Your message dated Sat, 09 Nov 2024 10:51:02 +0000
with message-id
<b0a29248bc631362ed06a8879f93b8cdae5414d0.ca...@adam-barratt.org.uk>
and subject line Closing bugs released with 12.8
has caused the Debian Bug report #1085176,
regarding bookworm-pu: package lemonldap-ng/2.16.1+ds-deb12u3
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1085176: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1085176
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: lemonldap...@packages.debian.org, y...@debian.org
Control: affects -1 + src:lemonldap-ng
User: release.debian....@packages.debian.org
Usertags: pu
[ Reason ]
Lemonldap-ng <2.20.0 is vulnerable to an XSS injection (#1084979,
CVE-2024-48933)
[ Impact ]
Low security issue unless the admin changes the default regex for logins
[ Tests ]
Passed
[ Risks ]
Low risk, patch is trivial
[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable
[ Changes ]
Add HTML escapes and change autofocus
Cheers,
Xavier
diff --git a/debian/NEWS b/debian/NEWS
index 0bb3cc914..0b5732a86 100644
--- a/debian/NEWS
+++ b/debian/NEWS
@@ -1,3 +1,16 @@
+lemonldap-ng (2.16.1+ds-deb12u3) UNRELEASED; urgency=medium
+
+ Custom templates maybe vulnerable to XSS injection when default allowed
+ characters have been changed. To fix this, replace every
+
+ <TMPL_VAR NAME="LOGIN">
+
+ by
+
+ <TMPL_VAR NAME="LOGIN" ESCAPE=HTML>
+
+ -- Yadd <y...@debian.org> Tue, 15 Oct 2024 19:27:47 +0200
+
lemonldap-ng (2.16.1+ds-deb12u2) bookworm; urgency=medium
A feature of OIDC allows the OpenID Provider to fetch the Authorization
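Review bot: the new NEWS header reads `lemonldap-ng (2.16.1+ds-deb12u3) UNRELEASED; urgency=medium` while the changelog entry for the same version targets `bookworm`; the distribution field should match the changelog. Two wording points in the same entry: "Custom templates maybe vulnerable" should read "may be vulnerable", and since the patch also rewrites the unquoted spelling `<TMPL_VAR NAME=LOGIN>` (password.tpl), the advice to replace `<TMPL_VAR NAME="LOGIN">` should mention that form too, or admins grepping a custom skin for the quoted form will miss it.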
diff --git a/debian/changelog b/debian/changelog
index 148164a94..c0bc25b80 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+lemonldap-ng (2.16.1+ds-deb12u3) bookworm; urgency=medium
+
+ * Fix XSS issue (Closes: #1084979, CVE-2024-48933)
+
+ -- Yadd <y...@debian.org> Tue, 15 Oct 2024 20:59:06 +0200
+
lemonldap-ng (2.16.1+ds-deb12u2) bookworm; urgency=medium
* Fix open redirection when OIDC RP has no redirect uris
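Review bot: the single bullet `* Fix XSS issue (Closes: #1084979, CVE-2024-48933)` leaves out the user-visible behaviour change bundled into the same patch: the portal no longer hands `login` to the page's JavaScript and autofocus is now decided by the templates. A second bullet for the autofocus change, plus a pointer to the NEWS entry for custom templates, would make the point-release notes accurate.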
diff --git a/debian/patches/CVE-2024-48933.patch
b/debian/patches/CVE-2024-48933.patch
new file mode 100644
index 000000000..eb666a0dd
--- /dev/null
+++ b/debian/patches/CVE-2024-48933.patch
@@ -0,0 +1,117 @@
+Description: Fix XSS vulnerability
+ A cross-site scripting (XSS) vulnerability in LemonLDAP::NG before 2.19.3
+ allows remote attackers to inject arbitrary web script or HTML into the
+ login page via a username if userControl has been set to a non-default
+ value that allows special HTML characters.
+Author: Maxime Besson
+Bug: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3232
+Bug-Debian: https://bugs.debian.org/1084979
+Forwarded: not-needed
+Applied-Upstream: 2.20.0,
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/merge_requests/606
+Reviewed-By: Yadd <y...@debian.org>
+Last-Update: 2024-10-15
+
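Review bot: the Description says the issue affects LemonLDAP::NG "before 2.19.3", but `Applied-Upstream` names 2.20.0 and the bug report above says "<2.20.0"; the DEP-3 header should agree with the rest of the upload on which upstream version carries the fix. `Forwarded: not-needed` is fine given the Author is upstream and the merge request is cited.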
+--- a/lemonldap-ng-portal/site/coffee/portal.coffee
++++ b/lemonldap-ng-portal/site/coffee/portal.coffee
+@@ -295,12 +295,9 @@
+ if datas['choicetab']
+ authMenuTabs.tabs "option", "active", $('#authMenu a[href="#' +
datas['choicetab'] + '"]').parent().index()
+
+- if datas['login']
+- $("input[type=password]:first").focus()
+- else
+- # If there are no auto-focused fields, focus on first visible
input
+- if $("input[autofocus]").length == 0
+- $("input[type!=hidden]:first").focus();
++ # If there are no auto-focused fields, focus on first visible input
++ if $("input[autofocus]").length == 0
++ $("input[type!=hidden]:first").focus()
+
+ # Open links in new windows if required
+ if datas['newwindow']
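Review bot: only the CoffeeScript source is patched; the compiled portal.js/portal.min.js that the package actually serves are not in this diff, so confirm the Debian build regenerates them from `site/coffee`. If stale compiled JavaScript remained, behaviour would still be correct, because once the `login` key is dropped from script.tpl `datas['login']` is undefined and the old `else` branch is the same focus-first-visible-input logic kept here, but the dead `datas['login']` check would then survive in the shipped asset.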
+--- a/lemonldap-ng-portal/site/templates/bootstrap/checkuser.tpl
++++ b/lemonldap-ng-portal/site/templates/bootstrap/checkuser.tpl
+@@ -11,7 +11,7 @@
+ <div class="input-group-prepend">
+ <span class="input-group-text"><label for="userfield"
class="mb-0"><i class="fa fa-user"></i></label></span>
+ </div>
+- <input id="userfield" name="user" type="text" class="form-control"
value="<TMPL_VAR NAME="LOGIN">" trplaceholder="user" aria-required="true"/>
++ <input id="userfield" name="user" type="text" class="form-control"
value="<TMPL_VAR NAME="LOGIN" ESCAPE=HTML>" trplaceholder="user"
aria-required="true"/>
+ </div>
+ <div class="input-group mb-3">
+ <div class="input-group-prepend">
+--- a/lemonldap-ng-portal/site/templates/bootstrap/globallogout.tpl
++++ b/lemonldap-ng-portal/site/templates/bootstrap/globallogout.tpl
+@@ -6,7 +6,7 @@
+ <div class="row">
+ <TMPL_IF NAME="SESSIONS">
+ <div class="card col border-secondary">
+- <div class="text-center bg-light text-dark"><b><span
trspan="activeSessions">ACTIVE SSO SESSIONS</span>: <u><TMPL_VAR
NAME="LOGIN"></u></b></div>
++ <div class="text-center bg-light text-dark"><b><span
trspan="activeSessions">ACTIVE SSO SESSIONS</span>: <u><TMPL_VAR NAME="LOGIN"
ESCAPE=HTML></u></b></div>
+ <table class="table table-sm table-hover text-center">
+ <thead>
+ <tr>
+--- a/lemonldap-ng-portal/site/templates/bootstrap/gpgform.tpl
++++ b/lemonldap-ng-portal/site/templates/bootstrap/gpgform.tpl
+@@ -5,7 +5,7 @@
+ <div class="input-group-prepend">
+ <span class="input-group-text"><label for="userfield" class="mb-0"><i
class="fa fa-user"></i></label></span>
+ </div>
+- <input id="userfield" name="user" type="text" class="form-control"
value="<TMPL_VAR NAME="LOGIN">" trplaceholder="mail" required
aria-required="true" />
++ <input id="userfield" name="user" type="text" class="form-control"
value="<TMPL_VAR NAME="LOGIN" ESCAPE=HTML>" trplaceholder="mail" required
aria-required="true" />
+ </div>
+
+ <div class="input-group mb-3">
+--- a/lemonldap-ng-portal/site/templates/bootstrap/password.tpl
++++ b/lemonldap-ng-portal/site/templates/bootstrap/password.tpl
+@@ -17,11 +17,11 @@
+
+ <TMPL_IF NAME="LOGIN">
+ <div class="input-group mb-3">
+- <input name="user" type="hidden" value="<TMPL_VAR NAME=LOGIN>" />
++ <input name="user" type="hidden" value="<TMPL_VAR NAME=LOGIN
ESCAPE=HTML>" />
+ <div class="input-group-prepend">
+ <span class="input-group-text"><label for="staticUser"
class="mb-0"><i class="fa fa-user"></i></label></span>
+ </div>
+- <input id="staticUser" type="text" readonly class="form-control"
value="<TMPL_VAR NAME=LOGIN>" />
++ <input id="staticUser" type="text" readonly class="form-control"
value="<TMPL_VAR NAME=LOGIN ESCAPE=HTML>" />
+ </div>
+ </TMPL_IF>
+
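Review bot: both inputs here use the unquoted spelling `<TMPL_VAR NAME=LOGIN ESCAPE=HTML>` while every other template in this patch quotes the name. HTML::Template accepts both, so this is cosmetic for the fix itself, but the NEWS entry tells administrators to search for `<TMPL_VAR NAME="LOGIN">`, and a custom skin copied from this file would not be caught by that search; either normalise to the quoted form or document both spellings.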
+--- a/lemonldap-ng-portal/site/templates/bootstrap/standardform.tpl
++++ b/lemonldap-ng-portal/site/templates/bootstrap/standardform.tpl
+@@ -10,21 +10,21 @@
+ <div class="input-group-prepend">
+ <span class="input-group-text"><label for="userfield" class="mb-0"><i
class="fa fa-user"></i></label></span>
+ </div>
+- <input id="userfield" name="user" type="text" class="form-control"
value="<TMPL_VAR NAME="LOGIN">" trplaceholder="login" required
aria-required="true"/>
++ <input id="userfield" name="user" type="text" class="form-control"
value="<TMPL_VAR NAME="LOGIN" ESCAPE=HTML>" trplaceholder="login" required
aria-required="true" <TMPL_UNLESS NAME="LOGIN">autofocus</TMPL_UNLESS> />
+ </div>
+ <div class="input-group mb-3">
+ <div class="input-group-prepend">
+ <span class="input-group-text"><label for="passwordfield"
class="mb-0"><i class="fa fa-lock"></i></label></span>
+ </div>
+ <TMPL_IF NAME="DONT_STORE_PASSWORD">
+- <input id="passwordfield" name="password" type="text"
class="form-control" trplaceholder="password" autocomplete="off" required
aria-required="true" aria-hidden="true"/>
++ <input id="passwordfield" name="password" type="text"
class="form-control" trplaceholder="password" autocomplete="off" required
aria-required="true" aria-hidden="true" <TMPL_IF
NAME="LOGIN">autofocus</TMPL_IF> />
+ <TMPL_IF NAME="ENABLE_PASSWORD_DISPLAY">
+ <div class="input-group-append">
+ <span class="input-group-text"><i id="toggle_password" class="fa
fa-eye-slash toggle-password"></i></span>
+ </div>
+ </TMPL_IF>
+ <TMPL_ELSE>
+- <input id="passwordfield" name="password" type="password"
class="form-control" trplaceholder="password" required aria-required="true"/>
++ <input id="passwordfield" name="password" type="password"
class="form-control" trplaceholder="password" required aria-required="true"
<TMPL_IF NAME="LOGIN">autofocus</TMPL_IF> />
+ <TMPL_IF NAME="ENABLE_PASSWORD_DISPLAY">
+ <div class="input-group-append">
+ <span class="input-group-text"><i id="toggle_password" class="fa
fa-eye-slash toggle-password"></i></span>
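Review bot: in the `DONT_STORE_PASSWORD` branch the new `<TMPL_IF NAME="LOGIN">autofocus</TMPL_IF>` lands on an `<input type="text" ... aria-hidden="true">`, so keyboard focus now jumps into an element hidden from assistive technology whenever a login is pre-filled; the `aria-hidden` is pre-existing, but the autofocus is new and worth a look. The `TMPL_UNLESS`/`TMPL_IF` pair otherwise reproduces the old client-side rule (focus the password field when LOGIN is set) without exposing LOGIN to JavaScript, which is the right approach.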
+--- a/lemonldap-ng-portal/site/templates/common/script.tpl
++++ b/lemonldap-ng-portal/site/templates/common/script.tpl
+@@ -20,7 +20,6 @@
+ {
+ "displaytab":"<TMPL_VAR NAME="DISPLAY_TAB">",
+ "choicetab":"<TMPL_VAR NAME="CHOICE_VALUE">",
+- "login":"<TMPL_VAR NAME="LOGIN">",
+ "newwindow":<TMPL_VAR NAME="NEWWINDOW" DEFAULT="0">,
+ "appslistorder":"<TMPL_VAR NAME="APPSLIST_ORDER">",
+ "activeTimer":<TMPL_VAR NAME="ACTIVE_TIMER" DEFAULT="0">,
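Review bot: dropping `"login":"<TMPL_VAR NAME="LOGIN">"` rather than adding `ESCAPE=HTML` is the right call here, since this value sits inside a JavaScript string in a JSON literal and HTML entity-encoding is not the escaping that context needs (a `"` in the username closes the string). The neighbouring `DISPLAY_TAB`, `CHOICE_VALUE` and `APPSLIST_ORDER` values stay interpolated unescaped in the same literal; worth confirming none of them can be influenced by request input.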
diff --git a/debian/patches/series b/debian/patches/series
index e4acf948c..ff8b2d3b0 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -9,3 +9,4 @@ apply-user-control-to-authslave.patch
fix-open-redirection.patch
fix-open-redirection-without-OIDC-redirect-uris.patch
SSRF-issue.patch
+CVE-2024-48933.patch
--- End Message ---
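Added example, not LemonLDAP::NG code and not part of the Debian package: a small Python check an administrator could run over a custom skin to find `<TMPL_VAR NAME="LOGIN">` tags that lack `ESCAPE=HTML`, in both the quoted and the unquoted spelling the patch above touches, together with a mini-renderer that mimics only the HTML::Template `ESCAPE=HTML` substitution to show why the fix matters. With the stock `userControl` regex (assumed here to be `^[\w.\-@]+$`) the payload never reaches the template; once an admin relaxes the regex, the unescaped template lets a username close the `value` attribute while the escaped one does not. The `RELAXED_USER_CONTROL` value, the sample templates and the payload are constructed for the demo.

```python
"""Find unescaped LOGIN in LemonLDAP::NG-style templates and demonstrate the XSS.

Illustrative code, not part of LemonLDAP::NG or its Debian packaging. The
renderer mimics only TMPL_VAR substitution with ESCAPE=HTML / ESCAPE=1; the
userControl regexes are assumptions about what an administrator might set.
"""
import html
import re
from pathlib import Path

# Assumed stock userControl value: letters, digits, '_', '.', '-', '@'.
DEFAULT_USER_CONTROL = re.compile(r"^[\w.\-@]+$")
# A relaxed value an admin might choose to allow spaces or punctuation (assumption).
RELAXED_USER_CONTROL = re.compile(r"^.+$")

# Matches <TMPL_VAR NAME="LOGIN"> and <TMPL_VAR NAME=LOGIN ...> (both spellings
# occur in the patch); 'attrs' captures whatever follows the name.
TMPL_VAR_RE = re.compile(
    r'<TMPL_VAR\s+NAME=(?P<q>"?)(?P<name>\w+)(?P=q)(?P<attrs>[^>]*)>',
    re.IGNORECASE,
)
ESCAPE_HTML_RE = re.compile(r'\bESCAPE=("?)(HTML|1)\1', re.IGNORECASE)


def find_unescaped(template: str, var: str = "LOGIN"):
    """Return [(line_no, tag)] for each TMPL_VAR of `var` with no ESCAPE= attribute."""
    hits = []
    for m in TMPL_VAR_RE.finditer(template):
        if m.group("name").upper() != var.upper():
            continue
        if re.search(r"\bESCAPE=", m.group("attrs"), re.IGNORECASE):
            continue
        hits.append((template.count("\n", 0, m.start()) + 1, m.group(0)))
    return hits


def scan_templates(root):
    """Walk a skin directory and report files with unescaped LOGIN tags."""
    report = {}
    for path in sorted(Path(root).rglob("*.tpl")):
        hits = find_unescaped(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            report[str(path)] = hits
    return report


def render(template: str, variables: dict) -> str:
    """Minimal HTML::Template-like substitution honouring only ESCAPE=HTML / ESCAPE=1."""
    def sub(m):
        value = str(variables.get(m.group("name").upper(), ""))
        if ESCAPE_HTML_RE.search(m.group("attrs")):
            return html.escape(value, quote=True)
        return value
    return TMPL_VAR_RE.sub(sub, template)


# Constructed templates modelled on the userfield input before and after the fix.
VULNERABLE_TPL = (
    '<input id="userfield" name="user" type="text" class="form-control" '
    'value="<TMPL_VAR NAME="LOGIN">" required />'
)
FIXED_TPL = (
    '<input id="userfield" name="user" type="text" class="form-control" '
    'value="<TMPL_VAR NAME="LOGIN" ESCAPE=HTML>" required />'
)
# Constructed attacker-supplied username that closes the value attribute.
PAYLOAD = '"><script>alert(1)</script><x y="'


def login_reflection(template: str, username: str, user_control: re.Pattern):
    """Emulate the portal: reject a username that fails userControl, otherwise
    re-display the form with it reflected. Returns (accepted, rendered_html)."""
    if not user_control.match(username):
        return False, None
    return True, render(template, {"LOGIN": username})


def attribute_breakout(rendered: str) -> bool:
    """True if a raw <script> element escaped the attribute into the markup."""
    return "<script>" in rendered


if __name__ == "__main__":
    for label, tpl in (("unescaped", VULNERABLE_TPL), ("ESCAPE=HTML", FIXED_TPL)):
        print(f"{label}: unescaped LOGIN tags -> {find_unescaped(tpl)}")
        for rx_label, rx in (("default userControl", DEFAULT_USER_CONTROL),
                             ("relaxed userControl", RELAXED_USER_CONTROL)):
            accepted, out = login_reflection(tpl, PAYLOAD, rx)
            verdict = "rejected" if not accepted else (
                "BREAKOUT" if attribute_breakout(out) else "safe")
            print(f"  {rx_label}: {verdict}")
```

Run it as a script to print the verdict matrix, or call `scan_templates('/path/to/custom/skin')` to list offending files. The renderer ignores `TMPL_IF`/`TMPL_UNLESS` blocks, so it is for demonstrating the escaping rule, not for validating complete templates; the scanner, however, is usable as-is on a skin directory.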
--- Begin Message ---
Source: release.debian.org
Version: 12.8
Hi,
Each of the updates tracked by these bugs was included in today's 12.8
bookworm point release.
Regards,
Adam
--- End Message ---