On 11/20/24 09:26, Salvatore Bonaccorso wrote:
Hi,
On Sat, Nov 09, 2024 at 06:54:39PM +0400, Yadd wrote:
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: lemonldap...@packages.debian.org, y...@debian.org
Control: affects -1 + src:lemonldap-ng
User: release.debian....@packages.debian.org
Usertags: pu
[ Reason ]
lemonldap-ng is a Web-SSO. In Bookworm, it is vulnerable to:
- XSS issue in the "Upgrade" plugin, which allows users to upgrade their
authentication level in the current session (for example, use an SSL card
instead of login/password)
- Privilege escalation when "Adaptative auth level" is used: users can
apply the benefit more than once using the "refresh-session"
mechanism
[ Impact ]
Medium security issues.
[ Tests ]
Tests updated, passed
[ Risks ]
Low risk: patch is trivial
[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable
[ Changes ]
- don't apply adaptative rules when the session is refreshed
- apply the "checkXSS" method on "Upgrade" plugin URLs
[ Other info ]
These 2 issues will have CVE numbers soon
FTR/context, those are CVE-2024-52946 and CVE-2024-52947.
Regards,
Salvatore
Hi Salvatore,
I added the CVE numbers to the debian/changelog when pushing the new
archive
Best regards,
Xavier