Control: tags -1 + confirmed

On Thu, 2020-01-23 at 22:36 +0100, Xavier Guimard wrote:
> lemonldap-ng is vulnerable to several security issues. This
> cumulative patch fixes them:
>  - CVE-2019-19791: bad default configuration which does not really
>    protect SOAP/REST endpoints
>  - When 2FA is used, the grantSession plugin does not filter
>    successful connections
>  - OIDC relying party restriction introduced in 2.0.0 does not work
>    when a previous federation was granted in the same session
>
--- a/debian/NEWS +++ b/debian/NEWS @@ -1,3 +1,17 @@ +lemonldap-ng (2.0.2+ds-7+deb10u3) buster-security; urgency=high That should just be "buster". Please go ahead. Regards, Adam
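
Review bot: In the debian/NEWS hunk, only the header line `lemonldap-ng (2.0.2+ds-7+deb10u3) buster-security; urgency=high` is visible, although the hunk header (`-1,3 +1,17`) shows the file growing by 14 lines. Since CVE-2019-19791 is described as a bad default configuration, the entry body should state whether upgrading changes the configuration of existing installs or whether administrators must restrict the SOAP/REST endpoints themselves, and name the setting involved. The same header line is where the distribution field needs the "buster" correction requested in the reply.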