|lib).*"</span> + <span class="kw1">RewriteRule</span> <span class="st0">"^/(.+)$"</span> <span class="st0">"/psgi/manager-server.fcgi/$1"</span> [PT]</pre> + + <p> diff --git a/debian/patches/grantsession-with-2fa.patch b/debian/patches/grantsession-with-2fa.patch new file mode 100644 index 0000000..ac8b93f --- /dev/null +++ b/debian/patches/grantsession-with-2fa.patch @@ -0,0 +1,26 @@ +Description: grantSession cannot prevent session establishment when 2FA is in use +Author: Maxime Besson +Origin: upstream, https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/commit/3ee708d +Bug: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1965 +Forwarded: not-needed +Reviewed-By: Xavier Guimard <y...@debian.org> +Last-Update: 2019-12-20 + +--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/SecondFactor.pm ++++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/SecondFactor.pm +@@ -97,7 +97,6 @@ + $req->id( delete $req->sessionInfo->{_2fRealSession} ); + $req->urldc( delete $req->sessionInfo->{_2fUrldc} ); + $req->{sessionInfo}->{_utime} = delete $req->{sessionInfo}->{_2fUtime}; +- $self->p->rebuildCookies($req); + $req->mustRedirect(1); + $self->userLogger->notice( $self->prefix + . '2F verification for ' +@@ -112,6 +111,7 @@ + [ + @{ $self->p->afterData }, + $self->p->validSession, ++ 'rebuildCookies', + @{ $self->p->endAuth }, + sub { PE_OK } + ] diff --git a/debian/patches/oidc-redirection-test.patch b/debian/patches/oidc-redirection-test.patch new file mode 100644 index 0000000..cd4ea01 --- /dev/null +++ b/debian/patches/oidc-redirection-test.patch 
@@ -0,0 +1,52 @@ +Description: <short summary of the patch> + When LL::NG is configured as OIDC provider and we declare an OIDC RP without + configuring oidcRPMetaDataOptionsRedirectUris, the redirection to redirect_uri + set by the RP is always granted. + . + The OpenID Connect core specification [1] says: + . + redirect_uri + REQUIRED. Redirection URI to which the response will be sent. This URI + MUST exactly match one of the Redirection URI values for the Client + pre-registered at the OpenID Provider + . + To avoid breaking existing federations, the fix consists to refuse + configuration update without valid redirections. An entry in debian/NEWS + has to explain that configuration must be checked. + . + [1]: https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest +Author: Clément Oudot <clem.ou...@gmail.com> +Origin: upstream, https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/commit/17e77d90 +Bug: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/2040 +Forwarded: not-needed +Reviewed-By: Xavier Guimard <y...@debian.org> +Last-Update: 2019-12-20 + +--- a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Conf/Tests.pm ++++ b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Conf/Tests.pm +@@ -630,6 +630,25 @@ + return 1; + }, + ++ # OIDC redirect URI must not be empty ++ oidcRPRedirectURINotEmpty => sub { ++ return 1 ++ unless ( $conf->{oidcRPMetaDataOptions} ++ and %{ $conf->{oidcRPMetaDataOptions} } ); ++ my @msg; ++ my $res = 1; ++ foreach my $oidcRpId ( keys %{ $conf->{oidcRPMetaDataOptions} } ) { ++ unless ( $conf->{oidcRPMetaDataOptions}->{$oidcRpId} ++ ->{oidcRPMetaDataOptionsRedirectUris} ) ++ { ++ push @msg, ++ "$oidcRpId OpenID Connect RP has no redirect URI defined"; ++ $res = 0; ++ next; ++ } ++ } ++ return ( $res, join( ', ', @msg ) ); ++ }, + }; + } + diff --git a/debian/patches/series b/debian/patches/series index 3325284..6b883f8 100644 --- a/debian/patches/series +++ b/debian/patches/series 
@@ -5,3 +5,6 @@ fix-missing-userControl.diff update-translations.diff CVE-2019-12046.patch CVE-2019-15941-and-other-OIDC-fixes.patch +CVE-2019-19791.patch +grantsession-with-2fa.patch +oidc-redirection-test.patch
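Review bot: in the debian/NEWS hunk the new entry is headed `buster-security; urgency=high`, while the matching debian/changelog entry for 2.0.2+ds-7+deb10u3 is headed `buster; urgency=medium`; for a pu upload both should name `buster`, so align the NEWS header with the changelog. The same entry should read "relying parties" rather than "relaying parties".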
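Review bot: in the debian/changelog hunk the OIDC line `any redirection where allowed when relaying party was configured without redirect_uri` has two typos; suggest `any redirection was allowed when a relying party was configured without redirect_uri`. The upstream issue numbers quoted in the patch headers (1943, 1965, 2040) could also be cited here so the changelog is self-contained.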
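Review bot: in the Request.pm hunk of CVE-2019-19791.patch the `script_name` stripping of `PATH_INFO` is commented out with `#` rather than deleted; remove the three dead lines, or add a comment stating why `PATH_INFO` must keep the script name, so nobody re-enables the block later and reintroduces the endpoint-protection bypass the patch is fixing.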
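Review bot: the configlocation.html and performances.html hunks replace `REQUEST_FILENAME` with `REQUEST_URI` but keep the old patterns `!\.html$` and `.*\.fcgi)$`, whereas the shipped `_example/etc/portal-apache2*.conf` and `manager-apache2*.conf` hunks now use `!\.html(?:/.*)?$` and `.*\.fcgi(?:/.*)?)$`; a reader copying the documented snippet would end up with a configuration that differs from the packaged one, so update the documentation regexes to match the example files.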
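Review bot: in the portal-nginx.conf hunk each relocated block now contains `fastcgi_pass llng_portal_upstream;` followed by `deny all;`; nginx evaluates `deny` in the access phase, so the `fastcgi_pass` is never reached and can be dropped unless it is needed to keep the location a proxied one. The regex locations also leave the dot unescaped (`~ ^/index.psgi/adminSessions`); write `index\.psgi` so the pattern matches only the intended path.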
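Review bot: in the SecondFactor.pm hunk of grantsession-with-2fa.patch the immediate `$self->p->rebuildCookies($req)` call becomes the bare string `'rebuildCookies'` inserted after `$self->p->validSession` in the handler list, so the session cookies are only rebuilt once grantSession has run; since the neighbouring entries are code references or expanded arrays, confirm that the dispatcher resolves method names given as strings, and consider adding a regression test that combines 2FA with a denying grantSession rule.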
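Review bot: oidc-redirection-test.patch still carries the template placeholder `Description: <short summary of the patch>`; replace it with a real one-line summary such as `Refuse OIDC RP configuration without redirect URIs`. In the Tests.pm hunk, `oidcRPRedirectURINotEmpty` only tests `oidcRPMetaDataOptionsRedirectUris` for Perl truthiness, so a whitespace-only value passes the check; test for a non-blank value (e.g. `=~ /\S/`) instead. The trailing `next;` inside the `unless` block is redundant and can go.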