Your message dated Mon, 25 Mar 2024 07:43:31 +0100
with message-id <zgedew6chnxed...@eldamar.lan>
and subject line Re: Accepted ldap-account-manager 8.7-1 (source) into unstable
has caused the Debian Bug report #1067179,
regarding ldap-account-manager: CVE-2024-23333
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1067179: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1067179
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: ldap-account-manager
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for ldap-account-manager.

CVE-2024-23333[0]:
| LDAP Account Manager (LAM) is a webfrontend for managing entries
| stored in an LDAP directory. LAM's log configuration allows to
| specify arbitrary paths for log files. Prior to version 8.7, an
| attacker could exploit this by creating a PHP file and cause LAM to
| log some PHP code to this file. When the file is then accessed via
| web the code would be executed. The issue is mitigated by the
| following: An attacker needs to know LAM's master configuration
| password to be able to change the main settings; and the webserver
| needs write access to a directory that is accessible via web. LAM
| itself does not provide any such directories. The issue has been
| fixed in 8.7. As a workaround, limit access to LAM configuration
| pages to authorized users.

https://github.com/LDAPAccountManager/lam/security/advisories/GHSA-fm9w-7m7v-wxqv


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-23333
    https://www.cve.org/CVERecord?id=CVE-2024-23333

Please adjust the affected versions in the BTS as needed.

--- End Message ---
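The configuration pattern the advisory above describes (an administrator-settable log file path that can point into a web-served directory, so that logged text becomes executable code) is easy to guard against in the code that accepts the setting. The following is an added example in Python, not code from LDAP Account Manager and not a description of how upstream 8.7 fixed the issue; the web-root and log-directory paths, the extension list and the function names are assumptions for a hypothetical deployment. It shows two layers: a path check that rejects log destinations under a web root, with a server-executable extension, or outside an allow-listed log directory, and a log-line sanitizer that neutralizes PHP open tags and line breaks so that even a misplaced log file cannot carry runnable code.

```python
"""Validate an admin-configurable log path and sanitize log lines.

Added example for the CVE-2024-23333 pattern; all paths below are
assumed for a hypothetical deployment, not LAM's real layout.
"""
import posixpath

# Directories the webserver serves (assumed). Anything logged under these
# becomes reachable over HTTP and, with a PHP handler, executable.
WEB_ROOTS = ("/var/www/html", "/usr/share/ldap-account-manager")

# The only places a log file is allowed to live (assumed allow-list).
ALLOWED_LOG_DIRS = ("/var/log/ldap-account-manager",
                    "/var/lib/ldap-account-manager/log")

# Extensions a typical PHP-enabled webserver would hand to the interpreter.
EXECUTABLE_EXTENSIONS = (".php", ".phtml", ".phar", ".php3", ".php4",
                         ".php5", ".php7", ".phps")


def _under(path, parent):
    """True when the normalized absolute path is parent itself or below it."""
    return posixpath.commonpath([path, parent]) == parent


def check_log_path(path):
    """Return (ok, reason) for a proposed log file path.

    Uses pure-string normalization so the check is deterministic here; a
    deployed check should also resolve symlinks with os.path.realpath,
    because an allow-listed directory could contain a link into a web root.
    """
    if not path or not posixpath.isabs(path):
        return False, "log path must be absolute"
    norm = posixpath.normpath(path)  # collapses "..", so traversal is caught
    if any(_under(norm, root) for root in WEB_ROOTS):
        return False, "log path is inside a web-served directory"
    if norm.lower().endswith(EXECUTABLE_EXTENSIONS):
        return False, "log path has a server-executable extension"
    if not any(_under(norm, d) for d in ALLOWED_LOG_DIRS):
        return False, "log path is outside the allow-listed log directories"
    return True, "ok"


def sanitize_log_line(line):
    """Defense in depth: make attacker-influenced text inert before logging.

    Drops CR/LF (prevents forging extra log records) and escapes angle
    brackets, so "<?php ... ?>" can never appear literally in the file.
    """
    line = line.replace("\r", "").replace("\n", "")
    return line.replace("<", "&lt;").replace(">", "&gt;")


if __name__ == "__main__":
    # Constructed sample inputs: what an attacker holding the master
    # configuration password might try to set, and what it would log.
    for candidate in ("/var/log/ldap-account-manager/lam.log",
                      "/var/www/html/poison.php",
                      "/var/log/ldap-account-manager/../../www/html/p.php",
                      "/var/log/ldap-account-manager/lam.php",
                      "/tmp/lam.log"):
        print(candidate, "->", check_log_path(candidate))
    print(sanitize_log_line("login failed for <?php system($_GET['c']); ?>\n"))
```

The path check is the one that closes the hole the advisory describes; the sanitizer is cheap insurance for the case where the deployment's web root and log directory overlap in a way the allow-list did not anticipate.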
--- Begin Message ---
Source: ldap-account-manager
Source-Version: 8.7-1

On Sun, Mar 24, 2024 at 08:59:47PM +0000, Debian FTP Masters wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
> 
> Format: 1.8
> Date: Sat, 16 Mar 2024 07:35:21 +0200
> Source: ldap-account-manager
> Architecture: source
> Version: 8.7-1
> Distribution: unstable
> Urgency: medium
> Maintainer: Roland Gruber <p...@rolandgruber.de>
> Changed-By: Roland Gruber <p...@rolandgruber.de>
> Changes:
>  ldap-account-manager (8.7-1) unstable; urgency=medium
>  .
>    * new upstream release
> Checksums-Sha1:
>  48e7b3ee327d8cc690df25a3ca0fd933946450c0 2032 ldap-account-manager_8.7-1.dsc
>  1a6d6b51312f24a6fc9dc14afa4e35d6080d2e91 26974977 ldap-account-manager_8.7.orig.tar.bz2
>  3aaa4b404d7fec4f3fceb58c568c91b745dbe3fb 36440 ldap-account-manager_8.7-1.debian.tar.xz
>  ffabc1209321292ee6f16801a5438dbbe4dc520b 8124 ldap-account-manager_8.7-1_amd64.buildinfo
> Checksums-Sha256:
>  f1a0fa3cd1017aa6f96723fd1bbaa6814c20f211f168ac2c75c0c8da1f72c10f 2032 ldap-account-manager_8.7-1.dsc
>  009b369c7e28c42bfb5afa49aaad49f7e847e21e236343a39909002fed9b339e 26974977 ldap-account-manager_8.7.orig.tar.bz2
>  71788a98949ff4bbbf6f5fa7b129d6819918f9c411b558e9cfe5dbda52d3cce1 36440 ldap-account-manager_8.7-1.debian.tar.xz
>  a96749bd08fbe9b87f50d252990daaa69505029d4b2e537e734bb11fd280b0f5 8124 ldap-account-manager_8.7-1_amd64.buildinfo
> Files:
>  dd04e63d6c9fc5618f88d5ff75dd586d 2032 web optional ldap-account-manager_8.7-1.dsc
>  45ebd3ccb52af332bea53234e5b92ee1 26974977 web optional ldap-account-manager_8.7.orig.tar.bz2
>  c83d833ffc503bf499d51844c9f60c2b 36440 web optional ldap-account-manager_8.7-1.debian.tar.xz
>  5199b864309ac9f90f320302416fdb79 8124 web optional ldap-account-manager_8.7-1_amd64.buildinfo
> 
> -----BEGIN PGP SIGNATURE-----
> 
> iQIzBAEBCgAdFiEERgUMsnxvIxsAsUimhHMGK3zwlLoFAmYAjRwACgkQhHMGK3zw
> lLq3QA/8DqsvyHD+t/Kb9BQVr0NJcJfOkc8pdJ0gwIKVAAhaA2ELwwfizTCH18a8
> xy0ZcjBaC2MIFB7tSOQKuYWCyCK1L5CElCs9GR6YQt7/ypgZtvtkv9TeWfcNL+qr
> /MxwC39jvVvP0wDhBH9ow3WeTQlYhcjSMDHX2PreaCa4m+P5tec+gocCJk1uqNUE
> y5Sl71tqeBS71Fu2OLvLZm8FIgf0Kb+tgcqVeOXb6qf8diUPm1zblWtUhIwzztZo
> 7TbaV3NvGfSdpJd/2kP/B3q+p3o1nFBleV3ROrUVksAW8UtvyMrUWObqPOrlFyCY
> 9LjyCex0vqpC1LWBJP0AJ0TWLqX+jMWkjAsHNAYFgBG3prIH1v5Zg5fFxB3o++Am
> xrYQadp2SplWlfgslq4aAkmwaRjX7TlIIxrUwee5CugQW/rH26/84uq2LcpOA6nW
> HT8E4jDSH0nlxTB7otexNOVxvQFFlePuQjldb3P+TWfFqeGKtYkCxMoISzskH0t+
> 3UySt5RSiubpQ0JWjExZmu62xdRHFui/ymK855LWBAJ8K553agwbGgOQ3wUOvd9k
> UQnOqZFhrMa63q3yNk9BbrjQrhRw+pb1Py4xRWtImf6Ji2dW0Rb45bsg8a/2BoYn
> y+ij6O+wG2S1AdwZtvDbeaLeBaDDLRahawEULx8nBxizNd/YHt4=
> =kAT/
> -----END PGP SIGNATURE-----

--- End Message ---