Your message dated Sat, 26 Mar 2022 12:02:22 +0000
with message-id <540de30a27d37c3ff416b94b1adf7ff2a2cab257.ca...@adam-barratt.org.uk>
and subject line Closing requests for updates in 10.12
has caused the Debian Bug report #1006377,
regarding buster-pu: package lemonldap-ng/2.0.2+ds-7+deb10u7
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1006377: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1006377
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian....@packages.debian.org
Usertags: pu

[ Reason ]
lemonldap-ng is vulnerable to a password bypass (impact critical) in a very
unlikely setup (probability very low): CVE-2021-40874

[ Impact ]
In such a configuration, a remote lemonldap-ng system that queries the
main lemonldap-ng system using the internal lemonldap-ng protocol instead of
SAML/OpenID-Connect accepts a user with a _wrong password, if and only if_ the
main lemonldap-ng system is configured to use both Kerberos and LDAP
authentication.

[ Tests ]
Tests passed; upstream's new tests are excluded from this patch because
they need a major test framework update.

[ Risks ]
Moderate risk; test coverage proves that the package isn't broken by this
change.

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Instead of setting login/password into result variables ($req->user),
RESTServer stores them in the form and launches the whole authentication
process ($self->p->authProcess) instead of selected steps.
The same change is applied to the CheckState plugin (no major risk here; this
plugin is reserved for LLNG administrators).
diff --git a/debian/changelog b/debian/changelog
index 4b8979ff9..bd7a21c44 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,6 +1,13 @@
+lemonldap-ng (2.0.2+ds-7+deb10u7) buster; urgency=medium
+
+  * Add gsfonts in recommended dependencies (Closes: #982534)
+  * Fix auth process in password-testing plugins (Closes: CVE-2021-20874)
+
+ -- Yadd <y...@debian.org>  Thu, 24 Feb 2022 16:31:07 +0100
+
 lemonldap-ng (2.0.2+ds-7+deb10u6) buster-security; urgency=medium
 
-  * Fix session cache corruption (Closes: CVE-2021-06-25)
+  * Fix session cache corruption (Closes: CVE-2021-35472)
   * Fix trusted domain wildcard
   * Fix trusted domain regexp
   * Don't display TOTP secret to owner, neither in debug logs
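Review bot: the CVE id in the new changelog entry is wrong: `* Fix auth process in password-testing plugins (Closes: CVE-2021-20874)` should read CVE-2021-40874, the id used in [ Reason ], in the patch file name debian/patches/CVE-2021-40874.patch and in debian/patches/series. Anything that matches changelog entries against CVE ids (and anyone grepping for the fix) would otherwise miss this upload. The correction of the previous entry from `CVE-2021-06-25` to `CVE-2021-35472` is a good catch and could be mentioned in the new entry as well.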
diff --git a/debian/control b/debian/control
index be46d2783..48d4819b4 100644
--- a/debian/control
+++ b/debian/control
@@ -283,7 +283,8 @@ Depends: ${misc:Depends},
          libjs-jquery-ui,
          libjs-jquery-cookie,
          libregexp-assemble-perl
-Recommends: libcrypt-openssl-bignum-perl,
+Recommends: gsfonts,
+            libcrypt-openssl-bignum-perl,
             libconvert-base32-perl,
             libemail-sender-perl (>=1.300027) | 
libemail-sender-transport-smtps-perl,
             libipc-run-perl,
diff --git a/debian/gitlab-ci.yml b/debian/gitlab-ci.yml
index ee13a665a..f1f5897e0 100644
--- a/debian/gitlab-ci.yml
+++ b/debian/gitlab-ci.yml
@@ -1,17 +1,7 @@
-include: 
https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
-
-build:
-    extends: .build-unstable
-
-reprotest:
-    extends: .test-reprotest
-
-lintian:
-    extends: .test-lintian
-
-autopkgtest:
-    extends: .test-autopkgtest
-
-piuparts:
-    extends: .test-piuparts
+---
+variables:
+  RELEASE: 'buster'
 
+include:
+  - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
+  - 
https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml
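Review bot: this rewrite of debian/gitlab-ci.yml (pinning `RELEASE: 'buster'` and pulling in pipeline-jobs.yml) has no corresponding line in the d/changelog entry above, although the checklist states that *all* changes are documented there. Either add a line such as `* Update gitlab-ci.yml for buster` or leave the CI change out of the stable update, since it does not affect the built package.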
diff --git a/debian/patches/CVE-2021-40874.patch b/debian/patches/CVE-2021-40874.patch
new file mode 100644
index 000000000..2914135ed
--- /dev/null
+++ b/debian/patches/CVE-2021-40874.patch
@@ -0,0 +1,72 @@
+Description: Fix auth process in password-testing plugins (#2611)
+Author: Maxime Besson <maxime.bes...@worteks.com>
+Origin: upstream, 
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/commit/66946e8
+Bug: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2612
+Forwarded: not-needed
+Reviewed-By: Yadd <y...@debian.org>
+Last-Update: 2022-02-24
+
+--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Auth/_WebForm.pm
++++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Auth/_WebForm.pm
+@@ -68,7 +68,10 @@
+     my $res            = PE_OK;
+ 
+     # 1. No user defined at all -> first access
+-    unless ( $defUser and $req->method =~ /^POST$/i ) {
++    # _pwdCheck is a workaround to make CheckUser work while using a GET
++    unless ( $defUser
++        and ( uc( $req->method ) eq "POST" or $req->data->{_pwdCheck} ) )
++    {
+         $res = PE_FIRSTACCESS;
+     }
+ 
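Review bot: the comment `# _pwdCheck is a workaround to make CheckUser work while using a GET` names CheckUser, but the only code in this patch that sets `_pwdCheck` is the CheckState plugin; name the right plugin (or both, if CheckUser also sets it upstream). It would also help to say here that `_pwdCheck` is read from `$req->data`, i.e. server-side per-request state and not a request parameter, because this flag is what lets a non-POST request past the `PE_FIRSTACCESS` check. The switch from `$req->method =~ /^POST$/i` to `uc( $req->method ) eq "POST"` is behaviour-preserving and fine.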
+@@ -162,6 +165,7 @@
+ 
+ sub setSecurity {
+     my ( $self, $req ) = @_;
++    return if $req->data->{skipToken};
+ 
+     # If captcha is enable, prepare it
+     if ( $self->captcha ) {
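Review bot: `return if $req->data->{skipToken};` makes setSecurity skip the captcha preparation (and whatever else the sub does after it) for the whole request on the strength of a flag in `$req->data`. That is sound only as long as `$req->data` can be populated server-side alone, which the CheckState hunk relies on; a one-line comment saying so, and naming CheckState as the only setter, would stop a later change from ever sourcing the flag from request parameters.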
+--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/CheckState.pm
++++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/CheckState.pm
+@@ -41,15 +41,18 @@
+     }
+     if ( my $user = $req->param('user') and my $pwd = $req->param('password') 
)
+     {
+-        $req->user($user);
+-        $req->data->{password} = $pwd;
++        $req->parameters->{user}     = ($user);
++        $req->parameters->{password} = $pwd;
++        $req->data->{skipToken}      = 1;
++
++        # This makes Auth::Choice use authChoiceAuthBasic if defined
++        $req->data->{_pwdCheck} = 1;
+ 
+         # Not launched methods:
+         #  - "extractFormInfo" due to "token"
+         #  - "buildCookie" useless here
+         $req->steps( [
+-                'getUser',
+-                'authenticate',
++                @{ $self->p->beforeAuth }, $self->p->authProcess,
+                 @{ $self->p->betweenAuthAndData },
+                 qw( setAuthSessionInfo setSessionInfo setMacros setGroups
+                   setPersistentSessionInfo setLocalGroups store secondFactor),
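Review bot: the `# Not launched methods:` comment just below the new lines is now stale: it still says `extractFormInfo` is not run "due to token", yet the new `skipToken` flag (which short-circuits setSecurity) and `_pwdCheck` (which relaxes the POST check in _WebForm.pm) are set precisely so that the full `authProcess` can replace the hand-picked `getUser`/`authenticate` steps; update it to list only `buildCookie`. Two smaller points: `$self->p->authProcess` is pushed here as a bare arrayref, while the RESTServer hunk writes `@{ $self->p->authProcess }` and the adjacent `@{ $self->p->beforeAuth }` uses the dereferenced form as well, so pick one form for both call sites; and the parentheses in `$req->parameters->{user}     = ($user);` do nothing and can be dropped.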
+--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/RESTServer.pm
++++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/RESTServer.pm
+@@ -229,11 +229,11 @@
+     }
+     $req->{id}    = $id;
+     $req->{force} = 1;
+-    $req->user( $req->param('user') );
+-    $req->data->{password} = $req->param('password');
++    $req->parameters->{user}     = $req->param('user');
++    $req->parameters->{password} = $req->param('password');
+     $req->steps( [
+             @{ $self->p->beforeAuth },
+-            qw(getUser authenticate setAuthSessionInfo),
++            @{ $self->p->authProcess },
+             @{ $self->p->betweenAuthAndData },
+             $self->p->sessionData,
+             @{ $self->p->afterData },
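Review bot: unlike the CheckState hunk, this one sets neither `skipToken` nor `_pwdCheck` before handing the request to `@{ $self->p->authProcess }`. With the _WebForm.pm change above, a request that is not a POST now gets `PE_FIRSTACCESS` from that check, and setSecurity will still prepare a captcha when one is enabled; if the REST endpoint is strictly POST and never captcha-protected that is fine, but a comment stating it would save the next reader from wondering why the REST client fails where CheckState succeeds. Also, `$req->parameters->{user}     = $req->param('user');` looks like a no-op if `param('user')` is itself served from `$req->parameters`; if the intent is to normalise a value that arrives some other way into the form parameters, say so in a comment.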
diff --git a/debian/patches/series b/debian/patches/series
index 805ab4670..8d9090246 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -13,3 +13,4 @@ CVE-2021-35472.patch
 fix-trusted-domain-wildcard.patch
 fix-trusted-domain-regex.patch
 dont-display-totp-secret.patch
+CVE-2021-40874.patch

--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 10.12

Hi,

The updates referenced in these requests were included in oldstable as
part of today's 10.12 point release.

Regards,

Adam

--- End Message ---
