Activity log for bug #1829016

Date Who What changed Old value New value Message
2019-05-14 13:32:33 Xavier Guimard bug added bug
2019-05-14 13:43:46 Xavier Guimard bug watch added https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928944
2019-05-14 13:43:46 Xavier Guimard bug task added lemonldap-ng (Debian)
2019-05-14 14:29:48 Bug Watch Updater lemonldap-ng (Debian): status Unknown Fix Released
2019-05-15 23:12:26 Steve Beattie information type Private Security Public Security
2019-05-15 23:12:32 Steve Beattie lemonldap-ng (Ubuntu): status New Confirmed
2019-05-15 23:12:44 Steve Beattie lemonldap-ng (Ubuntu): importance Undecided High
2019-06-04 14:40:46 Xavier Guimard description
Old value:
Hi all, during an internal audit, one of lemonldap-ng's developers discovered an attack vector. It opens 3 security issues:
- [high] for 2.0.0 ≤ version < 2.0.4: when CSRF tokens are enabled (default) and tokens are stored in session DB (not default, used with poor load-balancers), the token can be used to open an anonymous short-life session (2mn). It allows one to access all applications without additional rules
- [medium] for every version < 2.0.4 or 1.9.19 when SAML/OIDC tokens are stored in sessions DB (not default), tokens can be used to have an anonymous session
- [low] for every version < 2.0.4 or 1.9.19: when self-registration is allowed, mail token can be used to have an anonymous session.
You can find Debian patches here:
* 1.9.x series (Bionic/Cosmic): https://salsa.debian.org/perl-team/modules/packages/lemonldap-ng/blob/stretch-security/debian/patches/CVE-2019-12046.patch
* 2.0.x series (Disco): https://salsa.debian.org/perl-team/modules/packages/lemonldap-ng/blob/master/debian/patches/CVE-2019-12046.patch
1.9.x patch can be backported to 1.4.x series (Xenial), not fully tested.
For more, see:
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928944
- https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1742
- https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1743
- https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1744
Cheers, Xavier (yadd) <yadd@debian.org>
New value:
Hi all, during an internal audit, one of lemonldap-ng's developers discovered an attack vector. It opens 3 security issues:
- [high] for 2.0.0 ≤ version < 2.0.4: when CSRF tokens are enabled (default) and tokens are stored in session DB (not default, used with poor load-balancers), the token can be used to open an anonymous short-life session (2mn). It allows one to access all applications without additional rules
- [high] for every version < 2.0.4 or 1.9.19 when SAML/OIDC tokens are stored in sessions DB (not default), tokens can be used to have an anonymous session
- [low] for every version < 2.0.4 or 1.9.19: when self-registration is allowed, mail token can be used to have an anonymous session.
You can find Debian patches here:
* 1.9.x series (Bionic/Cosmic): https://salsa.debian.org/perl-team/modules/packages/lemonldap-ng/blob/stretch-security/debian/patches/CVE-2019-12046.patch
* 2.0.x series (Disco): https://salsa.debian.org/perl-team/modules/packages/lemonldap-ng/blob/master/debian/patches/CVE-2019-12046.patch
1.9.x patch can be backported to 1.4.x series (Xenial), not fully tested.
For more, see:
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928944
- https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1742
- https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1743
- https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1744
Cheers, Xavier (yadd) <yadd@debian.org>
2019-06-25 11:50:17 Xavier Guimard cve linked 2019-12046
2019-06-25 11:51:54 Xavier Guimard tags community-security